ColdFusion Request Debugging information disclosure - Vulnerability Database

ColdFusion Request Debugging information disclosure

Description

The ColdFusion web application has Request Debugging enabled, which exposes detailed diagnostic information to all users. When enabled, this feature appends comprehensive technical data to page responses, including ColdFusion version numbers, execution times, database queries, variable scopes, server configuration details, and application stack traces. This debugging functionality is intended for development environments only and should never be active in production systems.

Remediation

Disable the Request Debugging feature immediately in production environments by accessing the ColdFusion Administrator:

1. Log into the ColdFusion Administrator panel
2. Navigate to 'Debugging & Logging' > 'Debug Output Settings'
3. Uncheck 'Enable Robust Exception Information' and 'Enable Request Debugging Output'
4. Click 'Submit Changes' to apply the configuration

If debugging is required for troubleshooting, restrict access exclusively to trusted IP addresses:

1. In the same 'Debug Output Settings' page, locate the 'IP Addresses' section
2. Add only specific administrator IP addresses to the allowed list (e.g., 192.168.1.100)
3. Ensure the debugging output is enabled only for these restricted IPs
4. Remove IP restrictions once troubleshooting is complete

Verify the changes by accessing the application from an unauthorized IP address to confirm no debugging information is displayed.
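One way to automate that verification step, as an added example that is not part of the original entry: a Python check that fetches a page from the address you are verifying from and looks for strings typical of the ColdFusion debug footer. The marker list and the helper names are assumptions; tune the markers to what your own server emits.

```python
"""Check HTTP responses for ColdFusion request-debugging output.

Hypothetical helper written for this entry; the marker strings are an
assumption based on the typical ColdFusion debug footer and should be
adjusted to match what your own server appends to pages.
"""
from urllib.request import Request, urlopen

DEBUG_MARKERS = (
    "Debugging Information",   # heading of the classic debug footer
    "Execution Time",
    "SQL Queries",
    "Scope Variables",
    "ColdFusion Server",
)

# Constructed sample bodies, not captured from a real server.
CLEAN_RESPONSE = "<html><body><h1>Welcome</h1></body></html>"
DEBUG_RESPONSE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    "<!-- appended by request debugging -->\n"
    "<table><tr><td>Debugging Information</td></tr>\n"
    "<tr><td>ColdFusion Server Enterprise 2021</td></tr>\n"
    "<tr><td>Execution Time: 12 ms</td></tr>\n"
    "<tr><td>SQL Queries: SELECT * FROM users</td></tr></table>"
)


def find_debug_markers(body: str) -> list:
    """Return the debug-footer markers present in a response body."""
    lowered = body.lower()
    return [m for m in DEBUG_MARKERS if m.lower() in lowered]


def is_debug_exposed(body: str, min_hits: int = 2) -> bool:
    """Flag the page only when several markers co-occur, so a page that
    merely mentions one of the terms in its content is not reported."""
    return len(find_debug_markers(body)) >= min_hits


def check_url(url: str, timeout: float = 10.0) -> bool:
    """Fetch a page and report whether debug output is still appended."""
    req = Request(url, headers={"User-Agent": "cf-debug-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, errors="replace")
    return is_debug_exposed(body)


if __name__ == "__main__":
    import sys
    print("debug output EXPOSED" if check_url(sys.argv[1]) else "no debug output detected")
```

Run it from a host that is not on the allowed IP list; a clean result there, together with a positive result from an allowed address, confirms the restriction works as intended.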
