I know I've blogged this before, and it's covered in my security checklist, but folks, stop what you are doing and make these changes right now on your production server:
- In the ColdFusion Admin, Debug Settings, turn off Enable Robust Exception Info.
- In the ColdFusion Admin, Settings, set a site-wide error handler. You only need to do this if you didn't bother to use onError or <cferror>. You don't need a pretty page. You can just say 'Error!' and be done. This is still 10x better than exposing an error page to your user.
The above changes will take you - approximately - 2 minutes. So please do this.... now.