Coldfusion JSP 404 errors cause JRun errors instead of IIS

Hi there -

We had a vulnerability test done, and our coldfusion content was dinged for showing detailed JRun error messages. Except we don't... unless you go to a nonexistent JSP file on the server, or something nonexistent inside the /servlet folder.

If you do that, you get a very ugly 404 and stacktrace from JRun:

/ThisIsReallyRidiculous.jsp /ThisIsReallyRidiculous.jsp
      at jrun.servlet.file.FileServlet.service(
      at jrun.servlet.ServletInvoker.invoke(
      at jrun.servlet.JRunInvokerChain.invokeNext(
      at jrun.servlet.JRunRequestDispatcher.invoke(
      at jrun.servlet.ServletEngineService.dispatch(
      at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(
      at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(

Here's the text of the report:

Vulnerability: ISAPI services enabled on

Description: ISAPI filters and extensions are used to modify or enhance the functionality provided by IIS. Some versions of IIS enable unnecessary filters and extensions by default, and these services have been shown to be historically insecure. It is considered good security practice to remove unneeded components, especially those with a poor track record.

Vulnerability: Verbose Jrun error messages enabled on,, and

Description: A detailed JRun error message was discovered. Detailed error messages can include diagnostics, path and OS information, software versions, and other sensitive information of use to attackers.

None of the suggestions we were given by the consultant helped resolve the problem. Does anyone have any suggestions on getting rid of this thing?

Our environment is CF8 & IIS 2003

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You could try catching it with CFError and logging it internally with a custom error page. That's pretty odd that you get a exception, possible its a cf8 bug with robust exceptions ignoring that type of nested exception. Is that the whole trace?
You might try the suggestions here:

ie  Add the following to your web.xml file and restart the cf server.  I believe you can use exception-type or error-code and obviously whatever error page you want.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

> Some other sites that have the same problem:

That's a little embarrassing...  there's no .cfm error page handler either.  

Anyway, try the suggestion above.  It should do the trick. I assume you already have separate 404 handlers for your cf apps.
kcmurphy1Author Commented:

I had that the code from the first link in both default-web.xml and web.xml, but the one using exception-type was only in default.

Copying it to web.xml made it work.

Looks like error-code and exception-type are definitely not interchangeable, or maybe error-code simply doesn't work. (If I had to guess I'd say error-code only applies when you're intentionally throwing a code instead of generating a real exception)

Thanks again!
> Looks like error-code and exception-type are definitely not interchangeable, or maybe error-code
> simply doesn't work. (If I had to guess I'd say error-code only applies when you're intentionally
> throwing a code instead of generating a real exception)

You could be right. I only tested exception-type. So that's good too know.  
kcmurphy1Author Commented:
Yeah. Chicago Fed has one, but I'm a bit surprised the other three don't.

Pity you can't put something to make it bubble properly back up to the cfm level or the IIS level. The only way I could find to make IIS not send it on to JRun was to remove the wildcard extension, and that ended up breaking CF for some reason.

Thanks again!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Servers

From novice to tech pro — start learning today.