Sent this yesterday and got no responses. Trying again today, maybe with
all the security talk somebody will have an answer.

I'd like to be able to completely (or as completely as possible) conceal
what technology is running my web application (with extensionless URLs,
renamed and/or encrypted CFID/CFTOKEN identifiers, modified web server
identification headers, etc.) I'm not trying to accomplish security through
obscurity; I view this as just an additional layer of abstraction. I'd like
to get rid of all information leaks that identify the web/app servers since
the user has no need for that information.

My question: on CFMX 6.1 if I feed in a query string containing an invalid
URL character encoding (like "%zz"), I get a 500 Internal Server Error
response back identifying itself as a JRun servlet error. For example,
requesting this:

>page.cfm?test=%zz

produces the response:

><head><title>JRun Servlet Error</title></head><h1>500 null</h1><body>
></body>

Is it possible to modify the error handler that is producing this response?
One solution that would deal with this situation as well as all other
responses not coming from within my application or my own error handler
would be to add a filter at the web server that checks all responses for a
certain custom header, and redirects/rewrites them if that header is not
present.

I've poked around in /CFusionMX/wwwroot/WEB-INF/web.xml, and I see the
following two entries, but they don't appear to correspond to the error I'm
getting back. I think those point to the standard templates for unhandled
errors within java/Cold Fusion.

><error-page>
>         <exception-type>java.lang.Throwable</exception-type>
>         <location>/WEB-INF/exception/java/lang/Exception.cfm</location>
></error-page>
><error-page>
>         <error-code>500</error-code>
>         <location>/WEB-INF/exception/java/lang/Exception.cfm</location>
></error-page>

Thanks,
Conan
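The front-end filter Conan sketches (check every response for a custom header the application sets, replace anything that lacks it) is shown below as an added example; it is not code from the thread, from ColdFusion or from JRun. It is written as Python WSGI middleware purely to illustrate the approach, with a constructed `fake_backend` standing in for CFMX/JRun and an assumed marker header name `X-App-Handled` that the application's own templates and error handler would add. Two layers are demonstrated: a pre-check that rejects malformed percent-encoding such as `%zz` with a generic 400 before the backend parses it (useful if the container produces its "500 null" page before any application code or in-process filter runs), and a post-check that replaces any unmarked response with a generic page while preserving only the numeric status code.

```python
"""Added example (not from the original thread): a response-scrubbing filter
in the style described, as WSGI middleware placed in front of the application."""
import re
from http import HTTPStatus

# Assumed marker header: the application's own templates and error handler add it
# to every response they produce.  Anything without it is treated as a
# container- or web-server-generated page and replaced.
MARKER_HEADER = "X-App-Handled"
IDENTIFYING_HEADERS = {"server", "x-powered-by", MARKER_HEADER.lower()}

GENERIC_BODY = (b"<html><head><title>Error</title></head>"
                b"<body><h1>An error occurred</h1></body></html>")

# A '%' must be followed by exactly two hex digits; "%zz" from the thread fails this.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def has_malformed_percent_encoding(query_string):
    """True if the query string contains a '%' not followed by two hex digits."""
    return _BAD_PCT.search(query_string) is not None


def generic_status(status_line):
    """Keep the numeric code but use the standard reason phrase
    (JRun's '500 null' becomes '500 Internal Server Error')."""
    code = status_line.split(" ", 1)[0]
    try:
        return f"{code} {HTTPStatus(int(code)).phrase}"
    except ValueError:
        return "500 Internal Server Error"


class ResponseScrubber:
    """WSGI middleware: pre-validate the query string, post-validate the response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Layer 1: reject malformed encodings before the backend ever parses them.
        if has_malformed_percent_encoding(environ.get("QUERY_STRING", "")):
            return self._generic(start_response, "400 Bad Request")

        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
            return lambda data: None   # the write() callable is not used here

        body = b"".join(self.app(environ, capture))
        status = captured.get("status", "500 Internal Server Error")
        headers = captured.get("headers", [])

        # Layer 2: anything the application did not mark is replaced wholesale.
        if not any(k.lower() == MARKER_HEADER.lower() for k, _ in headers):
            return self._generic(start_response, generic_status(status))

        # Marked response: pass it through minus the marker and identifying headers.
        clean = [(k, v) for k, v in headers if k.lower() not in IDENTIFYING_HEADERS]
        start_response(status, clean)
        return [body]

    @staticmethod
    def _generic(start_response, status):
        start_response(status, [("Content-Type", "text/html"),
                                ("Content-Length", str(len(GENERIC_BODY)))])
        return [GENERIC_BODY]


def fake_backend(environ, start_response):
    """Constructed stand-in for CFMX/JRun: /broken.cfm yields the JRun page
    quoted in the thread, any other path a marked application page."""
    if environ.get("PATH_INFO", "").endswith("/broken.cfm"):
        start_response("500 null", [("Content-Type", "text/html"),
                                    ("Server", "JRun Web Server")])
        return [b"<head><title>JRun Servlet Error</title></head><h1>500 null</h1><body></body>"]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Server", "JRun Web Server"),
                              (MARKER_HEADER, "1")])
    return [b"<html><body>hello</body></html>"]


def call(app, path, query=""):
    """Invoke a WSGI app with a minimal environ; return (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body


if __name__ == "__main__":
    scrubbed = ResponseScrubber(fake_backend)
    for path, query in [("/page.cfm", "test=%zz"), ("/broken.cfm", ""), ("/page.cfm", "test=%41")]:
        status, headers, body = call(scrubbed, path, query)
        print(path, query, "->", status, headers, body[:40])
```

Stripping the marker header on the way out matters: if it reached the client it would itself be a fingerprint. The same idea can be implemented as a servlet `Filter` inside JRun or as a rewrite rule in the fronting web server; where the container generates the error page itself, only a component in front of it can catch the response.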