
Securing GraphData.cfm

Explorer, Apr 08, 2013

Recently, some security audit testers have insisted that the error screen NOT BE SHOWN when /CFIDE/GraphData.cfm is called. They obtained the URL from one of our graph reports, which usually has a query string appended to it when called with CFCHART.

The resulting page is as attached, a JRun Servlet Error 500 Internal Server Error page. They have categorized this under "Weaknesses in Error Handling mechanism" and insist that it should be improved.

Screenshot - 9_4_2013 , 11_42_13 AM.png

My question is:

Without messing about with

1) IIS MOD REWRITE, or

2) engaging complicated methods to generate a CFCHART image (i.e. generating the CFCHART, saving it to a temporary directory, and re-displaying it without going through GraphData.cfm),

is there a way to get ColdFusion to not display this error when the URL in question is called?

LEGEND, Apr 09, 2013

You can write an onError() function in your Application.cfc file. 

Explorer, Apr 09, 2013

Site handlers have been tried unsuccessfully. If you've noticed, the call to GraphData.cfm is via ColdFusion's own /CFIDE/.

Why doesn't Adobe just handle the error properly since it is the one that created the GraphData.cfm alias?

Enthusiast, Apr 10, 2013

Since this error is thrown from a Servlet, not CFML, the CFML error handlers won't work. You would need to use the error handling capabilities of the Servlet engine, e.g. add a custom error-page tag to the web.xml file, see: http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet12.htm

--

Pete Freitag

Foundeo Inc. Makers of HackMyCF and FuseGuard
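
A sketch of the servlet-level error page described in the answer above, added here as an example; it is not part of the original thread and not Adobe's shipped configuration. The location /errors/500.html is a hypothetical static page, and mapping both the 500 status and uncaught exceptions is an assumption about what the audit finding requires.

```xml
<!-- Fragment for the web.xml deployment descriptor of the web application
     that serves /CFIDE/GraphData.cfm. Added example; the /errors/ path
     is a hypothetical static page you create yourself. -->
<web-app>
  <!-- ... existing servlet, servlet-mapping, welcome-file-list entries ... -->

  <!-- Container-generated 500 responses get a generic page instead of
       the default servlet error page. -->
  <error-page>
    <error-code>500</error-code>
    <location>/errors/500.html</location>
  </error-page>

  <!-- Uncaught exceptions that escape the servlet get the same page. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/500.html</location>
  </error-page>

  <!-- In DTD-based descriptors (Servlet 2.3) element order is enforced:
       error-page comes after welcome-file-list and before taglib. -->
</web-app>
```

Keep the target a static file that contains no stack trace, version string or file path, so the error page cannot itself fail or disclose details. After restarting the server, re-request the GraphData.cfm URL without its query string and confirm the response body is the generic page.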
