Custom page for HTTP 404 page URL in Jenkins - security

My Jenkins is running on https://myhost:9043 using the standalone war on Linux with the below command.
java -jar jenkins.war
However, when I try the following URL for say https://myhost:9043/<any random text> the resource uri is obviously not found.
The problem, however, is I get output in the browser as
HTTP 404 error URI not found Powered by Jetty://9.4.27.vXXXX
I wish not to reveal the Jetty version.
Is there a way to display a custom error page for incorrect URIs thus avoiding revealing the Jetty version? If not, can I somehow hide the Jetty version from being displayed to anonymous users?
I'm not a pure java programmer but just a DevOps admin.

You can override the Jetty version with adding to your command line -Djetty.version=NOTHING
Otherwise I created the issue https://issues.jenkins-ci.org/browse/JENKINS-62890 to have a custom error page from users

Related

Information Disclosue issue in Wildfly and Apache Web Server

We are working in an environment where UI Requests flow to a WildFly Server (where the WAR is deployed) versioned 10.1.0 via an Apache Web Server versioned 2.4
We were running Security tests and when using a VirtualDirContext, it was possible to bypass the security constraints and view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request via Burp.
How we reproduce the vulnerability in Burp:
We capture a random Request via the UI and replicate it in Burp.
We turn the Request into a GET Request, mention the path of a JSP file and add %2520 to it.
This issue is reproducible even if the Requests go directly to the WildFly Server instead of via the Apache Web Server.
Is there a way to prevent this vulnerability? We believe validating each Request for the presence of %2520 in it in the Filter layer may not be a comprehensive fix.
In simple words, when we use a URL that contains the path of a JSP file present in the code, appended with %2520, the content of the JSP was disclosed. Is there a way to prevent this?

Localhost webserver denying PUT request

I have configured a webserver on localhost with https using Microsoft IIS Administration. I am able to browse directory with files with browsers and Visual Studio using localhost prefixed with https, such as https://localhost/trial etc.
I wish to upload a file to the said directory, ie., trial, using Libcurl to test some features. Unfortunately I'm unable to do so.
Using the same Libcurl example as given on
Libcurl File Upload
-modified for https, the console window tells me that the following has occurred, upon running the code :
IIS 10.0 Detailed Error - 405.0 - Method Not Allowed
HTTP Error 405.0 - Method Not Allowed The page you are
looking for cannot be displayed because an invalid method (HTTP verb)
is being used.
I checked the IIS Administrator and saw that all authorizations are allowed. I suppose the fact that it is flagging a HTTP verb issue rather than HTTPS as I'd enabled and used as URL in code isn't a big thing?
Libcurl uses PUT for uploading files, so should be an allowed verb.
I am quite new to this, so I'm not certain I did something incorrect with the setting up of the webserver, or whether there are security issues or permission issues which are causing a problem here.
As far as I know, there is impossible to use http put or post a file to a IIS web application's folder without writing server-side code. Otherwise, configure an FTP site on your IIS installation. Then you could use ftp command to upload the file.
If you really need using HTTP put or post to upload the file, you could consider using WebDav.
More details about what is webdev and how to use it, you could refer to below article.
https://learn.microsoft.com/en-us/iis/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-7/what39s-new-for-webdav-and-iis-7
Try hostname instead of localhost
Add a trailing slash (/) for the directory.

“The page you are requesting cannot be served because of the extension configuration.” error message

I am trying to run class asp site in iis 7.5, I have verified that asp feature is turned on. I have read on other question that running aspnet_regiis.exe will solve. But how. I run this and got information about command.
try with add handler mapping with
request Path = *.asp
Executable = C:\Windows\System32\inetsrv\asp.dll
Hope this will work

How to test a 503 custom error page.

A rather strange question:
How can I test a custom 503 error page without restarting the service.
(Struts application on tomcat with apache front loading)
"What I really want is some how SIMULATE that the tomcat crashed, and apache as the front end will grab the error page, and redirect to the custom error page"
You could create a Servlet which you exclude from production builds. This Servlet examines a parameter (e.g. errorCode) and sets it using the HTTP Servlet Response object: javax/servlet/http/HttpServletResponse.html#sendError(int, java.lang.String).
Then you are able to test all kinds of error codes, e.g.:
http://myapp.com/webapp/errorServlet?503
Not nice, but should work... if you want to unit test your Apache Web Server only you could create a separate WAR file (depends on your test scope).
Have you tried to use curl?
curl -H http://your/path/to/503page

problem using a custom 404 page in IIS

I have a web site with a child directory set up as an application. I set up the application to use a custom 404 page. When I navigate to the url and put in a non existent page I get the following error message. Any other asp page in the application works fine. There isn't even any script in the 404 page... just plain html so I'm not sure what is causing this. I've tried creating an application pool specifically for this application but that didn't help. Thanks.
Error message: The specified request cannot be executed from current Application Pool
Try to create a registry key with the name IgnoreAppPoolForCustomErrors (type DWORD, value 1) in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\
See http://blogs.msdn.com/rakkimk/archive/2006/09/01/735684.aspx or http://www.yanghengfei.com/show-131-1.html for more information - seems to be a not so uncommon problem.

Resources