Using Robust Exception Information On A Shared Host
I was recently contacted by a possible client who was looking for a code review. As part of my standard "playing around" I noticed that his site was throwing errors with the full path information revealed. As folks know, I always recommend you turn off Show Robust Exception Information on a production machine. There is no reason to use it in production, and no reason you need it if you use proper error handling.

I informed the client of this (possible client, hope I get the job :) and he spoke with his host. I was shocked by the response:

"I spoke with my CF web host, and they said they are the only ones who can disable Robust Exception Info in the CF Admin but that they won't do that because they use it to help clients debug their sites. I told him that they need a separate server (with it disabled) in addition to what appears to be this development server. Am I right? He claimed that users would only be able to find out the DNS (and snippets of code)...no security problem. I've used it, and I know it spits out quite a bit. I told him that a security expert told me I should disable it. He said he'd be glad to talk with you. What do you think?"

Well, it is certainly true that your host is the only one who can change this if you are using shared hosting. What I found shocking though was their refusal to turn it off and their reason. Yes - the robust exception information is very useful. But if you want to use this information, use it where it makes sense: development. Not a live production server where the information could be used against you.
Those "snippets of code" could reveal things. For example, have you ever seen code like this:
<!--- foo is a valid, back door password --->
<cfif authenticate(u,p) or form.password is "foo">
The host has access to the log files. Those could be checked instead, which involves minimal additional work on the host's part. If they argue that the logs contain information from other sites on the box, show them the filtering options.
I'm suggesting to my client that they use error handling for now to address the issue. I'm also suggesting that they consider moving to a new host.
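As an added illustration of the error handling I mean (example code, not taken from the client's site or from the original article), here is an Application.cfc onError method that writes the full exception detail, including the template path, to a server-side log and shows the visitor only a generic message. The application name and log file name are placeholders.

```cfml
<!--- Application.cfc (example): keep exception detail in the server log, never in the browser --->
<cfcomponent output="false">
    <cfset this.name = "exampleApp">

    <cffunction name="onError" returntype="void" output="true">
        <cfargument name="exception" type="any" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cfset var detail = "">

        <!--- Assemble the sensitive part: message, detail, and the failing template path --->
        <cfset detail = "Event: " & arguments.eventName & " | Message: " & arguments.exception.message>
        <cfif structKeyExists(arguments.exception, "detail")>
            <cfset detail = detail & " | Detail: " & arguments.exception.detail>
        </cfif>
        <cfif structKeyExists(arguments.exception, "tagContext") and arrayLen(arguments.exception.tagContext)>
            <cfset detail = detail & " | At: " & arguments.exception.tagContext[1].template
                & " line " & arguments.exception.tagContext[1].line>
        </cfif>

        <!--- Written to appErrors.log in the CF logs directory, where only the host/admin can read it --->
        <cflog file="appErrors" type="error" text="#detail#">

        <!--- What the visitor sees: no paths, no SQL, no code snippets --->
        <cfoutput>
            <h1>Something went wrong</h1>
            <p>The problem has been logged. Please try again later.</p>
        </cfoutput>
    </cffunction>
</cfcomponent>
```

With this in place the browser never receives the path and snippet information that Robust Exception Information would otherwise emit, even while the host leaves the admin setting on.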
About the Author:
Raymond Camden, ray@camdenfamily.com
http://ray.camdenfamily.com
Raymond Camden is Vice President of Technology for roundpeg, Inc. A long time ColdFusion user, Raymond has worked on numerous ColdFusion books and is the creator of many of the most popular ColdFusion community web sites. He is an Adobe Community Expert, user group manager, and the proud father of three little bundles of joy.