I know I've blogged this before, and it's covered in my security checklist, but folks, stop what you are doing and make these changes right now on your production server:
- In the ColdFusion Admin, Debug Settings, turn off Enable Robust Exception Information. With it on, every unhandled error page shows the physical path of the template, the line number, the stack trace and, for database errors, the failing SQL, to whoever triggered the error.
- In the ColdFusion Admin, Settings, set a site-wide error handler. If every application on the box already handles errors with onError in Application.cfc or <cferror>, this is redundant, but it takes seconds and it covers any application that has no handler of its own. You don't need a pretty page. A template that just says 'Error!' is enough, and it is still 10x better than showing ColdFusion's default error page, with the message, template path and line number, to your users.
The changes above will take you about two minutes. So please do this now.
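The onError route, as an added example (this is not code from the post; the application name, log file name and mail addresses are placeholders, and the "AbortException" type check that skips cfabort, which comes up in the comments below, is an assumption to confirm by dumping the exception on a development box). It logs the full exception server-side, mails a summary, and shows the user nothing but a generic message; everything that could itself throw is wrapped, because an error inside the handler falls through to the default error page:

```cfml
<!--- Application.cfc: added example, not from the original post.
      this.name, the log file and the mail addresses are placeholders;
      the AbortException check is an assumption to verify. --->
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">
    <cfset this.errorLogFile  = "app_errors">
    <cfset this.errorMailTo   = "oncall@example.com">
    <cfset this.errorMailFrom = "cf-errors@example.com">

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cfset var ex = arguments.exception>
        <cfset var report = "">

        <!--- cfabort (and cflocation, which aborts) can reach onError as an
              exception. Skip it rather than reporting it. The type string is an
              assumption: confirm it with a cfdump of the exception on a dev box. --->
        <cfif structKeyExists(ex, "type") and findNoCase("AbortException", ex.type)>
            <cfreturn>
        </cfif>

        <!--- Everything that can fail lives inside cftry: an error thrown by the
              handler itself would otherwise surface the original error page. --->
        <cftry>
            <cfset report = "Event: #arguments.eventName#" & chr(10)>
            <cfset report = report & "Type: #ex.type#" & chr(10)>
            <cfset report = report & "Message: #ex.message#" & chr(10)>
            <cfif structKeyExists(ex, "detail")>
                <cfset report = report & "Detail: #ex.detail#" & chr(10)>
            </cfif>
            <cfif structKeyExists(ex, "tagContext") and arrayLen(ex.tagContext) gt 0>
                <cfset report = report & "Location: #ex.tagContext[1].template# (line #ex.tagContext[1].line#)" & chr(10)>
            </cfif>
            <cfset report = report & "Request: #cgi.request_method# #cgi.script_name#" & chr(10)>
            <cfset report = report & "Client: #cgi.remote_addr#" & chr(10)>
            <!--- Deliberately left out: form, url, cookie and session scopes.
                  They can carry passwords or card numbers, and mail is not encrypted. --->

            <!--- Server-side record first; it survives even if mail fails. --->
            <cflog file="#this.errorLogFile#" type="error" text="#report#">

            <cfmail to="#this.errorMailTo#" from="#this.errorMailFrom#"
                    subject="[#this.name#] #ex.type#: #left(ex.message, 80)#">#report#</cfmail>

            <cfcatch type="any">
                <!--- Swallowed on purpose: the handler must never throw. --->
            </cfcatch>
        </cftry>

        <!--- What the user sees: a 500 status and a generic message, nothing
              about templates, line numbers, SQL or stack traces. --->
        <cftry>
            <cfheader statuscode="500" statustext="Internal Server Error">
            <cfcatch type="any"></cfcatch>
        </cftry>
        <cfoutput>
            <h1>Error</h1>
            <p>Sorry, something went wrong. The problem has been logged.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

The site-wide handler set in the Admin is just a plain .cfm template (its path is relative to the web root) and gets the same facts in the error scope (error.message, error.detail, error.diagnostics, error.template), so it should follow the same three steps: log, optionally mail, show a generic message. Never cfdump the error scope to the browser; that is the leak the Robust Exception setting was hiding.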
Archived Comments
Ray,
In the CF Admin it says:
Specify the relative path to a template to execute when ColdFusion encounters errors while processing a request.
Relative path to what?
Web root.
I should have been more specific.
Web root of the CFAdmin? Each web root in IIS?
Thanks Ray!
It is relative to the default web site's root. If you have multiple web roots/sites and need a different page for each site, you will have to create a default error page and use some redirection/includes to display the appropriate one. There are a couple of examples out there; I just can't remember where they are at the moment, but a Google search will probably pull them up.
We have individual servers for our intranet and extranet (obviously for access reasons), but we have two sites on each box. We install CF to the default site and have the actual intranet/extranet as its own site. That way we can limit access to the CFIDE, admin, etc. and just copy over any script files we need for the actual site.
Anyway, because of this we have multiple web roots. What I did was create a mapping in the CF admin, then I use that in my default error template paths.
So, if you have multiple site roots just create a cf mapping to a folder that will hold your error page(s) and if necessary use some url path detection to pull in the desired page.
Hope all of that makes sense.
Another good one if you are using CF7 is to take the time to read Charlie Arehart's article on sandbox security. At the very least, disable CFExecute and CFRegistry (if you are not making use of them); it takes about 30 seconds and makes security auditors sleep better at night :)
P.S. Earlier versions of CF (5 and older) disabled the administrator if you disabled CFRegistry.
I assume that it's ok to have my site wide error handler email me the necessary info (since that's done on the server side), while I just display a simple error to the end user.
What are your thoughts on emailing yourself a dump of the exception struct in email, which is unsecured, while showing the user a friendly message?
I'd have no problem emailing the error. I wouldn't email credit card info. :)
Dan: That's what I do. Well no, that isn't. I use cferror/onError. That to me is more specific to my application. I recommend the Site Wide Error thing as it's better than nothing and covers your whole box.
Does that make sense?
Thanks for the reminder, Ray.
Here's my errorHandler.cfm, what do you think?
http://cfzen.instantspot.co...
I just took a quick glance but seems ok to me. I need to standardize my own emails sometime. Perhaps in a cfe snippet.
Funny, right after I read this I tabbed over to cf-talk on houseoffusion.com and got this error:
(image link)
http://kamaimedia.com/funny...
Ray, thanks for the reminder. I have FINALLY implemented a site-wide error handler for my intranet at work.
I encountered some interesting issues (http://blog.nazin.com/index...) with config file handling, due to the special behavior of site-wide error handlers. Got it taken care of though.
An error in a site-wide error handler will cause the original error to show as if the site-wide error handler did not exist (as seen in the HoF example above).
Yeah, that can be a handy way to "abort" your error handler under certain situations, like I described in my blog post, i.e. if it can detect that you are on a development box.
Just last night I got an email from my error handler for a page that used cfabort... I haven't looked into it yet, but will cfabort trigger the site-wide error handler? If so, that is bad... I use cfabort from time to time, putting some logic at the top of a page and aborting if certain conditions aren't met....
Yep, I've seen that before. If you look at the exception type though, you will notice a specific string for cfabort. You can look for - and ignore - that error.