UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ColdFusion site-wide error handler must be valid.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62525 CF11-06-000217 SV-77015r1_rule Medium
Description
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. When the site-wide error handler is blank, information can be presented to an attacker that may expose the cause of exceptions. Having this information, the attacker can then begin attacking this error trying to get the server to fail and cause a DoS, expose PII, or gain access to server resources. A custom site-wide error handler should be created and used that discloses the same generic message to the user for all exceptions and the error must be logged so that the error can be investigated.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2015-11-02

Details

Check Text ( C-63329r1_chk )
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. Validate that the "Site-wide Error Handler" setting is not blank and that the template specified is valid.

If the "Site-wide Error Handler" parameter is blank, this is a finding.

If a template is specified, validate that the template exist. The path and file given are relevant to the web servers' document root directory and not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Site-wide Error Handler" is set to /CFIDE/administrator/templates/secure_profile_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/secure_profile_error.cfm

If the "Site-wide Error Handler" setting is not a valid file, this is a finding.
Fix Text (F-68445r1_fix)
Navigate to the "Settings" page under the "Server Settings" menu. Specify a custom and valid site-wide error handler and select the "Submit Changes" button.