Lucee Stacktrace Information Disclosure
Description
The Lucee web application server is configured to display detailed error stack traces to end users. When application errors occur, these stack traces expose sensitive technical information including internal file system paths, application structure, server configuration details, environment variables, and code execution flow. This verbose error handling is typically enabled during development but should be disabled in production environments.
Remediation
Disable verbose error reporting and stack trace display in production environments by configuring Lucee's error handling settings. In the Lucee Administrator, navigate to Settings > Error and set the error template to a custom error page that displays generic error messages to users while logging detailed errors server-side. Alternatively, modify the Application.cfc file to configure error handling programmatically:
    component {
        this.name = "YourApplication";
        this.customTagPaths = [];

        // Disable detailed error output: route all unhandled errors to a
        // custom template instead of Lucee's default stack-trace page
        this.errorSettings.template = "/path/to/custom-error.cfm";

        // Or use the onError handler, which runs for every unhandled exception
        function onError(exception, eventName) {
            // Log detailed error information server-side only
            // (detail is not set for every exception type, so default to "")
            writeLog(
                file = "application",
                type = "error",
                text = exception.message & " " & (exception.detail ?: "")
            );
            // Display a generic error page to the user; the stack trace stays in the log
            include "/path/to/generic-error.cfm";
        }
    }

Ensure all detailed error information is logged to secure server-side log files accessible only to authorized administrators, not displayed to end users.
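A quick way to confirm the remediation took effect is to fetch an error-triggering page in staging and inspect the response body for the tell-tale signs of a verbose Lucee error page: Java stack frames, Lucee exception class names and absolute server paths. The following Python function is an added example for this page, not part of the advisory or of Lucee itself; the marker patterns are assumptions about how a default Lucee error template typically renders, and the two response bodies are constructed samples.

```python
import re

# Assumed indicators of a verbose Lucee/Java error page (not an official list):
# the "Java Stacktrace" section heading, Java stack frames inside lucee.runtime,
# and Lucee exception class names.
STACKTRACE_MARKERS = {
    "java_stacktrace_heading": re.compile(r"Java Stacktrace", re.IGNORECASE),
    "lucee_stack_frame": re.compile(r"\bat\s+lucee\.runtime\.[\w.$]+\(\w+\.java:\d+\)"),
    "lucee_exception_class": re.compile(r"\blucee\.runtime\.exp\.\w+Exception\b"),
}

# Absolute Windows or POSIX paths ending in a CFML or Java source file,
# i.e. the internal file-system layout the advisory says should not leak.
PATH_PATTERN = re.compile(r"(?:[A-Za-z]:\\|/)[\w.\-\\/]+\.(?:cfm|cfc|java)\b")


def find_disclosure(body: str) -> dict:
    """Inspect one HTTP response body and report stack-trace disclosure.

    Returns a dict with:
      verbose  - True if any stack-trace marker was found
      markers  - names of the markers that matched
      paths    - de-duplicated absolute source paths found in the body
    """
    markers = [name for name, pattern in STACKTRACE_MARKERS.items() if pattern.search(body)]
    paths = sorted(set(PATH_PATTERN.findall(body)))
    return {"verbose": bool(markers), "markers": markers, "paths": paths}


# Constructed sample: what an unremediated server might return for a
# runtime error (layout modelled on a default Lucee error page, not captured
# from a real system).
VERBOSE_BODY = """<html><body>
<h1>Lucee Error (expression)</h1>
<table>
<tr><td>Message</td><td>variable [FOO] doesn't exist</td></tr>
<tr><td>Stacktrace</td><td>The Error Occurred in /var/www/app/webroot/index.cfm: line 12</td></tr>
<tr><td>Java Stacktrace</td><td>lucee.runtime.exp.ExpressionException: variable [FOO] doesn't exist
  at lucee.runtime.type.scope.UndefinedImpl.get(UndefinedImpl.java:445)
</td></tr>
</table></body></html>"""

# Constructed sample: the generic page a remediated server should return.
GENERIC_BODY = """<html><body>
<h1>Something went wrong</h1>
<p>The problem has been logged. Reference ID: placeholder-0001</p>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("before remediation", VERBOSE_BODY), ("after remediation", GENERIC_BODY)):
        result = find_disclosure(body)
        print(f"{label}: verbose={result['verbose']} markers={result['markers']} paths={result['paths']}")
```

In practice you would pass the body of a response fetched from a staging endpoint known to raise an exception (for example a page that references an undefined variable) and fail the deployment check if `verbose` is true or `paths` is non-empty; the function deliberately takes a string rather than performing the request so it can run in any test harness.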