ColdFusion Errors and Security

I was chatting with Russ McRee this week about the danger of sites that dump too much debugging/error information when an error occurs.  This isn't specific to ColdFusion.  Programmers or all languages do this all the time.  CF does give us a LOT of potential detail though and that can be dangerous.  Luckily with ColdFusion it is quite easy to remedy so I thought I would do a quick reminder post.  To myself as much to anyone else who may read.

There are two ways I see the details being leaked out.

1) People have enabled the robust errors setting in CF Administrator.  This should never be done on a production server.  If your not sure, or even if you are sure, log into your CF Admin right now and check.  Is Enable Robust Exception Information checked off on your public server? 

2) Forgetting to remove debugging dump code. (I love CFDump)  Alternatively forgetting to turn 'dev' mode off.  I have been guilty of this.  I throw up some debug dumps into my error page to see whats going on rather then waiting for the error email, and forget to take em out.  Its sloppy yes, and easy to do.

So today I declare its check our error output day.  Are you letting too many details about your server and various scopes get published to just anyone?

In a related note it is always good to catch those errors, show a friendly (or mean) error page and then email or log those errors for you to review later.  Ben Nadel has a good post on exactly how to do that and make sure you are NOT passing any potentially sensitive data in that email as well.

Russ also pointed me to this page, which is an interesting take on how a hacker may see CF and identify possible vulnerabilities.

Any other scenarios I missed?

TweetBacks
Comments
Stefan le Roux's Gravatar 1. If you don't need web access to your http://domainname/CFIDE/administrator/index.cfm, it's probably a good idea to restrict access to the CFIDE directory as well;

2. "Use Application.cfc" to govern all requests made to your application;

3. Think long and hard about setting CFC function access="remote", and secure them via authentication as well.

4. Think like a thief.

Great post, you made me think about these issues again, and there's some stuff I need to go an lock down ...
# Posted By Stefan le Roux | 8/29/08 1:22 AM

NAVIGATION

Home
About Me

RSS


Search

Subscribe

Enter your email address to subscribe to this blog.

Recent Entries

Inception Plot Questions
Random Chuck Norris Fact Generator With A Twist
Virtual Currency for Buses
Applying ColdFusion Security Patches Gotcha
Privacy, Walled Gardens, Standards and Our Future

Recent Comments

KTML File Uploads Hang in IE7 with Flash 10 and How to Fix
Eric said: Thanks much [More]

Inception Plot Questions
hohack said: @ switchkosterice 5 comments, those kids are from when mal is alive still [More]

Inception Plot Questions
Ira said: Just saw it a 2nd time. Do so, and pay extremely close attention to two details throughout the film:... [More]

Inception Plot Questions
said: [More]

Inception Plot Questions
switchkosterice said: The kids at the end actually have aged. In fact, they're an entirely different (and older) set of ac... [More]

Calendar

Sun Mon Tue Wed Thu Fri Sat
    123
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

Archives By Subject

blogs (31) [RSS]
books (4) [RSS]
Crazy (39) [RSS]
DIY (8) [RSS]
Flex (3) [RSS]
games (10) [RSS]
GRRR (13) [RSS]
Ideas (11) [RSS]
Local (14) [RSS]
LOLpics (2) [RSS]
money (9) [RSS]
music (3) [RSS]
Personal (27) [RSS]
Photos (8) [RSS]
Politics (8) [RSS]
Projects (22) [RSS]
Review (19) [RSS]
RPM (9) [RSS]
Spam (16) [RSS]
Technology (68) [RSS]
Testing (3) [RSS]
TV (15) [RSS]
video (32) [RSS]
Web Dev (224) [RSS]
World of Warcraft (16) [RSS]