I'm not quite sure I'd call this a security risk, but it is something you should be aware of. I typically use this line in my open source applications to ensure that debug information doesn't show up, even if the server has it enabled:
1 <cfsetting showDebugOutput="false">
This will suppress any debugging information from showing up in the browser. However - it doesn't seem to work with ColdFusion Ajax debugger. If the Ajax debugger is enabled in the ColdFusion Administrator and if you pass ?cfdebug=1 in the URL, it will always show up, even with the setting. (A bug is already filed with Adobe on this one.)
FYI - this was logged as bug 70324.
Comment 1 written by Nick on 15 August 2007, at 9:49 AM
Comment 2 written by Richard Davies on 15 August 2007, at 10:55 AM
Comment 3 written by Raymond Camden on 15 August 2007, at 11:06 AM
Comment 4 written by Richard Davies on 15 August 2007, at 12:06 PM
Comment 5 written by Raymond Camden on 15 August 2007, at 12:33 PM
Comment 6 written by Richard Davies on 16 August 2007, at 11:35 AM
I now realize that you meant that the AJAX debugging information is still appearing irregardless of the <cfsetting>. I apologize for my inability to read... ;-)
Comment 7 written by Raymond Camden on 16 August 2007, at 12:15 PM
[Add Comment] [Subscribe to Comments]