I was recently contacted by a possible client who was looking for a code review. As part of my standard "playing around" I noticed that his site was throwing errors with the full path information revealed. As folks know, I always recommend you turn off Show Robust Exception Information on a production machine. There is no reason to use it in production, and no reason you need it if you use proper error handling. I informed the client of this (possible client, hope I get the job :) and he spoke with his host. I was shocked by the response:
I spoke with my CF web host, and they said they are the only ones who can disable Robust Exception Info in the CF Admin but that they won't do that because they use it to help clients debug their sites. I told him that they need a separate server (with it disabled) in addition to what appears to be this development server. Am I right? He claimed that users would only be able to find out the DNS (and snippets of code)...no security problem. I've used it, and I know it spits out quite a bit. I told him that a security expert told me I should disable it. He said he'd be glad to talk with you. What do you think?
Well, it is certainly true that your host is the only one who can change this if you are using shared hosting. What I found shocking, though, was their refusal to turn it off and their reason. Yes - the robust exception information is very useful. But if you want to use this information, use it where it makes sense: development. Not a live production server, where the information could be used against you. Those "snippets of code" could reveal things. For example, have you ever seen code like this:
<!--- foo is a valid, back door password --->
<cfif authenticate(u,p) or form.password is "foo">
The host has access to the log files, and the same exception details end up there. Those could be checked instead. This involves minimal additional work on the host's part. If they argue that the logs contain information from other sites on the box, show them the filtering options.
I'm suggesting to my client that they use error handling for now to address the issue. I'm also suggesting that they possibly move to a new host.
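One way to do that error handling, as an added example that is not code from the original post: an Application.cfc onError handler that writes the full exception detail (the same information Robust Exception Information would print to the browser) to a server-side log the host can read, and shows the visitor only a generic message. The application name and log file name are placeholders.

```cfml
<!--- Application.cfc (added example, not the original post's code).
      Assumes the CF service can write to its own logs directory
      and that "exampleApp" is a placeholder application name. --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" type="any" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cfset var detail = "">
        <cfset var tag = "">

        <!--- Build the record a developer or host needs: type, message,
              detail, failing template and line, and any SQL. This is what
              Robust Exception Info shows in the browser; here it goes to
              the server log instead. --->
        <cfset detail = "event=#arguments.eventName#; type=#arguments.exception.type#; message=#arguments.exception.message#">
        <cfif structKeyExists(arguments.exception, "detail")>
            <cfset detail = detail & "; detail=#arguments.exception.detail#">
        </cfif>
        <cfif structKeyExists(arguments.exception, "tagContext")
              and arrayLen(arguments.exception.tagContext) gt 0>
            <cfset tag = arguments.exception.tagContext[1]>
            <cfset detail = detail & "; template=#tag.template#; line=#tag.line#">
        </cfif>
        <cfif structKeyExists(arguments.exception, "sql")>
            <cfset detail = detail & "; sql=#arguments.exception.sql#">
        </cfif>

        <!--- Written to the CF logs directory as exampleApp.log, readable
              by the host and by the developer with log access. --->
        <cflog file="exampleApp" type="error" text="#detail#">

        <!--- The visitor sees none of it: no file paths, datasource names,
              SQL or code snippets. --->
        <cfoutput>
            <h1>Sorry, something went wrong.</h1>
            <p>The problem has been logged. Please try again later.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

onError does not catch errors in Application.cfc itself (for example a syntax error in this file), so it narrows the exposure rather than replacing the CF Administrator setting.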
Archived Comments
This may be a good post to demonstrate error handling (granularly or in application.cfc's onError) ;)
I've done so before (I'm pretty sure), but I can do another one later today, perhaps focusing on the 'super quick at least hide the crap' solution.
I haven't seen it mentioned before, but I think most developers have the same problem when it comes to error handling:
1) I need a verbose, 'show me everything that went wrong' PDF (or FlashPaper (for speed)) file, saved to the server. Something I can look at when I get home.
2) I need some basic information to 'get me thinking', sent to my phone (I have a Sprint Mogul that has weak HTML support).
The Coldfusion error types are conditional upon the type, and I found the docs and possibilities for error handling to be pretty complex.
Googling around, I did not see any detailed error handling functions out there. I'm sure someone has written one as part of a larger blog post on a separate problem, but I couldn't find this kind of handy "Util" when searching.
For reference, below are the CFCatch/CFTry docs (Note that the docs didn't even work when I tried 'em, per the comment):
http://livedocs.adobe.com/c...
http://livedocs.adobe.com/c...
It depends on the edition of the CF server.
If you use CF Enterprise edition with sandbox security, you would not need to worry about the security problem.
Shaji - can you clarify your comment please? How does being on a cf server w/ sandbox security make 'Show Robust Exception Info' more secure?
FYI, Leaving robust exception on a production system to "help clients debug their sites", while helpful, is a massive security hole. Even if they are limiting the visibility to client's static IPs, the fact that said clients would easily see debugging info on all other clients on the same server is chilling and unacceptable. If you stick with this hosting provider, I would suggest putting <CFSETTING SHOWDEBUGOUTPUT="No"> in your application framework to provide a bit of protection for your site.
Matt, this isn't about debug info. This is about error info. It is not the same. You can, and should, restrict debug info to a particular IP. But the 'robust exception info' is NOT IP restricted.
Oops...apologies...I misread the post and assumed we were talking about the debugging setting.
Ray,
Sorry for not clarifying my previous comment. You mentioned "... site was throwing errors with the full path information revealed. .... always recommend you turn off Show Robust Exception Information on a production machine.".
If using CF Enterprise edition with enabled sandbox security, do not bother to turn off 'Show Robust...' on the live production server.
Keep in mind that some people (e.g. inexperienced developers or newbies) do not always use error handling. This is one of the reasons that some hosting providers won't turn it off and allow their clients to debug their sites.
For CF Standard edition, 'Show Robust...' should be turned off. The worst part is that a SQL error reveals the SQL code information and even the datasource name.
Eh? You say:
"If using CF Enterprise edition with enabled sandbox security, do not bother to turn off 'Show Robust...' on the live production server."
Why? Why is it less secure? Why is it less bad? As far as I know, the server edition doesn't make it any less secure.