[WEB SECURITY] Tomcat Banner

Rakesh Kumar rakesh at isac.gov.in
Tue Dec 20 22:20:22 EST 2005


I got the following answer when I was on the Tomcat-user mailing list, which may be
useful for your query:

1.
------------------------------------------------------------------------------
> Take a look at
>
> ./org/apache/catalina/util/ServerInfo.properties
>
> in CATALINA_HOME/server/lib/catalina.jar.
>
> It contains:
>
> server.info=Apache Tomcat/5.5.10
> server.number=5.5.10.0
>
> You can put different values in there and deploy the new properties file in
>
> CATALINA_HOME/server/classes/org/apache/catalina/util/ServerInfo.properties
------------------------------------------------------------------------------
2. The Server header can be configured in the <Connector> declaration.

server='Sun Solaris IIS/6.0'
-------------------------------------------------------------------------------


Rakesh Kumar,
Bangalore - 560017


Quoting Joseph Peloquin <jpelo1 at jcpenney.com>:

> Note: I received this on the webappsec list, and since I don't
> cross-post, removed the other lists from the reply.  Just a heads-up in
> case it works out for you and you'd care to share it with the other
> lists.
>
> This has been asked before on the list, and I don't think we ever came
> up with the solution.  If we did, my archive searching ability must take
> a hit during the Holidays.
>
> So, I did some research.. and AFAIK this is not possible without
> recompiling Tomcat yourself.
>
> I am not a Java programmer, so you may want to verify this on the Tomcat
> forums, but it appears you need to modify Constants.java, under the
> following path in Windows;
>
> apache-tomcat-5.5.14-src\connectors\jk\java\org\apache\coyote\ajp
>
> Unless I'm mistaken, the property you're looking for is;
>
> /**
> * Server string.
> */
> public static final byte[] SERVER_BYTES =
> ByteChunk.convertToBytes("Server: Apache-Coyote/1.1" + CRLF);
>
> And if I am mistaken, perhaps this will provide a clue to what you
> really need.
>
> Good luck!
>
> Cheers,
> Joey
>
> |-----Original Message-----
> |From: Andres Molinetti [mailto:andymolinetti at hotmail.com]
> |Sent: Tuesday, December 20, 2005 7:35 AM
> |To: pen-test at securityfocus.com
> |Cc: websecurity at webappsec.org; webappsec at securityfocus.com
> |Subject: [WEB SECURITY] Tomcat Banner
> |
> |Hi,
> |
> |I am trying to change Tomcat 5.5 Banner information so that it
> |avoids showing "Apache-Coyote/1.1".
> |
> |Putting aside all stuff about security through
> |obscurity...does anyone know a way to do this?
> |
> |Thanks,
> |
> |Andres.-
>



----------------------------------------------------------------
PLEASE NOTE THE CHANGE IN DOMAIN PART OF THE "FROM :" ADDRESS.
Our domain is changed to 'isac.gov.in'.
Kindly update your Address Book accordingly.
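
The first method quoted in the message above (reading ServerInfo.properties out of catalina.jar and deploying an edited copy under server/classes), as an added example that is not part of the original thread or of Tomcat itself. The function names, the replacement values and the stand-in CATALINA_HOME built by build_sample_home() are assumptions made for illustration; the paths and the original property values are the ones quoted in the message.

```python
import zipfile
from pathlib import Path

# Path of the properties file inside catalina.jar, as given in the message.
PROPS = "org/apache/catalina/util/ServerInfo.properties"

def read_server_info(catalina_jar):
    """Return the key/value pairs of ServerInfo.properties inside catalina.jar."""
    with zipfile.ZipFile(catalina_jar) as jar:
        text = jar.read(PROPS).decode("iso-8859-1")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the two comment styles of .properties files.
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def write_override(catalina_home, server_info, server_number):
    """Write the edited copy under server/classes; catalina.jar is left untouched."""
    home = Path(catalina_home)
    props = read_server_info(home / "server" / "lib" / "catalina.jar")
    props["server.info"] = server_info
    props["server.number"] = server_number
    target = home / "server" / "classes" / PROPS
    target.parent.mkdir(parents=True, exist_ok=True)
    body = "".join(f"{key}={value}\n" for key, value in props.items())
    target.write_text(body, encoding="iso-8859-1")
    return target

def build_sample_home(root):
    """Constructed stand-in for CATALINA_HOME holding the values quoted in the message."""
    lib = Path(root) / "server" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "catalina.jar", "w") as jar:
        jar.writestr(PROPS, "server.info=Apache Tomcat/5.5.10\nserver.number=5.5.10.0\n")
    return Path(root)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_home(tmp)
        print(read_server_info(home / "server" / "lib" / "catalina.jar"))
        # Replacement values below are constructed examples.
        print(write_override(home, "Apache Tomcat", "0.0.0.0").read_text())
```

This only covers the server.info and server.number values of the first method; the "Server: Apache-Coyote/1.1" response header is the subject of the second method, the Connector setting.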

