Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62525 | CF11-06-000217 | SV-77015r1_rule | | Medium |
Description |
---|
The structure and content of error messages need to be carefully considered by the organization and development team. Any application that puts too much information into error logs or into administrative messages shown on screen risks compromising the data and security of the application and system. When the site-wide error handler is blank, the details of an exception (message, stack trace, template path) can be presented to an attacker and reveal its cause. With that information, the attacker can then target the failing code path, trying to make the server fail and cause a DoS, expose PII, or gain access to server resources. A custom site-wide error handler should be created and used that discloses the same generic message to the user for all exceptions, and the error must be logged so that it can be investigated. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2015-11-02 |
Check Text ( C-63329r1_chk ) |
---|
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. Validate that the "Site-wide Error Handler" setting is not blank and that the template specified is valid. If the "Site-wide Error Handler" parameter is blank, this is a finding. If a template is specified, validate that the template exists. The path and file given are relative to the web server's document root directory, not the OS root directory. For example, if the web server's document root is /opt/webserver/wwwroot and the "Site-wide Error Handler" is set to /CFIDE/administrator/templates/secure_profile_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/secure_profile_error.cfm. If the "Site-wide Error Handler" setting is not a valid file, this is a finding. |
Fix Text (F-68445r1_fix) |
---|
Navigate to the "Settings" page under the "Server Settings" menu. Specify a custom and valid site-wide error handler and select the "Submit Changes" button. |
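The fix text asks for a custom, valid site-wide error handler but the STIG does not show one. The template below is an added example (it is not part of the STIG and not Adobe's own secure_profile_error.cfm) of a handler that meets the description's two requirements: every exception produces the same generic page, and the details go to a log instead of the browser. The file name, the log file name (siteErrors) and the correlation-id scheme are assumptions; the `error` scope variables used are the ones ColdFusion exposes to a site-wide error handler.

```cfml
<!--- Added example: a site-wide error handler for ColdFusion 11.
      Save it below the web root (for instance at the STIG's example path
      /CFIDE/administrator/templates/secure_profile_error.cfm) and enter that
      path under Server Settings > Settings > "Site-wide Error Handler".
      File name and log name are assumptions, not values from the STIG. --->

<!--- A random correlation id lets support match the generic page to the log
      entry without telling the user anything about the failure itself. --->
<cfset errorId = createUUID()>

<!--- Log what an analyst needs: message, failing template, client address,
      referer and the correlation id. cflog writes to {cf_root}/logs/siteErrors.log.
      The query string is deliberately left out of the summary line because it can
      carry PII or credentials; log it only if your logging policy allows. --->
<cfset logText = "errorId=#errorId#"
    & "; message=#error.message#"
    & "; template=#error.template#"
    & "; remoteAddress=#error.remoteAddress#"
    & "; referer=#error.httpReferer#">
<cflog file="siteErrors" type="error" text="#logText#">

<!--- error.diagnostics holds the stack/tag context. Log it on its own line so the
      summary stays greppable; it is never written to the response. --->
<cflog file="siteErrors" type="error"
       text="errorId=#errorId#; diagnostics=#error.diagnostics#">

<!--- Report failure to the client (and to monitoring) without saying why.
      reset="true" discards any partially rendered page content so that output
      produced before the exception does not leak either. --->
<cfheader statuscode="500" statustext="Internal Server Error">
<cfcontent type="text/html; charset=utf-8" reset="true">
<cfoutput>
<!DOCTYPE html>
<html>
<head><title>Service error</title></head>
<body>
  <h1>Something went wrong</h1>
  <p>The request could not be completed. The problem has been logged.</p>
  <p>If you contact support, quote reference <code>#encodeForHTML(errorId)#</code>.</p>
</body>
</html>
</cfoutput>
```

Keep the handler itself simple: it runs after the application has already failed, so it should avoid database calls, includes and anything else that could throw and leave ColdFusion to fall back to its default, detail-revealing error page. After saving it, repeat the check text: confirm the path entered in the Administrator resolves to an existing file under the web server's document root, then trigger a deliberate error in a test environment and verify that the browser shows only the generic page while siteErrors.log receives the message and diagnostics.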