ColdFusion path disclosures - Vulnerability Database

ColdFusion path disclosures

Description

This vulnerability occurs when ColdFusion error messages are displayed to users without proper error handling, revealing sensitive system information such as absolute file paths, server configuration details, and internal directory structures. These verbose error messages typically appear when application exceptions are not caught or when debugging output is enabled in production environments.

Remediation

Implement the following measures to prevent path disclosure:

1. Disable debugging output in production: In the ColdFusion Administrator, navigate to Debugging & Logging > Debug Output Settings and ensure debugging is disabled for production environments.

2. Configure custom error pages: Set up site-wide error handlers in Application.cfc to catch and handle exceptions gracefully:

<cfcomponent output="false">
  <cfset this.name = "YourApp">
  <cffunction name="onError" returntype="void" output="true">
    <cfargument name="exception" required="true">
    <cfargument name="eventName" type="string" required="true">
    <!--- Log message and detail internally. Use CFML comments rather than HTML
          comments here: HTML comments are sent to the browser, CFML comments are not. --->
    <cflog file="application" type="error" text="#arguments.exception.message# - #arguments.exception.detail#">
    <!--- Show the user a generic page that contains no paths, line numbers or stack traces --->
    <cfinclude template="/errors/generic_error.cfm">
  </cffunction>
</cfcomponent>

3. Enable secure error handling: In ColdFusion Administrator, configure Settings > Error Handling to use custom error pages instead of default error templates.

4. Review and test: Audit all pages identified in the scan results and verify that error conditions display generic messages without revealing system paths or configuration details.
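For step 4, the following added example (not Invicti's scanner logic) shows how to check captured HTTP response bodies for the two things a ColdFusion path disclosure consists of: an absolute path ending in a CFML source file, and wording from the default ColdFusion error template. The regular expressions, the set of Unix root directories it accepts, and the sample responses are all assumptions constructed for the example; the marker phrases come from the default error template ("The error occurred in", the coldfusion.runtime.* exception class names, the "Debugging Information" debug output block).

```python
"""Flag ColdFusion error responses that leak filesystem paths or the default error template.

Added example, not part of the vulnerability database entry or Invicti's scanner.
Patterns are an assumption drawn from default ColdFusion error output; tune them
for your environment and feed it real response bodies from your own audit.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Windows absolute path ending in a CFML source file, e.g. C:\ColdFusion2021\cfusion\wwwroot\x.cfm
_WINDOWS_PATH = re.compile(
    r"\b[A-Za-z]:\\(?:[^\\\s<>]+\\)*[^\\\s<>]+\.(?:cfm|cfc|cfml)\b", re.IGNORECASE
)
# Unix absolute path under a common install root (assumed list) ending in a CFML file.
# Requiring a known root avoids flagging relative web paths such as href="/app/index.cfm".
_UNIX_PATH = re.compile(
    r"(?<![\w/.])/(?:opt|var|home|usr|srv|etc|Applications)/(?:[\w.-]+/)*[\w.-]+\.(?:cfm|cfc|cfml)\b",
    re.IGNORECASE,
)
# Wording that only appears when the default ColdFusion error/debug template reached the client.
_TEMPLATE_MARKERS = {
    "default-error-template": re.compile(r"The error occurred in\b"),
    "java-exception-class": re.compile(r"\bcoldfusion\.runtime\.\w+"),
    "debug-output": re.compile(r"\bDebugging Information\b"),
}


@dataclass
class Finding:
    url: str
    paths: List[str] = field(default_factory=list)
    markers: List[str] = field(default_factory=list)

    @property
    def leaks(self) -> bool:
        return bool(self.paths or self.markers)


def inspect_body(url: str, body: str) -> Finding:
    """Return the absolute paths and error-template markers present in one response body."""
    paths = _WINDOWS_PATH.findall(body) + _UNIX_PATH.findall(body)
    markers = [name for name, rx in _TEMPLATE_MARKERS.items() if rx.search(body)]
    return Finding(url=url, paths=sorted(set(paths)), markers=markers)


def audit(responses: Dict[str, str]) -> List[Finding]:
    """Inspect every (url -> body) pair and keep only the responses that leak something."""
    return [f for f in (inspect_body(u, b) for u, b in responses.items()) if f.leaks]


# Constructed sample responses (not captures from any real system): two pages that
# surface the default ColdFusion error template and one that shows a generic page.
SAMPLE_RESPONSES = {
    "https://app.example.test/orders.cfm?id=abc": (
        "<html><body><h1>Error Occurred While Processing Request</h1>"
        "<p>Error Executing Database Query.</p>"
        "<p>The error occurred in C:\\ColdFusion2021\\cfusion\\wwwroot\\orders\\orders.cfm: line 42</p>"
        "<p>coldfusion.runtime.DatabaseException</p></body></html>"
    ),
    "https://app.example.test/report.cfm": (
        "<html><body>The error occurred in /opt/coldfusion2021/cfusion/wwwroot/report.cfm: line 7"
        "</body></html>"
    ),
    "https://app.example.test/login.cfm": (
        "<html><body><p>Sorry, something went wrong. Reference ID: 7f3a9c</p></body></html>"
    ),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding.url, finding.paths, finding.markers)
```

The third sample response is what a correctly configured site-wide error handler should produce: a generic message with an opaque reference ID that an operator can correlate with the internal log, and nothing for the two pattern sets to match. Run the same check against every page the scan flagged after the remediation steps are applied; any remaining finding means the default template or debug output is still reaching clients.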
