https://issues.apache.org/bugzilla/show_bug.cgi?id=52751
Bug #: 52751
Summary: Optimized configuration of the system info displayed in the default error page
Product: Tomcat 7
Version: trunk
Platform: PC
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: polina.gen...@gmail.com
Classification: Unclassified

Created attachment 28372
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28372
Patch in ErrorReportValve.java and docu page + 2 screenshots

Hi,

Here's an enhancement patch for the system info displayed in the default error page and the way it is retrieved. The patch makes it possible to reuse the value of the server header configuration if it is available. Thus the system information revealed in the server header and the default error page would be consistent and would be easier to maintain.

It is known that system information disclosure is an easy-to-fix, yet serious security flaw, as it opens the door to all attackers who wouldn't resist exploiting known vulnerabilities for the given system version. That's why it is recommended (in all Tomcat security configuration guides) to customize both the server header and the server.info property. On the other hand, with this enhancement the protection from system information leakage can be done more easily - with only one configuration and without worrying about the side effects of custom changes in the server.info property.

Besides the patch there are also two screenshots attached:
- Default error page when server header is configured
- Default error page when server header is not configured

Best Regards,
Polina
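As an added defender-side check, not part of this bug report or its patch: the functions below parse a captured HTTP response from a Tomcat error page and report whether a product version string appears in the Server header or in the page footer, and whether the two disagree, which is exactly the inconsistency the enhancement aims to remove. The sample responses are constructed, and the version pattern and the assumption that the default error page prints its server info in the last <h3> element are mine, not taken from the Tomcat source.

```python
import re

# Constructed sample responses (not captured from a real server): an out-of-the-box
# Tomcat 7 style 404 page, and one where both the header and the page info were customized.
DEFAULT_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Apache Tomcat/7.0.26 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /missing</h1><HR size=\"1\" noshade=\"noshade\">"
    "<p><b>message</b> <u>/missing</u></p>"
    "<HR size=\"1\" noshade=\"noshade\"><h3>Apache Tomcat/7.0.26</h3></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 404 - /missing</h1><h3>Apache</h3></body></html>"
)

# Assumed pattern for a version-bearing product string such as "Apache Tomcat/7.0.26".
VERSION_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")

def parse_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def error_page_server_info(body):
    """Return the text of the last <h3> element, where the default error page prints server info (assumption)."""
    matches = re.findall(r"<h3>(.*?)</h3>", body, re.S)
    return matches[-1].strip() if matches else None

def audit(raw):
    """Report version disclosure in the Server header and the error page, plus any inconsistency."""
    headers, body = parse_response(raw)
    server_header = headers.get("server")
    page_info = error_page_server_info(body)
    findings = []
    if server_header and VERSION_RE.search(server_header):
        findings.append("version in Server header")
    if page_info and VERSION_RE.search(page_info):
        findings.append("version in error page")
    if server_header and page_info and server_header != page_info:
        findings.append("Server header and error page disagree")
    return {"server_header": server_header, "page_info": page_info, "findings": findings}

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(raw))
```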