Known Issue ID | FMESERVER-10753
---|---
Discovery | 2018
Affects | All Versions
Resolved | 2022.2
Symptom
A security scan of FME Server has reported a vulnerability relating to the use of default files in Apache Tomcat. The report may look similar to the example below, which comes from the vulnerability scanner Nessus.
Synopsis: The remote web server contains default files.
Description: The default error page, default index page, example JSPs and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.
Solution: Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.
Cause
The default-files vulnerability refers to the error pages returned when you browse to a non-existent URL endpoint from the root of your FME Server, for example https://<hostname>/testing.
The scanner is flagging that this page discloses the technology stack as Tomcat. These pages are expected to be FME Server branded, as they are when you browse to a non-existent URL endpoint under one of FME Server's web apps, e.g. https://<hostname>/fmeserver/testing.
Resolution
Note: in FME Server 2022.2 and newer, option 3 is deployed with the installation by default.
Option 1: Create Custom Error Page
Create your own custom error pages for the ROOT web app in Tomcat.
- Open a text editor as an administrator and open web.xml located in <FMEServerInstallDir>\Utilities\tomcat\conf
- Go to the bottom of the file and, above the closing </web-app> element, add the following:
<error-page>
  <error-code>404</error-code>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>403</error-code>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/error.jsp</location>
</error-page>
- Go to <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT and create a new file called error.jsp. You can customize the contents of this file however you wish; this is the page that will be returned when an error occurs at the root URL of your FME Server. The simple example I used in my testing was:
<!doctype html>
<title>Something went wrong!</title>
<body>
  <p>There was an error accessing FME Server, please return to <a href="https://<hostname>/fmeserver">https://<hostname>/fmeserver</a> and start again.</p>
</body>
- Restart the FME Server Web Application Server Service
- Navigate to http(s)://<hostname>/testing and you should now see your custom HTML page.
Note: if you prefer, you can create a different .jsp page for each error code and edit the <location> tags in step 2 to point to the name of each new page.
Option 2: Disable Tomcat Name/Version
Create a ServerInfo.properties file to hide the Tomcat name and version from the default error page.
- Go to <FMEServerInstallDir>\Utilities\tomcat\lib and create the additional folder path org\apache\catalina\util
- Create a new properties file with the name ServerInfo.properties inside the new util folder
- Edit the file and add the line server.info=Application Server
- Save the file and restart the FME Server Web Application Server Service
- Navigate to http(s)://<hostname>/testing and you should now see 'Application Server' instead of 'Apache Tomcat/Version'.
Option 3: Hide Tomcat Name/Version and Message Details
Note, this configuration is included by default in FME Server 2022.2 and newer.
- Open a text editor as an administrator and open server.xml located in <FMEServerInstallDir>\Utilities\tomcat\conf
- Go to the bottom of the file and, below the closing </Host> tag, insert the following:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
- Save the file and restart the FME Server Web Application Server Service
- Navigate to http(s)://<hostname>/testing and you should now see only the error code reported.
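An added verification check (not part of the original article) that tells the three options apart by what the error page for a bogus root URL still reveals: the Tomcat banner (options 2 and 3), the Type/Message/Description report details (option 3), and the stock "HTTP Status" title (option 1 only). The sample bodies are constructed to resemble Tomcat's report page and the hostname is a placeholder.

```python
import re
import urllib.error
import urllib.request

# Fingerprints of Tomcat's stock error report. The <b>Type/Message/Description</b>
# paragraphs are what option 3 suppresses with showReport="false"; the
# "Apache Tomcat/<version>" line is what option 2 rewrites via server.info and
# option 3 removes with showServerInfo="false".
TOMCAT_BANNER = re.compile(r"Apache Tomcat(?:/([\d.]+))?", re.I)
REPORT_FIELDS = re.compile(r"<b>\s*(Type|Message|Description)\s*</b>", re.I)
STOCK_TITLE = re.compile(r"<title>\s*HTTP Status \d{3}", re.I)


def audit_error_page(body: str) -> dict:
    """Report what an error page for a bogus root URL (e.g. /testing) still discloses."""
    findings = []
    banner = TOMCAT_BANNER.search(body)
    if banner:
        version = f"/{banner.group(1)}" if banner.group(1) else ""
        findings.append(f"server banner: Apache Tomcat{version}")
    fields = sorted({f.title() for f in REPORT_FIELDS.findall(body)})
    if fields:
        findings.append("report details: " + ", ".join(fields))
    if STOCK_TITLE.search(body):
        findings.append("stock 'HTTP Status' title")
    return {"discloses_tomcat": banner is not None, "findings": findings}


def fetch_error_body(url: str) -> str:
    """GET a non-existent endpoint; a 4xx/5xx raises HTTPError, whose body is the error page."""
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


# Constructed sample bodies modelled on Tomcat's default report; not captured from a real server.
DEFAULT_404 = ("<!doctype html><html><head><title>HTTP Status 404 – Not Found</title></head>"
               "<body><h1>HTTP Status 404 – Not Found</h1><p><b>Type</b> Status Report</p>"
               "<p><b>Message</b> &#47;testing</p><p><b>Description</b> The origin server did "
               "not find a current representation for the target resource.</p>"
               "<h3>Apache Tomcat/9.0.0</h3></body></html>")
OPTION2_404 = DEFAULT_404.replace("Apache Tomcat/9.0.0", "Application Server")  # server.info rewrite
OPTION3_404 = ("<!doctype html><html><head><title>HTTP Status 404 – Not Found</title></head>"
               "<body><h1>HTTP Status 404 – Not Found</h1></body></html>")  # report and banner off
OPTION1_404 = ("<!doctype html><title>Something went wrong!</title><body><p>There was an error "
               "accessing FME Server, please return to <a href=\"https://<hostname>/fmeserver\">"
               "https://<hostname>/fmeserver</a> and start again.</p></body>")  # custom error.jsp
```

Against a live server, run audit_error_page(fetch_error_body("https://<hostname>/testing")) and confirm that findings is empty or, for options 2 and 3, that discloses_tomcat is False.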
Troubleshooting
For option 1, if you are using Internet Explorer as your web browser you will need to enable ‘Friendly Error Messages’ for this page to display correctly.