Apache Tomcat servlet/JSP container default files


Summary

A fresh Apache Tomcat installation typically ships with a number of default files, example JSPs and example Servlets that are served by the web interface.  These files can help an attacker determine the exact version of Apache Tomcat you are running, and may disclose other useful information.

Impact

The impact of this vulnerability depends on your server and your security practices:

  • The information revealed by these files may be helpful to an attacker attempting to compromise your system.  In addition, the presence of these files may hint that the web server was set up by someone who is not security conscious, and that it may therefore contain other vulnerabilities.
  • On the other hand, if the installed version of Tomcat has no known security issues, then allowing potential attackers to determine the version does not present any risk.

Solution

We recommend that you remove any default pages and example JSPs and servlets.  For more information, refer to OWASP: Securing Tomcat.
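As an added example (not part of the original article), the following POSIX shell script reports which of the stock Tomcat web applications are still deployed and removes them. It assumes the standard layout $CATALINA_HOME/webapps/<app> and the stock "examples", "docs" and "ROOT" (default welcome page) applications; adjust the list for your installation.

```shell
#!/bin/sh
# Added example: report and remove the default web applications a fresh
# Tomcat install serves. Assumes the standard layout $CATALINA_HOME/webapps/<app>
# and the stock "examples", "docs" and "ROOT" applications.

DEFAULT_WEBAPPS="examples docs ROOT"

# Print the names of default webapps still deployed under "$1/webapps",
# whether as an exploded directory or as a not-yet-expanded .war file.
list_default_webapps() {
  base="$1/webapps"
  for app in $DEFAULT_WEBAPPS; do
    if [ -d "$base/$app" ] || [ -f "$base/$app.war" ]; then
      printf '%s\n' "$app"
    fi
  done
}

# Delete every default webapp found, directory and .war alike, so the
# version-revealing pages are no longer served. Other webapps are untouched.
remove_default_webapps() {
  base="$1/webapps"
  for app in $(list_default_webapps "$1"); do
    rm -rf "$base/$app" "$base/$app.war"
  done
}

# Stand-alone demonstration on a constructed directory tree (never touches a
# real install); in practice point the functions at "$CATALINA_HOME".
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/webapps/examples" "$demo_dir/webapps/ROOT" "$demo_dir/webapps/myapp"
echo "Default webapps found: $(list_default_webapps "$demo_dir" | tr '\n' ' ')"
remove_default_webapps "$demo_dir"
echo "After removal: '$(list_default_webapps "$demo_dir" | tr '\n' ' ')'"
rm -rf "$demo_dir"
```

Run it against a copy of the installation first and review the output before pointing it at a live server, since removing ROOT leaves the site root unserved until you deploy your own application there.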
