ColdFusion Errors and Security

I was chatting with Russ McRee this week about the danger of sites that dump too much debugging/error information when an error occurs.  This isn't specific to ColdFusion.  Programmers or all languages do this all the time.  CF does give us a LOT of potential detail though and that can be dangerous.  Luckily with ColdFusion it is quite easy to remedy so I thought I would do a quick reminder post.  To myself as much to anyone else who may read.

There are two ways I see the details being leaked out.

1) People have enabled the robust errors setting in CF Administrator.  This should never be done on a production server.  If your not sure, or even if you are sure, log into your CF Admin right now and check.  Is Enable Robust Exception Information checked off on your public server? 

2) Forgetting to remove debugging dump code. (I love CFDump)  Alternatively forgetting to turn 'dev' mode off.  I have been guilty of this.  I throw up some debug dumps into my error page to see whats going on rather then waiting for the error email, and forget to take em out.  Its sloppy yes, and easy to do.

So today I declare its check our error output day.  Are you letting too many details about your server and various scopes get published to just anyone?

In a related note it is always good to catch those errors, show a friendly (or mean) error page and then email or log those errors for you to review later.  Ben Nadel has a good post on exactly how to do that and make sure you are NOT passing any potentially sensitive data in that email as well.

Russ also pointed me to this page, which is an interesting take on how a hacker may see CF and identify possible vulnerabilities.

Any other scenarios I missed?