Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-62531 | CF11-06-000220 | SV-77021r1_rule | High |
Description |
---|
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. The option to enable request debugging output is another tool that a developer can use during the development phase of the hosted application. This feature appends debugging information to the end of each CFML request. Once a hosted application is moved from the development phase to production, the need for debug information is no longer valid. |
STIG | Date |
---|---|
Adobe ColdFusion 11 Security Technical Implementation Guide | 2017-06-15 |
Check Text ( C-63335r1_chk ) |
---|
Within the Administrator Console, navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. If "Enable Request Debugging Output" is checked, this is a finding. |
Fix Text (F-68451r1_fix) |
---|
Navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. Uncheck "Enable Request Debugging Output" and select the "Submit Changes" button. |