How-to: Modify Apache-Coyote/1.1 Banner

If you’ve ever done a penetration test or had one done, you may have come across the following scenario:

An HTTP service running on port 8080 reveals the product's version information in its banner.
The banner revealed is Apache-Coyote/1.1.
This is the banner of the Apache Tomcat web server, which runs on port 8080 by default.

Apache-Coyote/1.1 Version Disclosure

Now, as per good security practice, the banner should be removed or modified so that it no longer reveals the version number.
This can be achieved by editing your server.xml configuration file, found at the following location:

CATALINA_HOME/conf/server.xml

Original server.xml reveals version information

Modified server.xml

You may need to restart your server for the changes to take effect.
Once the Tomcat server is up, test the server to see if it shows the custom header.

 

> telnet localhost 8080
HEAD / HTTP/1.0
<CRLF>
<CRLF>

Web Server with Custom HTTP Banner
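
The change and the check described above, as an added example that is not the author's own configuration or code: it audits a server.xml for HTTP Connectors whose banner is not overridden and parses the Server header from a raw response. The sample server.xml, the banner value "WebServer" and the function names are constructed for illustration; `server` is the HTTP Connector attribute that overrides the Server response header, and the "default banner" finding assumes a Tomcat release that sends Apache-Coyote/1.1 by default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the author's file): default connectors.
ORIGINAL_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Same file with the Connector's `server` attribute set; "WebServer" is an
# arbitrary placeholder value chosen for this example.
MODIFIED_XML = ORIGINAL_XML.replace(
    'connectionTimeout="20000"', 'connectionTimeout="20000" server="WebServer"')

# A product token followed by "/<digits>", e.g. Apache-Coyote/1.1
VERSIONED = re.compile(r"[^\s/]+/\d[\w.]*")

def audit_connectors(server_xml):
    """Return (port, finding) for each HTTP Connector that still discloses a version."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # AJP connectors talk to a front-end web server, not HTTP clients
        banner = conn.get("server")
        if banner is None:
            findings.append((conn.get("port"), "no server attribute, default banner applies"))
        elif VERSIONED.search(banner):
            findings.append((conn.get("port"), "custom banner still versioned: " + banner))
    return findings

def server_header(raw_response):
    """Pull the Server header out of a raw HTTP response, as seen in the telnet test."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

if __name__ == "__main__":
    print("original:", audit_connectors(ORIGINAL_XML))
    print("modified:", audit_connectors(MODIFIED_XML))
    # Constructed response, as returned to HEAD / HTTP/1.0 before the change
    before = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n\r\n"
    print("header:", server_header(before), bool(VERSIONED.search(server_header(before))))
```

A custom banner that itself carries a version string is still reported, so the replacement value should be a plain token.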

 

Hope this helps others who are looking for a solution to the banner version disclosure.

Check out OWASP’s article on Securing Tomcat for more details.

Wasim
