April 9, 2013

Securing GraphData.cfm

Recently, some security audit testers have insisted that the error screen NOT BE SHOWN when /CFIDE/GraphData.cfm is called. They obtained the URL from one of our graph reports, which usually has a query string appended to it when called with CFCHART.

The resulting page is as attached, a JRun Servlet Error 500 Internal Server Error page. They have categorized this under "Weaknesses in Error Handling mechanism" and insist that it should be improved.

My question is:

Without messing about with

1) IIS MOD REWRITE, or

2) Engaging complicated methods to generate a CFCHART image (i.e. generating the CFCHART, saving it to a temporary directory, and re-displaying it without going through GraphData.cfm)

Is there a way to get ColdFusion to not display this error when the URL in question is called?

    1 reply

    Inspiring
    April 9, 2013

    You can write an onError() function in your Application.cfc file. 

    yui8979Author
    Inspiring
    April 9, 2013

    Site handlers have been tried unsuccessfully. If you've noticed, the call to GraphData.cfm is via ColdFusion's own /CFIDE/.

    Why doesn't Adobe just handle the error properly since it is the one that created the GraphData.cfm alias?

    pete_freitag
    Participating Frequently
    April 10, 2013

    Since this error is thrown from a Servlet, not CFML, the CFML error handlers won't work. You would need to use the error handling capabilities of the Servlet engine, e.g. add a custom error-page tag to the web.xml file, see: http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet12.htm

    --

    Pete Freitag

    Foundeo Inc. Makers of HackMyCF and FuseGuard
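
The servlet-level error page suggested in the answer above, as an added example that is not part of the original thread. It uses the standard Servlet `error-page` deployment descriptor element; the location `/errors/500.html` is an assumed path to a static page you create inside the web application, and which `web.xml` serves `/CFIDE/GraphData.cfm` depends on your installation.

```xml
<!-- Added example: fragment for the web.xml of the web application
     that serves /CFIDE/GraphData.cfm. -->
<!-- /errors/500.html is an assumed path, not a value from the thread.
     <location> must start with "/" and is resolved against the web
     application root. -->
<!-- In a Servlet 2.3 (DTD-validated) descriptor, error-page elements
     go after welcome-file-list and before taglib. -->

<!-- Replace the container's default 500 Internal Server Error page. -->
<error-page>
    <error-code>500</error-code>
    <location>/errors/500.html</location>
</error-page>

<!-- Also catch exceptions that propagate out of the servlet itself,
     so no stack trace or servlet class name reaches the client. -->
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/500.html</location>
</error-page>
```

Keep the target page static and free of version strings or stack traces, restart the server after editing, and re-request the URL the auditors used to confirm that the generic page is returned instead of the JRun error screen.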