
JBoss page found under PAM's URL shows server information


Article ID: 113271


Products

CA Process Automation Base

Issue/Introduction

Two addresses under the Process Automation (PAM) URL show server information, which can be considered a security breach.

The addresses are the following:


http://PAM_server:PORT/status
http://PAM_server:PORT/status?full=true


Those addresses show the following:



User-added image

Cause

This is caused by the default configuration of the JBoss application server, which can be changed.

Environment

Process Automation 4.3, 4.3.01, 4.3.02 and 4.3.03

Resolution

To remove this page, follow these steps:


1.- Stop PAM services.

2.- Navigate to: ..PAM\server\c2o\deploy\ROOT.war\WEB-INF

3.- Take a backup of the "web.xml" file and place that copy outside the PAM folder.

4.- Open the original file and comment out everything between lines 13 and 22, as follows:


<!--
<servlet>
    <servlet-name>Status Servlet</servlet-name>
    <servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Status Servlet</servlet-name>
    <url-pattern>/status</url-pattern>
</servlet-mapping>
-->


5.- Save the change and start the PAM service.


With this change, both addresses will now show the following:



User-added image
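To confirm the edit from step 4 on a given server, the check below reports any URL pattern still mapped to the StatusServlet in a web.xml. It is an added example, not part of the original article or of the product; the function names and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

STATUS_CLASS = "org.jboss.web.tomcat.service.StatusServlet"  # class named in step 4

# Constructed samples: the servlet block from step 4, active and commented out.
SERVLET_BLOCK = """
  <servlet>
    <servlet-name>Status Servlet</servlet-name>
    <servlet-class>org.jboss.web.tomcat.service.StatusServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Status Servlet</servlet-name>
    <url-pattern>/status</url-pattern>
  </servlet-mapping>
"""
BEFORE = "<web-app>" + SERVLET_BLOCK + "</web-app>"
AFTER = "<web-app><!--" + SERVLET_BLOCK + "--></web-app>"


def _local(tag):
    """Drop an XML namespace prefix so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if there is none."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def active_status_mappings(web_xml):
    """Return the url-patterns still mapped to the JBoss StatusServlet.

    ElementTree discards XML comments while parsing, so a servlet that has
    been commented out is not reported.
    """
    root = ET.fromstring(web_xml)
    names = {_child_text(e, "servlet-name") for e in root.iter()
             if _local(e.tag) == "servlet"
             and _child_text(e, "servlet-class") == STATUS_CLASS}
    return [_child_text(e, "url-pattern") for e in root.iter()
            if _local(e.tag) == "servlet-mapping"
            and _child_text(e, "servlet-name") in names]


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, active_status_mappings(doc))
```

To audit a real installation, pass the contents of the edited web.xml (read as bytes) to `active_status_mappings`; an empty list means the status page is no longer mapped.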
