ColdFusion must have AJAX Debug Log Window disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62529	CF11-06-000219	SV-77019r1_rule		High

Description
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. Allowing the AJAX Debug Log Window to be enabled allows a user to send AJAX debug messages back to a client. The log data sent is meant to be used in a development environment and used to fix errors in AJAX code. Once the application is developed and is moved to production, debugging is not needed and this feature must be disabled.

Description

Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. Allowing the AJAX Debug Log Window to be enabled allows a user to send AJAX debug messages back to a client. The log data sent is meant to be used in a development environment and used to fix errors in AJAX code. Once the application is developed and is moved to production, debugging is not needed and this feature must be disabled.

STIG	Date
Adobe ColdFusion 11 Security Technical Implementation Guide	2017-12-31

Details

Check Text ( C-63333r1_chk )
Within the Administrator Console, navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. If "Enable AJAX Debug Log Window" is checked, this is a finding.

Fix Text (F-68449r1_fix)
Navigate to the "Debug Output Settings" page under the "Debugging & Output Settings" menu. Uncheck "Enable AJAX Debug Log Window" and select the "Submit Changes" button.