Endevor Web Services: How to prevent stack trace showing debug information
search cancel

Endevor Web Services: How to prevent stack trace showing debug information

book

Article ID: 368503

calendar_today

Updated On:

Products

Endevor

Issue/Introduction

The Apache Tomcat instance hosting the Endevor web service was configured to display detailed error messages when an application exception was generated. Printing debugging information in the form of a stack trace associated with an error can leak information about the internal structure of the application which could potentially lead to the discovery or classification of additional vulnerabilities.

Environment

Endevor Web Services

Cause

Some information such as libraries referenced in the trace could point a hacker in the direction of an exploit. 

Resolution

The stack trace should be preventable by setting showReport=false on the error valve:

showReport    
Flag to determine if the error report (custom error message and/or stack trace) is presented when an error occurs. If set to false, then the error report is not returned in the HTML response

server.xml:

<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />            

Powered by Wolken Software