
【error】漏洞修复记录

source link: https://holydogs.github.io/2021/12/26/%E3%80%90error%E3%80%91%E6%BC%8F%E6%B4%9E%E4%BF%AE%E5%A4%8D%E8%AE%B0%E5%BD%95/

1、nginx使用OPTIONS方式请求报错,暴露nginx版本

nginx配置里加上

server_tokens off;

即可隐藏nginx版本

2、tomcat404、504等等报错时,暴露tomcat版本号

web.xml加上

<error-page>
    <error-code>404</error-code>
    <location>/404.html</location>
</error-page>

然后在该项目根目录放入404页面即可

3、druid监控平台页面暴露至外网

web.xml中原配置如下

<servlet>
  <servlet-name>DruidStatView</servlet-name>
  <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>DruidStatView</servlet-name>
  <url-pattern>/druid/*</url-pattern>
</servlet-mapping>

修改增加ip白名单限制以及账号密码登录限制才可访问（下面的 allow 只放行 127.0.0.1，即只能从本机访问；loginUsername/loginPassword 仅为示例值，需替换为强口令，且不要沿用 admin 这类默认账号）

<servlet>
  <servlet-name>DruidStatView</servlet-name>
  <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
  <init-param>
      <!-- 白名单 -->
      <param-name>allow</param-name>
      <param-value>127.0.0.1</param-value>
  </init-param>
  <init-param>
    <!-- 账号 -->
    <param-name>loginUsername</param-name>
    <param-value>admin</param-value>
  </init-param>
  <init-param>
    <!-- 密码 -->
    <param-name>loginPassword</param-name>
    <param-value>mydruid</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>DruidStatView</servlet-name>
  <url-pattern>/druid/*</url-pattern>
</servlet-mapping>

4、某些cookie没有设置httponly或者secure属性

增加过滤器,拦截请求,设置cookie属性

package com.zjasm.filter;  

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.annotation.WebFilter;  
import javax.servlet.http.Cookie;  
import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletResponse;  
import java.io.IOException;  

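/**
 * Servlet Filter implementation class CookieFilter.
 *
 * Mitigates the "Cookie without HttpOnly" and "Cookie without Secure" findings:
 * every cookie received on the request is re-issued as a {@code Set-Cookie}
 * header carrying both attributes, and {@code X-Frame-Options: SAMEORIGIN}
 * is set on every response.
 *
 * Scope to keep in mind:
 * <ul>
 *   <li>Only cookies already present on the request are re-issued. A cookie the
 *       application or the container creates later in the same response is not
 *       touched; for the session cookie the Servlet 3.0
 *       {@code <session-config><cookie-config>} block in web.xml is the place to
 *       set {@code <http-only>} and {@code <secure>}.</li>
 *   <li>The re-issued header carries name and value only (no Path, Domain or
 *       Max-Age), so the browser falls back to its default-path and
 *       session-lifetime rules for it.</li>
 *   <li>{@code Secure} is added unconditionally, so a client talking plain HTTP
 *       will stop sending the cookie back after the first response.</li>
 * </ul>
 */
@WebFilter(filterName="cookieFilter",urlPatterns={"/*"})
public class CookieFilter implements Filter{

    /** Default constructor; the filter keeps no state. */
    public CookieFilter() {
    }

    /** @see Filter#destroy() */
    public void destroy() {
        // nothing to release
    }

    /**
     * Re-issues the request's cookies with Secure and HttpOnly, sets
     * X-Frame-Options, then continues the chain.
     *
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Clickjacking protection belongs to every response, not only to requests
        // that carry cookies; setHeader keeps it to a single value instead of one
        // copy per cookie.
        resp.setHeader("x-frame-options", "SAMEORIGIN");

        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                resp.addHeader("Set-Cookie", hardenedSetCookie(cookie));
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Builds the Set-Cookie value that re-issues {@code cookie} with the Secure
     * and HttpOnly attributes appended.
     *
     * @param cookie cookie taken from the incoming request
     * @return header value of the form {@code name=value;Secure;HttpOnly;}
     */
    private static String hardenedSetCookie(Cookie cookie) {
        return cookie.getName() + "=" + cookie.getValue() + ";Secure;HttpOnly;";
    }

    /** @see Filter#init(FilterConfig) */
    public void init(FilterConfig fConfig) throws ServletException {
        // no configuration parameters are read
    }

}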

5、nginx404页面添加

如404为tomcat抛出,经过nginx需要配置

proxy_intercept_errors on;

404页面配置,root代表nginx目录根目录路径,404页面放在html目录下

error_page 404 /404.html;

location = /404.html {
  root html;
}

6、tomcat启动环境异常

打开catalina.bat(windows环境),在setlocal下设置jdk环境

set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_91
set JRE_HOME=C:\Program Files\Java\jdk1.8.0_91\jre

7、tomcat运行内存不足

在“rem —– Execute The Requested Command ———————-”下加入

JAVA_OPTS="-server -Xms800m -Xmx800m -XX:NewSize=256M -XX:PermSize=256M -XX:MaxNewSize=512m -XX:MaxPermSize=512m"


