Information disclosure from host response

Issue

ColdFusion users have reported that under certain circumstances, the Tomcat server responds to requests with a verbose error report, which exposes limited technical information about the environment.

This issue can be resolved with the following workaround.

Workaround

  1. Stop ColdFusion server.

  2. Navigate to [Instance Home]\runtime\conf\server.xml.

    It is a good practice to back up server.xml before making changes.

  3. In the Host node, add the following:

    <Valve
        className="org.apache.catalina.valves.ErrorReportValve"
        showReport="false"
        showServerInfo="false"
    />

    You can also refer to the following Tomcat documentation:

  4. The updated server.xml file is shown below:

    <Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false"> 
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/> 
    . 
    . 
    . 
    </Host>

  5. Restart ColdFusion.
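
To confirm the workaround is in place after editing, the following added example (not Adobe's or Tomcat's own code) parses server.xml and reports any Host whose ErrorReportValve is missing or still has showReport or showServerInfo enabled. The function name, the finding messages and the sample XML are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

def audit_server_xml(xml_data):
    """Return findings for Hosts whose error reports are still verbose ([] = OK)."""
    findings = []
    hosts = list(ET.fromstring(xml_data).iter("Host"))
    if not hosts:
        findings.append("no <Host> element found")
    for host in hosts:
        name = host.get("name", "?")
        # Only Valves that are direct children of the Host are considered.
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            findings.append(f"{name}: ErrorReportValve not declared, Tomcat defaults apply")
        for valve in valves:
            for attr in ("showReport", "showServerInfo"):
                # Tomcat treats both attributes as true when they are omitted.
                if valve.get(attr, "true").strip().lower() != "false":
                    findings.append(f"{name}: {attr} is not false")
    return findings

# Constructed sample inputs (not taken from a real installation).
_WRAP = ('<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">'
         '<Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false">'
         '{}</Host></Engine></Service></Server>')
SAMPLE_DEFAULT = _WRAP.format("")
SAMPLE_PARTIAL = _WRAP.format(f'<Valve className="{ERV}" showReport="false"/>')
SAMPLE_HARDENED = _WRAP.format(
    f'<Valve className="{ERV}" showReport="false" showServerInfo="false"/>')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # path to server.xml
            results = audit_server_xml(fh.read())
    else:
        results = audit_server_xml(SAMPLE_PARTIAL)
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

Run it with the path to server.xml as the only argument; a non-zero exit status means at least one Host still needs the Valve settings from step 3.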

Custom error page

You can add a custom error page in ColdFusion (2018 release).

To customize the message, add the following:

errorCode.<Status Code>="Path to error page relative to the runtime folder"

For example, to customize a page for Error 500, add the following in <Valve/> in server.xml.

<Valve
    className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false"
    showServerInfo="false"
    errorCode.500="../wwwroot/WEB-INF/exception/Error.html"
/>

You must create the custom error page and place it in the specified folder.
