Bug 502908 - Current page not found handling is a Cat 2 finding with the Tomcat STIG
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Tomcat
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Jenny Galipeau
Chandrasekar Kannan
Blocks: 443788
Reported: 2009-05-27 13:49 EDT by Sean Veale
Modified: 2015-01-04 18:38 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:35:45 EDT

Attachments
PKI 404 Error Handling (38.28 KB, patch)
2009-06-16 18:29 EDT, Matthew Harmsen
PKI 404 Error Handling (dogtag) (55.65 KB, patch)
2009-06-16 18:30 EDT, Matthew Harmsen
screen shot of custom Error 404 page (106.89 KB, image/png)
2009-06-26 12:34 EDT, Jenny Galipeau
Description Sean Veale 2009-05-27 13:49:03 EDT
Description of problem:

The 404 error page is a security issue. Specifically it divulges Tomcat and the version number.

This should be corrected for all the tomcat instances (CA, KRA, TKS, probably RA).

If the error page directive in the server.xml file is set and supplies a page, that is all that is needed.  The directive would look something like this:

<!-- error-page mapping for the web application; the location is relative
     to the web-app root and must begin with "/" per the servlet spec -->
<error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
</error-page>



Version-Release number of selected component (if applicable):
CS 8.0 Beta2

How reproducible:

Always
Steps to Reproduce:
1. For any of the instances that use tomcat, go to a page that doesn't exist.

Actual results:
Page that shows the version info

Expected results:

New page, that can be modified to not show version info.

Additional info:
Comment 1 Matthew Harmsen 2009-06-10 14:36:00 EDT
Actually, the "404.html" page needs to contain enough information to prevent Microsoft IE from overriding this behavior with its own "friendly" 404 error messages:

    http://support.microsoft.com/default...;en-us;Q294807

Additionally, are "404" error codes the ONLY error codes specified by the Tomcat STIG to require special handling?
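Added example, not code from the bug or from Dogtag: a check that a verifier can run against each subsystem's 404 response, covering the version disclosure from the description and the IE "friendly error" size threshold raised in Comment 1. The sample response bodies (and the 5.5.23 version string in them) are constructed; the 512-byte threshold is the one given in the linked KB Q294807.

```python
import re
import urllib.error
import urllib.request

# Below this size Internet Explorer discards the 404 body and shows its own
# "friendly" page (behaviour described in Microsoft KB Q294807).
IE_FRIENDLY_404_MIN_BYTES = 512

# Fingerprint of the stock Tomcat error report page.
TOMCAT_BANNER = re.compile(rb"Apache Tomcat/\d[\w.]*")


def audit_404_response(status, headers, body):
    """Audit one response to a request for a non-existent path.
    Returns a list of findings; an empty list means the page passes."""
    findings = []
    if status != 404:
        findings.append(f"expected HTTP 404, got {status}")
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if re.search(r"tomcat|coyote|\d", server, re.IGNORECASE):
        findings.append(f"Server header discloses software/version: {server!r}")
    m = TOMCAT_BANNER.search(body)
    if m:
        findings.append(f"body discloses container/version: {m.group(0).decode()!r}")
    if len(body) < IE_FRIENDLY_404_MIN_BYTES:
        findings.append(f"body is {len(body)} bytes; IE replaces pages under "
                        f"{IE_FRIENDLY_404_MIN_BYTES} bytes with its own")
    return findings


def fetch_and_audit(url):
    """Fetch a URL that should not exist on the instance and audit the live response."""
    try:
        with urllib.request.urlopen(url) as resp:
            return audit_404_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:
        return audit_404_response(e.code, dict(e.headers), e.read())


# Constructed sample bodies (not captured from a real instance; version made up).
DEFAULT_TOMCAT_404 = (
    b"<html><head><title>Apache Tomcat/5.5.23 - Error report</title></head>"
    b"<body><h1>HTTP Status 404 - /ca/nosuchpage</h1><hr/>"
    b"<h3>Apache Tomcat/5.5.23</h3></body></html>")

# A custom page padded with an HTML comment so it clears the IE threshold.
PADDING = b"<!-- " + b"padding keeps the page above 512 bytes " * 12 + b"-->"
CUSTOM_404 = (
    b"<html><head><title>404 - Page Not Found</title></head><body>"
    b"<h1>Page Not Found</h1><p>The requested page does not exist on this server.</p>"
    + PADDING + b"</body></html>")
```

`fetch_and_audit("https://ca.example.test:9443/ca/nosuchpage")` runs the same checks against a live instance; the other two functions work offline.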
Comment 2 Matthew Harmsen 2009-06-13 20:44:29 EDT
Re-posting URL:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294807
Comment 3 Matthew Harmsen 2009-06-16 18:29:58 EDT
Created attachment 348176 [details]
PKI 404 Error Handling
Comment 4 Matthew Harmsen 2009-06-16 18:30:24 EDT
Created attachment 348177 [details]
PKI 404 Error Handling (dogtag)
Comment 6 Andrew Wnuk 2009-06-16 20:40:46 EDT
attachment (id=348176)
attachment (id=348177)
+awnuk
Comment 8 Matthew Harmsen 2009-06-16 20:52:24 EDT
NOTE:  Similar "customized" 404 error pages were applied to the RA and TPS
       Apache PKI subsystems as well.  As a result, there was a need to
       generate a top-level port-agnostic TPS Services page.

cd pki/base

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ca/shared/conf/web.xml
M      tks/shared/conf/web.xml
M      ra/apache/conf/httpd.conf
M      ra/lib/perl/PKI/RA/DonePanel.pm
M      ocsp/shared/conf/web.xml
M      tps/configure
M      tps/Makefile.in
M      tps/configure.ac
A      tps/lib/perl/PKI/Service
A      tps/lib/perl/PKI/Service/Op.pm
M      tps/lib/perl/PKI/TPS/DonePanel.pm
M      tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
A      tps/lib/perl/PKI/Base
A      tps/lib/perl/PKI/Base/Conf.pm
A      tps/lib/perl/PKI/Base/Registry.pm
M      tps/setup_package
M      tps/apache/conf/httpd.conf
A      tps/forms/index.cgi
M      tps/forms/index.html
M      tps/Makefile.am
M      kra/shared/conf/web.xml

% svn commit
Sending        base/ca/shared/conf/web.xml
Sending        base/kra/shared/conf/web.xml
Sending        base/ocsp/shared/conf/web.xml
Sending        base/ra/apache/conf/httpd.conf
Sending        base/ra/lib/perl/PKI/RA/DonePanel.pm
Sending        base/tks/shared/conf/web.xml
Sending        base/tps/Makefile.am
Sending        base/tps/Makefile.in
Sending        base/tps/apache/conf/httpd.conf
Sending        base/tps/configure
Sending        base/tps/configure.ac
Adding         base/tps/forms/index.cgi
Sending        base/tps/forms/index.html
Adding         base/tps/lib/perl/PKI/Base
Adding         base/tps/lib/perl/PKI/Base/Conf.pm
Adding         base/tps/lib/perl/PKI/Base/Registry.pm
Adding         base/tps/lib/perl/PKI/Service
Adding         base/tps/lib/perl/PKI/Service/Op.pm
Sending        base/tps/lib/perl/PKI/TPS/DonePanel.pm
Sending        base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm
Sending        base/tps/setup_package
Transmitting file data ...................
Committed revision 617.



cd pki/dogtag

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
A      ocsp-ui/shared/webapps/ocsp/404.html
M      ocsp-ui/dogtag-pki-ocsp-ui.spec
A      tps-ui/shared/docroot/footer.vm
M      tps-ui/shared/docroot/tps/admin/console/config/donepanel.vm
A      tps-ui/shared/docroot/index.vm
A      tps-ui/shared/docroot/header.vm
A      tps-ui/shared/docroot/404.html
M      tps-ui/dogtag-pki-tps-ui.spec
M      ca/pki-ca.spec
M      kra-ui/dogtag-pki-kra-ui.spec
A      kra-ui/shared/webapps/kra/404.html
A      ca-ui/shared/webapps/ca/404.html
M      ca-ui/dogtag-pki-ca-ui.spec
M      tks/pki-tks.spec
M      ra/pki-ra.spec
M      ocsp/pki-ocsp.spec
M      tps/pki-tps.spec
A      tks-ui/shared/webapps/tks/404.html
M      tks-ui/dogtag-pki-tks-ui.spec
M      kra/pki-kra.spec
A      ra-ui/shared/docroot/404.html
M      ra-ui/dogtag-pki-ra-ui.spec

% svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/ca-ui/dogtag-pki-ca-ui.spec
Adding         dogtag/ca-ui/shared/webapps/ca/404.html
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/kra-ui/dogtag-pki-kra-ui.spec
Adding         dogtag/kra-ui/shared/webapps/kra/404.html
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/ocsp-ui/dogtag-pki-ocsp-ui.spec
Adding         dogtag/ocsp-ui/shared/webapps/ocsp/404.html
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/ra-ui/dogtag-pki-ra-ui.spec
Adding         dogtag/ra-ui/shared/docroot/404.html
Sending        dogtag/tks/pki-tks.spec
Sending        dogtag/tks-ui/dogtag-pki-tks-ui.spec
Adding         dogtag/tks-ui/shared/webapps/tks/404.html
Sending        dogtag/tps/pki-tps.spec
Sending        dogtag/tps-ui/dogtag-pki-tps-ui.spec
Adding         dogtag/tps-ui/shared/docroot/404.html
Adding         dogtag/tps-ui/shared/docroot/footer.vm
Adding         dogtag/tps-ui/shared/docroot/header.vm
Adding         dogtag/tps-ui/shared/docroot/index.vm
Sending        dogtag/tps-ui/shared/docroot/tps/admin/console/config/donepanel.vm
Transmitting file data ......................
Committed revision 618.
Comment 10 Jenny Galipeau 2009-06-26 12:34:18 EDT
Created attachment 349575 [details]
screen shot of custom Error 404 page

Verified for all subsystems' web UIs: all return the custom 404 error page.
See the attached CA error 404 for an example.
