Project: Lucee Development
LDEV-1217

exception-message HTTP header presents security risk of information disclosure

    Details

    • Type: Enhancement
    • Status: Deployed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2.7.16
    • Labels: None
    • Sprint: March 2018

      Description

      Hitting a site with a URL like so can expose the actual error message even if a "public" error template is specified:

      http://mysite.com/Application.cfc?method=hackmycf
      

      It produces the following HTTP header which reveals the error message to a potential hacker:

      exception-message:component [tests.Application] has no remote function with name [hackmycf]
      

      I put a ticket in for Railo back in the day that related to this, but it was never finished as there was a config setting planned so the user could control this. Another idea is to output the header in the development error template. That way, changing to a "public" or custom error handler will make the header go away.

      Note, Pete Freitag's Hack My CF service scans for this header and reports it as a security issue.
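As an added illustration (not code from the ticket or from Lucee itself), a small offline check a site owner can run over a captured response from their own server to confirm whether the `exception-message` header is still leaking past a public error template. The raw response below is constructed to mirror the ticket's example; the set of header names to flag is an assumption of this example.

```python
# Header names assumed (for this example) to carry server-side error detail;
# the one this ticket concerns is Lucee's `exception-message`.
DISCLOSURE_HEADERS = {"exception-message"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so the lookup is case-insensitive,
    matching how HTTP treats header names.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def find_leaks(raw: bytes):
    """Return (header, value) pairs that expose internal error detail.

    A leak is reported regardless of the body, because the point of the
    ticket is that a sanitised public error page does not stop the header.
    """
    _, headers, _ = parse_response(raw)
    return [(h, headers[h]) for h in sorted(DISCLOSURE_HEADERS) if h in headers]


# Constructed sample: a public error template in the body, but the header
# still carries the real message, as described in LDEV-1217.
SAMPLE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Exception-Message: component [tests.Application] has no remote "
    b"function with name [hackmycf]\r\n"
    b"\r\n"
    b"<h1>An unexpected error occurred</h1>"
)

if __name__ == "__main__":
    for name, value in find_leaks(SAMPLE):
        print(f"leak: {name}: {value}")
```

Until the fix version is deployed, a reverse proxy in front of Lucee can also drop the header before it reaches the client (nginx's `proxy_hide_header` directive does this), which this check will then confirm.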

              People

              • Assignee: Igal Sapir (21solutions)
              • Reporter: Brad Wood (bdw429s)