elmah.axd Detected
- CWE 425
- WASC 34
ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment. If ELMAH is not properly configured, the elmah.axd handler can be accessed without authorization. The handler's page lists all the error messages generated by the web application and may disclose sensitive information to an attacker, such as:
- Session cookies
- Session state
- Query string and post variables
- Physical path of the requested file
Remediation
Apply the following changes in your web.config file to disable remote access to elmah.axd:
<elmah>
  <security allowRemoteAccess="no"/>
</elmah>
You can also adjust web.config so that the handler cannot be accessed without proper authorization:
<location path="elmah.axd">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
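To verify both settings in a deployed web.config, the following added example (not part of the original page or of ELMAH itself) parses the file and reports whether elmah.axd is reachable by remote, anonymous clients. The function name `audit_elmah`, the set of values treated as "enabled", the treatment of a missing `<security>` element as disabled, and the sample configurations are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute values assumed to enable remote access (assumption, not from the page).
TRUTHY = {"yes", "true", "on", "1"}

def audit_elmah(web_config_xml):
    """Report how a web.config exposes elmah.axd to remote, anonymous clients."""
    root = ET.fromstring(web_config_xml)

    # <elmah><security allowRemoteAccess="..."/></elmah>; a missing element is
    # treated as "not enabled" (assumption).
    sec = root.find("elmah/security")
    value = sec.get("allowRemoteAccess", "") if sec is not None else ""
    remote_access = value.strip().lower() in TRUTHY

    # URL authorization is first-match-wins, so rule order matters: find the
    # first rule under <location path="elmah.axd"> that applies to anonymous users.
    anonymous_denied = False
    for loc in root.findall("location"):
        if loc.get("path", "").strip().lower() != "elmah.axd":
            continue
        for rule in loc.findall("system.web/authorization/*"):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if users & {"*", "?"}:
                anonymous_denied = rule.tag == "deny"
                break

    return {
        "remote_access": remote_access,
        "anonymous_denied": anonymous_denied,
        "exposed": remote_access and not anonymous_denied,
    }

# Constructed sample inputs (not taken from a real application).
WEAK = """<configuration>
  <elmah><security allowRemoteAccess="yes"/></elmah>
</configuration>"""

HARDENED = """<configuration>
  <elmah><security allowRemoteAccess="no"/></elmah>
  <location path="elmah.axd">
    <system.web><authorization>
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_elmah(cfg))
```

A configuration that places an allow rule for all users ahead of the deny rule is reported as not denying anonymous access, because the first matching rule decides.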