
Default Error Pages Present - Endevor Webservices


Article ID: 134199


Updated On:


Endevor Software Change Manager (SCM)
Endevor Software Change Manager - Natural Integration (SCM)
Endevor Software Change Manager - ECLIPSE Plugin (SCM)
Endevor Software Change Manager - Enterprise Workbench (SCM)


Penetration testing has identified an issue: "Default Error Pages Present - Endevor Webservices". The server returned error pages that are the defaults for the Apache Tomcat technology in use. The content of these pages allowed the web server version to be enumerated, which could give an attacker information about the specific technology versions in use on the target system and aid in devising further attacks.


Release : 18.0

Component : CA Endevor Software Change Manager


Default Tomcat behavior. 


In server.xml, add this line:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

This globally suppresses the Tomcat version and error report in webapps that do not use custom error pages, so that only the error code is shown.
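To confirm the setting is in place after editing server.xml, the following added example (not part of the original article or of the product) audits a server.xml for the valve shown above. It assumes the valve is nested inside each <Host> element, which is where Tomcat documents ErrorReportValve; the sample XML and the function name audit_server_xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml content (not the product's shipped configuration).
DEFAULT_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" />
      </Host>
    </Engine>
  </Service>
</Server>"""

# Same file with the valve from this article added as the last child of <Host>.
HARDENED_XML = DEFAULT_XML.replace(
    "</Host>",
    '  <Valve className="%s" showReport="false" showServerInfo="false" />\n      </Host>' % ERV,
)

def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every Host suppresses the report."""
    findings = []
    root = ET.fromstring(xml_text)
    hosts = list(root.iter("Host"))
    if not hosts:
        findings.append("no <Host> element found")
    for host in hosts:
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            findings.append(f"Host {name}: no ErrorReportValve, Tomcat defaults apply")
            continue
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                # Both attributes default to true when omitted.
                if valve.get(attr, "true").strip().lower() != "false":
                    findings.append(f"Host {name}: {attr} is not false")
    return findings

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_XML), ("hardened", HARDENED_XML)):
        print(label, audit_server_xml(text) or "OK")
```

An empty result means every Host in the file carries the valve with both attributes set to false; Tomcat must be restarted for a server.xml change to take effect.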

Upgrade to latest maintenance: SO09627