Description

Application-level tracing enables trace log output for every page within an application. When the element is enabled for remote users (localOnly="false"), any user can view an detailed list of recent requests to the application simply by browsing to the page trace.axd.

Remediation

Check the element from web.config and ensure that enabled attribute is set to "False" and/or localOnly attribute is set to "true".

Example:

Related Vulnerabilities

Adobe Experience Manager Misconfiguration

CodeIgniter session decoding vulnerability

Apache Tomcat version older than 7.0.30

Apache Axis2 administration console weak password

Apache server-status enabled

Severity

Medium

Classification

CWE-215 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

Tags

Configuration