I'm not quite sure I'd call this a security risk, but it is something you should be aware of. I typically put this line in my open source applications to ensure that debug information doesn't show up, even if the server has debugging enabled in the ColdFusion Administrator:
<cfsetting showDebugOutput="false">
This suppresses the classic ColdFusion debugging information (template execution times, query SQL, scope variables and the like) from being appended to the page in the browser. However, it doesn't seem to work with the ColdFusion Ajax debugger. If the Ajax debugger is enabled in the ColdFusion Administrator and a request carries ?cfdebug=1 in the URL, the Ajax debugging window still shows up, even with the setting in place. In other words, the tag is not a complete guard: on a server where the Ajax debugger is on, anyone who appends ?cfdebug=1 can still see that output. (A bug is already filed with Adobe on this one.)
FYI - this was logged as bug 70324.
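As an added example (not code from the original post), here is how the setting is usually applied once for an entire application rather than on each page: a tag-based Application.cfc whose onRequestStart runs before every template. The component name and the boolean return are standard for Application.cfc; the comment about the Ajax debugger reflects the caveat described above.

```cfml
<!--- Application.cfc: suppress classic debug output on every request --->
<cfcomponent output="false">
    <cfset this.name = "myApp">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Hides the standard debugging information for this request,
              regardless of the Administrator's "Enable Request Debugging Output"
              setting. Runs before the requested template, so every page is covered. --->
        <cfsetting showDebugOutput="false">

        <!--- Caveat: this does NOT suppress the Ajax debugger. If the Ajax
              debugger is enabled in the Administrator, a request with
              ?cfdebug=1 in the URL still gets the Ajax debug window. --->

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Putting the tag in onRequestStart means a developer cannot forget it on an individual template, but it changes nothing about the Ajax debugger behaviour; the only reliable fix for that is to leave the Ajax debugger disabled in the Administrator on any server exposed to untrusted users.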
Archived Comments
70,000 bugs, man, CF IS DEAD!!
I just tried it on my local developer edition server and turning off the debugging output actually did work correctly, even with the AJAX debugger enabled...
But did you have ?Cfdebug=1 in the URL?
Yes, I did have ?cfdebug=1 in the URL.
Odd. My contact @ Adobe did verify it though.
After reading Sarge's blog post about this, I realized that I misunderstood your post. I thought you were indicating that the normal debugging information on the page wasn't being turned off with the setting when the page contained the AJAX debugger query parameter.
I now realize that you meant that the AJAX debugging information is still appearing regardless of the <cfsetting>. I apologize for my inability to read... ;-)
Whew - thought I was crazy there. ;)