Whatever message this page gives is out now! Go check it out!
Information disclosure from host response
Last update:
May 18, 2026
Issue
ColdFusion users have reported that under certain circumstances, the Tomcat server responds to requests with a verbose error report, which exposes limited technical information about the environment.
This issue can be resolved with the following workaround.
Workaround
- Stop ColdFusion server.
- Navigate to [Instance Home]\runtime\conf\server.xml.It is a good practice to back up server.xml before making changes.
- In the Host node, add the following
<Valve
className="org.apache.catalina.valves.ErrorReportValve"
showReport="false"
showServerInfo="false"
/>- You can also refer to the following Tomcat documentation:
- Tomcat docs for configuring Valve - ColdFusion (2018 release)
- Tomcat docs for configuring Valve - ColdFusion (2016 release)
- The updated server.xml file is shown below:
<Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false">
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
.
.
.
</Host>- Restart ColdFusion.
Custom error page
You can add a custom error page in ColdFusion (2018 release).
To customize the message, add the following:
errorCode.<Status Code>="Path to error page relative to the runtime folder"
For example, to customize a page for Error 500, add the following in <Valve/> in server.xml.
<Valve
className="org.apache.catalina.valves.ErrorReportValve"
showReport="false"
showServerInfo="false"
errorCode.500="../wwwroot/WEB-INF/exception/Error.html"
/>You must create the custom error page and place in the specified folder.
We're glad. Tell us how this page helped.
We're sorry. Can you tell us what didn't work for you?
Share additional feedback to help us improve.
0/255
|
