
ColdFusion debug information using mode=debug

ColdFusion allows you to see important debug information by placing a URL parameter mode=debug in any ColdFusion URL. Learn about this and how to turn it off.

You can turn on the viewing of debug information by using the debug settings page in the ColdFusion Administrator. You can also restrict the debug information to certain IP addresses. Another option is to use the URL parameter mode=debug. The URL would look like this: www.allaire.com?mode=debug. This URL will display debug information whether you have debug information turned on or off in the Administrator.

The above settings are valuable tools while developing and maintaining a ColdFusion site. Be aware, however, that anyone can add mode=debug to a URL and see the debug information. The information is not a direct security risk but could help someone with bad intentions. To eliminate the ability for anyone to type mode=debug, do the following:

  1. Go into Debugging IPs in the ColdFusion Administrator.
  2. Go to the box that states: Restrict debug output to selected IP addresses.
  3. Enter only one IP Address - 127.0.0.1.
  4. Click Add.
  5. Click Apply.
  6. Restart ColdFusion.

Note: The links and steps for adding IP addresses for debug output vary slightly between versions of ColdFusion, so the steps above may need to be adjusted based on the version being configured.

Adding specific IP addresses will restrict the use of mode=debug. This should be done on all production machines.
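
One way to audit web server access logs for mode=debug requests coming from addresses that are not on the Debugging IPs list. This is an added example, not code from Adobe or from this technote. It assumes common/combined-format access logs; the function names, the allow-list constant and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: only these addresses are listed under Debugging IPs.
ALLOWED_DEBUG_IPS = {"127.0.0.1"}

# Common/combined log format: client IP first, then the quoted request line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def requests_debug_mode(target):
    """True if the request target carries mode=debug as a query parameter."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names and values, so mode=%64ebug is caught.
    # Matching is case-insensitive to stay on the conservative side.
    return any(name.lower() == "mode" and value.strip().lower() == "debug"
               for name, value in parse_qsl(query, keep_blank_values=True))

def find_debug_requests(lines, allowed=ALLOWED_DEBUG_IPS):
    """Return (ip, target, status) for mode=debug requests from unlisted clients."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log format
        if m["ip"] not in allowed and requests_debug_mode(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '127.0.0.1 - - [22/May/2008:10:00:01 +0000] "GET /index.cfm?mode=debug HTTP/1.0" 200 5120',
    '192.0.2.10 - - [22/May/2008:10:00:05 +0000] "GET /index.cfm?id=4 HTTP/1.0" 200 2048',
    '198.51.100.7 - - [22/May/2008:10:01:12 +0000] "GET /index.cfm?id=4&Mode=DEBUG HTTP/1.0" 200 6144',
    '203.0.113.9 - - [22/May/2008:10:02:30 +0000] "GET /search.cfm?q=mode%3Ddebug HTTP/1.0" 200 1024',
    '203.0.113.9 - - [22/May/2008:10:02:41 +0000] "GET /index.cfm?mode=%64ebug HTTP/1.0" 200 6100',
]

if __name__ == "__main__":
    for ip, target, status in find_debug_requests(SAMPLE_LOG):
        print(f"{ip} requested {target} (status {status})")
```

A hit shows only that the parameter was requested from an unlisted address; whether debug output was returned depends on the Debugging IPs setting on that server.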




Doc ID
(tn_17642)

Last updated
2008-05-22
