ColdFusion must have the Tomcat DefaultServlet debug parameter disabled.

Severity: medium
Group ID: V-279071
Group Title: SRG-APP-000266-AS-000169
Version: APAS-CF-000510
Rule ID: SV-279071r1171608_rule
Date: 2025-12-19
STIG Version: 1

Description

Any application that puts too much information into error logs or into administrative messages shown on screen risks compromising the data and security of the application and the system. The structure and content of error messages must be carefully considered by the organization and the development team. The release of Tomcat bundled with ColdFusion can be configured to emit Tomcat-specific debug messages; if that setting is left enabled, it can expose sensitive data in error and log messages.

Check

Review the debug parameter for the DefaultServlet and verify it is disabled.

1. Locate the web.xml file for each ColdFusion instance, located at:
   <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
2. Open the web.xml file in a text editor.
3. Search for the following servlet definition:

   <servlet>
     <servlet-name>default</servlet-name>
     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>

4. Within this block, locate the <init-param> whose <param-name> element is debug.
5. Verify the corresponding <param-value> is set to 0. For example:

   <init-param>
     <param-name>debug</param-name>
     <param-value>0</param-value>
   </init-param>

If the debug parameter is set to any value other than 0, or is not explicitly defined, this is a finding.

Fix

Configure the DefaultServlet to disable debug output.

1. Open the web.xml file located at:
   <ColdFusion_Installation_Directory>\cfusion\runtime\conf\web.xml
2. Locate the DefaultServlet definition and ensure the debug parameter is set as follows:

   <init-param>
     <param-name>debug</param-name>
     <param-value>0</param-value>
   </init-param>

3. Save the changes and restart ColdFusion to apply the configuration.

Tomcat's own default for this parameter is 0, so an absent entry does not turn debug output on, but the rule requires the value to be present explicitly: add the <init-param> block if it is missing rather than relying on the default. Repeat the change in the web.xml of every ColdFusion instance, since the Check is applied per instance.