Stack Trace Disclosure (ColdFusion) - Vulnerability Database

Stack Trace Disclosure (ColdFusion)

Description

The application exposes detailed stack trace information when errors occur, revealing internal implementation details about the ColdFusion environment. Stack traces typically include sensitive technical information such as physical file paths, code structure, framework versions, database connection details, and internal method calls. This information disclosure occurs when the application fails to properly handle exceptions and displays raw error messages directly to users instead of presenting generic error pages.

Remediation

Implement proper exception handling to prevent stack traces from being displayed to end users:

1. Configure ColdFusion error handling:
In your Application.cfc file, implement custom error handling:

<cfcomponent>
  <cfset this.name = "YourApplication">
  
  <cffunction name="onError" returnType="void">
    <cfargument name="exception" required="true">
    <cfargument name="eventName" type="string" required="true">
    
    <!--- Log the error details for debugging --->
    <cflog file="application_errors" 
           type="error" 
           text="#arguments.exception.message# - #arguments.exception.detail#">
    
    <!--- Display generic error message to user --->
    <cfinclude template="/errors/generic_error.cfm">
  </cffunction>
</cfcomponent>

2. Disable debugging output in production:
In ColdFusion Administrator, under Debugging & Logging > Debug Output Settings, ensure that "Enable Request Debugging Output" and "Enable Robust Exception Information" are both disabled for production environments; the latter is what appends physical template paths, SQL and Java stack traces to error pages.

3. Configure custom error pages:
Set up site-wide error templates in ColdFusion Administrator (Server Settings > Settings, "Site-wide Error Handler") or use the cferror tag. The cferror tag only applies to errors that occur after it has executed, so place it where it runs on every request, such as Application.cfm or onRequestStart in Application.cfc:
<cferror type="exception" template="/errors/exception.cfm">
<cferror type="request" template="/errors/request.cfm">
Note that a request error template cannot contain CFML tags; it may only display the limited set of error variables, so keep it static and generic.

4. Implement proper logging:
Log detailed error information to secure server-side log files that are not accessible via web requests, ensuring developers can still troubleshoot issues without exposing information to users.
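To confirm that the remediation above actually removed the details listed in the Description, it helps to have a repeatable check of the error responses a test environment returns. The following is an added example, not part of the Invicti page and not its scanner's detection logic: it classifies which kinds of internal detail an error page leaks (Java stack frames, coldfusion.* exception classes, physical template paths, JDBC driver prefixes, echoed SQL). The regexes are assumed indicators chosen for this example, and the two response bodies are constructed to resemble a raw cfquery error page before the fix and the generic page after it.

```python
"""Check HTTP error responses for ColdFusion stack-trace disclosure.

Added example: not Invicti's scanner logic and not part of the original page.
It classifies which kinds of internal detail an error page leaks so a team
can verify that the onError / cferror remediation actually removed them.
The two response bodies below are constructed for the example.
"""
import re

# Category -> regex. The shapes are typical of a raw ColdFusion error page
# (Java stack frames, coldfusion.* exception classes, physical template
# paths, [Vendor][... JDBC Driver] prefixes, echoed SQL); they are assumed
# indicators chosen for this example, not signatures from any product.
DISCLOSURE_PATTERNS = {
    "java_stack_frame": re.compile(
        r"^\s*at\s+[\w$.<>]+\([^()\n]+?\.(?:java|cfm|cfc):\d+\)", re.MULTILINE),
    "coldfusion_exception": re.compile(
        r"\bcoldfusion\.[\w$.]+(?:Exception|Error)\b"),
    # Windows drive paths or common Unix roots ending in a CFML/Java file.
    "physical_path": re.compile(
        r"(?:[A-Za-z]:\\|/(?:var|opt|home|usr|srv)/)"
        r"(?:[\w.\-]+[\\/])*[\w.\-]+\.(?:cfm|cfc|java)\b"),
    "jdbc_driver": re.compile(
        r"\[(?:Macromedia|Adobe|DataDirect)\]\[[^\]]*JDBC Driver\]"),
    "sql_statement": re.compile(
        r"\b(?:SELECT\s+[^<\n]+?\s+FROM\s+\w+|INSERT\s+INTO\s+\w+"
        r"|UPDATE\s+\w+\s+SET\b|DELETE\s+FROM\s+\w+)", re.IGNORECASE),
}


def classify_disclosure(body: str) -> dict:
    """Return {category: [matched snippets]} for every category present."""
    found = {}
    for category, pattern in DISCLOSURE_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(body)]
        if hits:
            found[category] = hits
    return found


def is_stack_trace_disclosure(body: str) -> bool:
    """A stack frame or a coldfusion.* exception class means the raw
    exception page reached the client; the other categories are context."""
    found = classify_disclosure(body)
    return "java_stack_frame" in found or "coldfusion_exception" in found


def scan_responses(responses) -> dict:
    """responses: iterable of (url, status, body). Returns {url: finding}
    for every response that leaks, regardless of HTTP status (a 200 with a
    stack trace in it is still a finding)."""
    findings = {}
    for url, status, body in responses:
        leak = classify_disclosure(body)
        if leak:
            findings[url] = {"status": status, "categories": sorted(leak)}
    return findings


# Constructed: what an unhandled cfquery error looks like with debugging on.
LEAKY_RESPONSE = r"""<html><body>
<h1>Error Occurred While Processing Request</h1>
<p>Error Executing Database Query.</p>
<p>[Macromedia][SQLServer JDBC Driver][SQLServer]Invalid column name 'custmer_id'.</p>
<p>SQL: SELECT custmer_id, total FROM orders WHERE id = 7</p>
<p>The error occurred in C:\inetpub\wwwroot\shop\orders\list.cfm: line 42</p>
<pre>
coldfusion.tagext.sql.QueryTag$DatabaseQueryException: Error Executing Database Query.
    at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:1234)
    at cforders2ecfm123456789.runPage(C:\inetpub\wwwroot\shop\orders\list.cfm:42)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
</pre>
</body></html>"""

# Constructed: the same failure after onError / cferror are in place.
CLEAN_RESPONSE = """<html><body>
<h1>Something went wrong</h1>
<p>We could not complete your request. Please try again later.</p>
<p>If the problem persists, quote reference 4f2c9a to support.</p>
</body></html>"""

if __name__ == "__main__":
    # Hypothetical URLs; in practice feed the bodies captured from a staging run.
    sample = [
        ("https://shop.example/orders?id=7", 500, LEAKY_RESPONSE),
        ("https://shop.example/orders?id=8", 500, CLEAN_RESPONSE),
    ]
    for url, finding in scan_responses(sample).items():
        print(f"{url}: HTTP {finding['status']} leaks {', '.join(finding['categories'])}")
```

Run it against bodies captured from a staging environment after deliberately triggering a handled error (for example a query against a missing column); a fixed application should produce no findings even though the status code is still 500. The "physical_path" pattern is deliberately limited to Windows drive paths and common Unix roots so that ordinary web-root links such as /errors/exception.cfm are not reported as leaks.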
