1. Delete everything under Tomcat's webapps directory except two entries: your own project and ROOT (this removes docs, examples, manager and host-manager). Then delete all files under ROOT and create a single new file, 404.html. Its content is irrelevant to the scanner, as long as it does not name the server software or version.
2. Add the following to conf/web.xml (inside <web-app>, before the closing tag):
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
Save, restart Tomcat so the change takes effect, and rescan: the finding below is gone.
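The two steps above, as an added shell example (not part of the original post): it strips the stock webapps, installs a neutral 404 page, registers it in conf/web.xml, and carries a small fingerprint check that mirrors what the Nessus plugin does (request a path that cannot exist and look for the markers of Tomcat's stock error page). The CATALINA_HOME path, the webapp name myapp and the sample response bodies are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a standard Tomcat layout
# under "$1" (CATALINA_HOME) and that "$2" is the directory name of your own webapp.

harden_tomcat() {
    catalina_home="$1"   # assumption: e.g. /opt/tomcat
    keep_app="$2"        # assumption: e.g. myapp

    # Step 1a: remove every webapp except your own project and ROOT
    # (docs, examples, manager, host-manager are what normally goes).
    for d in "$catalina_home"/webapps/*; do
        [ -e "$d" ] || continue
        name=$(basename "$d")
        case "$name" in
            ROOT|"$keep_app") ;;
            *) rm -rf "$d" ;;
        esac
    done

    # Step 1b: empty ROOT and install a 404 page that names no software or version.
    rm -rf "$catalina_home"/webapps/ROOT
    mkdir -p "$catalina_home"/webapps/ROOT
    printf '%s\n' '<!DOCTYPE html><html><head><title>Not Found</title></head>' \
        '<body><h1>404 Not Found</h1></body></html>' \
        > "$catalina_home"/webapps/ROOT/404.html

    # The <error-page> in conf/web.xml applies to every webapp, and /404.html is
    # resolved inside each context, so your own app needs its own copy as well.
    if [ -d "$catalina_home/webapps/$keep_app" ]; then
        cp "$catalina_home"/webapps/ROOT/404.html "$catalina_home/webapps/$keep_app/404.html"
    fi

    # Step 2: register the page as the global 404 handler, once, before </web-app>.
    webxml="$catalina_home"/conf/web.xml
    if ! grep -q '<error-code>404</error-code>' "$webxml"; then
        awk '/<\/web-app>/ {
                 print "    <error-page>"
                 print "        <error-code>404</error-code>"
                 print "        <location>/404.html</location>"
                 print "    </error-page>"
             }
             { print }' "$webxml" > "$webxml.tmp" && mv "$webxml.tmp" "$webxml"
    fi
}

# Fingerprint of Tomcat's stock error page: the "HTTP Status NNN" title and the
# "Apache Tomcat/x.y.z" version banner. Returns 0 when the body looks stock.
looks_like_default_error_page() {
    grep -Eq 'Apache Tomcat/|HTTP Status [0-9]{3}' "$1"
}

# What the scanner effectively does: fetch a path that cannot exist and inspect
# the body. Requires curl and a running server; base URL is an assumption.
check_custom_404() {
    base_url="$1"   # assumption: e.g. https://host.example
    tmp=$(mktemp)
    curl -sk "$base_url/nessus-check/default-404-error-page.html" -o "$tmp"
    if looks_like_default_error_page "$tmp"; then
        echo "default Tomcat error page still served"; rm -f "$tmp"; return 1
    fi
    echo "custom 404 page in place"; rm -f "$tmp"; return 0
}
```

Two caveats the scanner output does not spell out: the stock page is also served for 500, 403 and every other error code, so add matching <error-page> entries (or an <exception-type> entry) for those as well; and on recent Tomcat versions the ErrorReportValve in server.xml accepts showServerInfo="false", which drops the version banner from any error page you have not overridden.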
12085 - Apache Tomcat Default Files
Synopsis
The remote web server contains default files.
Description
The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.
See Also
https://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
https://www.owasp.org/index.php/Securing_tomcat
Solution
Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.
Risk Factor
Medium
CVSS v3.0 Base Score
7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
XREF: CWE:20, CWE:74, CWE:79, CWE:442, CWE:629, CWE:711, CWE:712, CWE:722, CWE:725, CWE:750, CWE:751, CWE:800, CWE:801, CWE:809, CWE:811, CWE:864, CWE:900, CWE:928, CWE:931, CWE:990
Plugin Information:
Published: 2004/03/02, Modified: 2018/01/30
Plugin Output
tcp/443
The following default files were found :
/nessus-check/default-404-error-page.html
This post shows how to raise server security by deleting Tomcat's default files and configuring a custom 404 error page, including the web.xml change, so that the medium-risk finding above no longer appears.