Fix : Apache Tomcat Default Files Vulnerability


Note: this solution works on all Apache Tomcat web server releases (i.e. 7.x, 8.x and 9.x).




When I was closing this vulnerability I searched many articles on the internet but did not find an appropriate solution. The solution below is one I worked out myself, and it works 100%.







If you are running the Apache Tomcat web server, this is the vulnerability finding you will always receive:



Description: The default error page, default index page, example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.



If you want to fix this without impacting your development or production environment, read the article below first, understand it, and then make the changes.



"In simple words: if an attacker knows your web server version, it is easier for them to attack your web server."



To check this I created a test environment on version 9.0 so I could take screenshots and share them with you.



Elsewhere you will find complicated solutions for closing this vulnerability. The fix below is the one I applied on approximately 20 Apache Tomcat production servers, and it closed the vulnerability on all of them.



How to check this vulnerability:



Type the server IP in your browser, or type localhost from the local server.



In my case I installed the Apache Tomcat web server on my own system, and when I type localhost it shows the page below.





This is the welcome page, which should not appear.




First we hide the welcome page.



Go to the drive where Tomcat is installed (if you installed it somewhere other than the default directory).


In my case I installed it in the default directory, which is:


Go to the conf directory:


C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\conf



Open web.xml in Notepad.





Go to the last lines of web.xml, where the welcome file entries are. They look like this:








Now comment out the welcome file lines as I did.

For those who are not aware of how to close the comment block, I have highlighted what you need to type to comment out the welcome file.




Now restart the Tomcat service; it will no longer show you the welcome page.


Here is the page after making the above changes:



Don't be too excited, because your vulnerability is still open. 😀😀

It no longer shows the welcome page, but it still shows the web server version.







I would recommend always disabling the welcome page: hiding it has no impact on your applications, and it makes you more secure.





Fix: How to hide the version





Create the folders below under the "lib" folder (first create the "org" folder, then "apache", then "catalina", then "util"):

org\apache\catalina\util


Once created, it looks like this:





Once the folders are created, create a new file in Notepad under the util folder. The file name must be exactly "ServerInfo.properties"; check that its extension is not .txt. When it is created correctly, Explorer shows "PROPERTIES File" in the Type column.


Now copy and paste the lines below, exactly as they are, into the created file:




# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

server.info=
server.number=
server.built=







Once the above lines are in the file, save and close it, then restart the Apache Tomcat service.



Once the service has restarted, open localhost, or open the server address from another intranet system.


See, the version is hidden. 👀
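As an added example that is not part of the original post, the following Python script writes the same ServerInfo.properties override under CATALINA_HOME\lib and checks a fetched page body for a leaked "Apache Tomcat/x.y.z" banner, which is the quickest way to confirm the fix from another system. The CATALINA_HOME argument, the temp-directory default and the sample HTML snippets are assumptions.

```python
"""Added example (not from the original post). CATALINA_HOME argument,
temp-dir default and sample HTML are assumptions made for this demo."""
import re
import tempfile
from pathlib import Path

# Tomcat reads org/apache/catalina/util/ServerInfo.properties from its class path;
# a copy placed under lib/ takes precedence over the one inside catalina.jar.
OVERRIDE_REL = Path("org", "apache", "catalina", "util", "ServerInfo.properties")

# Blank values exactly as in the post: Tomcat then has no name, number or date to print.
OVERRIDE_BODY = "server.info=\nserver.number=\nserver.built=\n"

# Matches the banner Tomcat prints on its welcome and error pages, e.g. "Apache Tomcat/9.0.0".
VERSION_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")


def write_override(catalina_home=None):
    """Create lib/org/apache/catalina/util/ServerInfo.properties with empty values.
    With no argument a throw-away temp directory stands in for CATALINA_HOME."""
    home = Path(catalina_home) if catalina_home else Path(tempfile.mkdtemp())
    target = home / "lib" / OVERRIDE_REL
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(OVERRIDE_BODY, encoding="utf-8")
    return target


def override_is_blank(path):
    """True when server.info, server.number and server.built are all present and empty."""
    values = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return all(values.get(k) == "" for k in ("server.info", "server.number", "server.built"))


def leaked_versions(html):
    """Return every distinct 'Apache Tomcat/x.y.z' string found in a page body."""
    return sorted(set(VERSION_RE.findall(html)))


# Constructed samples of the stock 404 page before and after the override.
PAGE_BEFORE = "<h1>HTTP Status 404 - Not Found</h1><hr/><h3>Apache Tomcat/9.0.0</h3>"
PAGE_AFTER = "<h1>HTTP Status 404 - Not Found</h1><hr/><h3></h3>"

if __name__ == "__main__":
    path = write_override()
    print(path, override_is_blank(path), leaked_versions(PAGE_BEFORE), leaked_versions(PAGE_AFTER))
```

Pass the real Tomcat installation directory as the argument to write_override to apply the fix, and feed the body of any page served by the restarted instance to leaked_versions to confirm nothing is left.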




Enjoy, your vulnerability is closed.



Don't ask your application team; I'm sure they are not aware of this. 😀😄😏



If you enjoyed this article, follow and share it with your friends and colleagues! 👍


Posted By : Kamlesh Gaur








Comments

  1. Hi Michale, thanks for your valuable feedback. I will continue to blog......

  2. This is the exact fix which I was looking for... thanks for sharing your awesome knowledge.

  3. I followed the steps and I'm glad to say this closed my vulnerability. Thanks a lot for your blog, much appreciated.