Details

    • Type: Bug
    • Status: Deployed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.5.5.006
    • Fix Version/s: 5.2.7.16
    • Labels: None
    • Environment:
      Lucee 4.5.5.006
      IIS 8.5
      Windows Server 2012 R2
      Tomcat 8.5.23
    • Sprint: March 2018

Description

I’ve been using Foundeo’s excellent HackMyCF scanning tool since the Railo days, and I have never been able to “fix” this scan result:

    Server is returning exception-message header

    The default error handler for Railo or Lucee will return a HTTP response header called exception-message with the exception error message. This header may contain information that should not be disclosed to the public such as file system paths or other information that should not be disclosed. Railo 4.2.1.004 partially fixes this by default. Configure your web server to remove or overwrite this header.
    More Information: http://jira.jboss.org/jira/browse/RAILO-3127

I know there was some work on this, as noted in the JIRA link, but it doesn’t seem to have progressed in Lucee.

Update:
FWIW, Pete Freitag suggested a workaround for IIS which works nicely:

    <!-- web.config: outbound rule for the IIS URL Rewrite module that blanks the
         exception-message response header before it reaches the client -->
    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="RemoveExceptionMessage">
            <match serverVariable="RESPONSE_exception-message" pattern="^(.*)$" />
            <action type="Rewrite" value="" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
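One way to confirm from the outside that the header is gone, added here as an example (it is not part of the issue, of Lucee, of HackMyCF or of the IIS workaround above): request a page that raises an exception and inspect the response headers for exception-message, which is the check behind the HackMyCF finding quoted above. The three sample responses in the block are constructed, not captured from a server, and the script name and target URL in the usage line are assumptions.

```python
"""Check whether a Lucee/Railo server leaks the exception-message response header.

Added example for this issue; it is not part of Lucee, HackMyCF or the IIS
workaround. The sample responses below are constructed.
"""
import http.client
import sys
import urllib.parse
from typing import Iterable, Optional

# Header that the HackMyCF finding "Server is returning exception-message header" looks for.
LEAKY_HEADER = "exception-message"


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response head (status line plus headers) into (name, value) pairs.

    Stops at the blank line that ends the header block, so a body may follow it.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("expected an HTTP status line first")
    pairs: list[tuple[str, str]] = []
    for line in lines[1:]:
        if line == "":
            break  # blank line: end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def leaked_exception_message(headers: Iterable[tuple[str, str]]) -> Optional[str]:
    """Return the exception-message value if the response discloses one, else None.

    Header names are compared case-insensitively. A header that is present but
    empty carries no exception text, so it is not reported as a disclosure.
    """
    for name, value in headers:
        if name.lower() == LEAKY_HEADER and value:
            return value
    return None


def check_url(url: str, timeout: float = 10.0) -> Optional[str]:
    """GET a URL (ideally one known to raise an exception) and return any leaked message."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "exception-message-check"})
        resp = conn.getresponse()
        return leaked_exception_message(resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLE_LEAK = (  # unprotected Lucee: the exception text, with a path, reaches the client
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Exception-Message: key [CUSTOMERID] doesn't exist in C:\\inetpub\\wwwroot\\app\\order.cfm\r\n"
    "\r\n"
)
SAMPLE_BLANKED = (  # header still present but its value has been rewritten to nothing
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "exception-message: \r\n"
    "\r\n"
)
SAMPLE_CLEAN = (  # header removed entirely
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Assumed usage: python check_exception_header.py https://host/page-that-errors.cfm
    for target in sys.argv[1:]:
        message = check_url(target)
        print(f"{'LEAK' if message else 'ok  '} {target} {message or ''}")
```

Point it at a URL that really throws (a page referencing an undefined variable, say) rather than at a 200 page, because the header is only emitted by the error handler; a clean result on a page that never errors proves nothing.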

              People

    • Assignee: Igal Sapir
    • Reporter: Jay Bigam
    • Votes: 2
    • Watchers: 6
