
ColdFusion Errors and Security
I was chatting with Russ McRee this week about the danger of sites that dump too much debugging/error information when an error occurs. This isn't specific to ColdFusion. Programmers or all languages do this all the time. CF does give us a LOT of potential detail though and that can be dangerous. Luckily with ColdFusion it is quite easy to remedy so I thought I would do a quick reminder post. To myself as much to anyone else who may read.
There are two ways I see the details being leaked out.
1) People have enabled the robust errors setting in CF Administrator. This should never be done on a production server. If your not sure, or even if you are sure, log into your CF Admin right now and check. Is Enable Robust Exception Information checked off on your public server?
2) Forgetting to remove debugging dump code. (I love CFDump) Alternatively forgetting to turn 'dev' mode off. I have been guilty of this. I throw up some debug dumps into my error page to see whats going on rather then waiting for the error email, and forget to take em out. Its sloppy yes, and easy to do.
So today I declare its check our error output day. Are you letting too many details about your server and various scopes get published to just anyone?
In a related note it is always good to catch those errors, show a friendly (or mean) error page and then email or log those errors for you to review later. Ben Nadel has a good post on exactly how to do that and make sure you are NOT passing any potentially sensitive data in that email as well.
Russ also pointed me to this page, which is an interesting take on how a hacker may see CF and identify possible vulnerabilities.
Any other scenarios I missed?

NAVIGATION
HomeAbout Me
RSS
Search
Subscribe
Recent Entries
Flash Camp BostonNew Blog Design
Pre-Conference Training at cf.Objective()
FireFox 3.6 KTML Editor Fix
I am now a part of the Adobe Community Professionals Group
Recent Comments
FireFox 3.6 KTML Editor Fix
Joshua said: While changing that far will load the editor, does it show the drop down class menu correctly now?
[More]
FireFox 3.6 KTML Editor Fix
Al Johnson said: HI,
I am still fighting to keep my code going as there is nothing better than KTML nad I have writt...
[More]
Google Chrome Review
web development said: ow there are all kinds of cool architectural ideas around Google Chrome, but right now, they don't m...
[More]
FireFox 3.6 KTML Editor Fix
wayne said: i have been having issues with the code editor myself, it seems i can no longer copy and paste or th...
[More]
submiting a form inside an iframe from outside the iframe
Peter said: I doubt you’re still having this problem over 2 years later, but if anyone else finds this page on t...
[More]
Calendar
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 |
Archives By Subject
blogs (31) [RSS]books (4) [RSS]
Crazy (39) [RSS]
DIY (8) [RSS]
Flex (3) [RSS]
games (10) [RSS]
GRRR (13) [RSS]
Ideas (11) [RSS]
Local (14) [RSS]
LOLpics (2) [RSS]
money (9) [RSS]
music (3) [RSS]
Personal (27) [RSS]
Photos (8) [RSS]
Politics (8) [RSS]
Projects (22) [RSS]
Review (18) [RSS]
RPM (9) [RSS]
Spam (16) [RSS]
Technology (66) [RSS]
Testing (3) [RSS]
TV (15) [RSS]
video (32) [RSS]
Web Dev (218) [RSS]
World of Warcraft (16) [RSS]

2. "Use Application.cfc" to govern all requests made to your application;
3. Think long and hard about setting CFC function access="remote", and secure them via authentication as well.
4. Think like a thief.
Great post, you made me think about these issues again, and there's some stuff I need to go an lock down ...