Check: CF11-06-000222
Adobe ColdFusion 11 STIG:
CF11-06-000222
(in versions v2 r1 through v1 r2)
Title
The ColdFusion error messages must be restricted to only authorized users. (Cat II impact)
Discussion
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.
Check Content
Within the Administrator Console, navigate to the "User Manager" page under the "Security" menu. Review each defined user and ask the SA if the user should have access to read error messages. For each user that should not be able to read error messages, review the roles assigned to the user account. If any user has the Debugging and Logging>Logging role that should not be able to read error messages, this is a finding.
Fix Text
Navigate to the "User Manager" page under the "Security" menu. Remove the "Debugging and Logging>Logging" role from each user that should not have access to read error messages.
Additional Identifiers
Rule ID: SV-237231r641788_rule
Vulnerability ID: V-237231
Group Title: SRG-APP-000267-AS-000170
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001314 |
Reveal error messages only to organization-defined personnel or roles. |
Controls
Number | Title |
---|---|
SI-11 |
Error Handling |