httpd.conf options that are not in Tomcat's xml config files

[Kydd]

We ran a vulerability assesment and here are 2 issues that popped up. Since Tomcat does not have an httpd.conf file, what options are needed to be set to fix these? Also, what's the option for creating custom 404/403 pages?

The Mac OS X Finder creates a file called .DS_Store in each directory that it views. Some versions of OS X include system configuration information and file location information in these files. The .DS_Store files can be accessed from this server via a web request such as

http://IP/.DS_Store.

Service: Apache-Coyote/1.1
Bugtraq:3316
Configure your Apache server to block access to these files with the FileMatch feature of httpd.conf.

Some distributions of Apache, especially in Red Hat 7.0, allow an attacker to probe a system for user names via requests for
user home pages (e.g.,

http://host/~username).

Service: Apache-Coyote/1.1
CVE:CAN-2001-1013
Bugtraq:3335
Disabling the UserDir directive in the Apache configuration file (httpd.conf) will prevent this, although it will also prevent users from providing their own web pages. Alternately, specify ErrorDocuments for both 403 (Forbidden) and 404 (Page Not Found) responses.

 

[sedj]

Any Apache questions should be directed at the Apache forum.

Not quite sure what you mean by "Since Tomcat does not have an httpd.conf file, what options are needed to be set to fix these" ... fix what exactly ? What does httpd.conf have to do with Tomcat config ?

Custom HTTP status error pages :

http://www.cymulacrum.net/writings/tomcat5/c581.html

(section 6.2)

--------------------------------------------------
Free Java/J2EE Database Connection Pooling Software

http://www.primrose.org.uk

 

[Kydd]

Thanks for the reply and link to the custom pages.

I can see how my wording of the question is confusing. What I'm looking for is, are there Tomcat-equivalent directives to httpd.conf's "FileMatch" and "UserDir" options?