Information Medium Vega has detected content that corresponds to verbose debugging output from a ColdFusion server. This output can contain sensitive information which could make other attacks easier. System configuration settings, absolute file paths, and other information may be disclosed. If Robust Exception Information is enabled, this data could include SQL statements and detailed information about the application error. The error itself may indicate a vulnerability. ColdFusion can and should be configured to limit the output of debug data when errors occur. This is managed in the ColdFusion Administrator, the "Debugging and Logging" section. For production servers, the ColdFusion 9 Lockdown Guide recommends disabling "Robust Exception Information". For production servers, the ColdFusion 9 Lockdown Guide recommends disabling "AJAX Debug Log Window". For production servers, the ColdFusion 9 Lockdown Guide recommends disabling "Request Debugging Output". If absolutely necessary, ColdFusion can be configured to restrict debugging output to specific IP addresses. This can be also be managed from the ColdFusion Administrator, on the Debugging IP Addresses page. The developers should investigate the error to ensure that it is not linked to a security vulnerability. Vega has detected content that matches the verbose error data output by servers running ColdFusion configured to send debug data to remote clients. The information in this output is sensitive: it can include absolute system paths, system configuration settings, information about the application code structure, system patchlevels, database queries, and database configuration settings. For production servers, it is strongly recommended that the debug output configuration options be disabled. The ColdFusion 9 lockdown guide recommends turning all of the settings off and provides instructions for doing so. The information obtained from this error page could increase the likelihood of success of another attack. Finally, the error itself should be investigated for security implications. ColdFusion 9 Lockdown Guide (Adobe) Using the ColdFusion Administrator: Debugging and Logging section Information Leakage (OWASP) Information Leakage (WASC)