Information disclosure from host response

Issue

ColdFusion users have reported that under certain circumstances, the Tomcat server responds to requests with a verbose error report, which exposes limited technical information about the environment.

This issue can be resolved with the following workaround.

Workaround

  1. Stop ColdFusion server.

  2. Navigate to [Instance Home]\runtime\conf\server.xml.

    It is a good practice to back up server.xml before making changes.

  3. In the Host node, add the following:

    <Valve
        className="org.apache.catalina.valves.ErrorReportValve"
        showReport="false"
        showServerInfo="false"
    />

    You can also refer to the following Tomcat documentation:

  4. The updated server.xml file is shown below:

    <Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false">
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
        ...
    </Host>

  5. Restart ColdFusion.
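The following is an added example, not Adobe's or Tomcat's own code: a small audit script that parses a server.xml and reports any Host whose ErrorReportValve is missing or still leaves showReport or showServerInfo enabled, so you can confirm the workaround above was applied to every Host. It embeds a constructed sample server.xml so it runs offline; the audit_file() helper and the host names in the sample are assumptions for illustration.

```python
# Added example (not Adobe's or Tomcat's code): audit a Tomcat server.xml for the
# ErrorReportValve hardening. Point audit_file() at
# [Instance Home]\runtime\conf\server.xml to check a real ColdFusion instance.
import xml.etree.ElementTree as ET
from pathlib import Path

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: one Host with the hardened valve, one Host with no valve at all.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Host appBase="webapps2" name="internal.example"/>
    </Engine>
  </Service>
</Server>
"""


def audit_host(host):
    """Return a list of findings for one <Host> element (empty list = hardened)."""
    findings = []
    valves = [v for v in host.findall("Valve") if v.get("className") == ERROR_VALVE]
    if not valves:
        return ["no ErrorReportValve configured (Tomcat default: verbose error report)"]
    for valve in valves:
        # Tomcat defaults both attributes to true, so a missing attribute counts as exposed.
        for attr in ("showReport", "showServerInfo"):
            if valve.get(attr, "true").strip().lower() != "false":
                findings.append(f'{attr} is not "false"')
    return findings


def audit_server_xml(xml_text):
    """Map every Host name in the document to its list of findings."""
    root = ET.fromstring(xml_text)
    return {host.get("name", "?"): audit_host(host) for host in root.iter("Host")}


def audit_file(path):
    """Audit a server.xml on disk (assumed helper for real instances)."""
    return audit_server_xml(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for name, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(name, "OK" if not findings else "; ".join(findings))
```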

Custom error page

You can add a custom error page in ColdFusion (2018 release).

To customize the message, add the following:

errorCode.<Status Code>="Path to error page relative to the runtime folder"

For example, to customize the page for Error 500, add the errorCode.500 attribute to the <Valve/> element in server.xml:

<Valve
    className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false"
    showServerInfo="false"
    errorCode.500="../wwwroot/WEB-INF/exception/Error.html"
/>

You must create the custom error page and place it in the specified folder.
