Description

Application-level tracing enables trace log output for every page within an application. When the <trace> element is enabled for remote users (localOnly="false"), any user can view an detailed list of recent requests to the application simply by browsing to the page trace.axd.

Remediation

Check the <trace> element from web.config and ensure that enabled attribute is set to "False" and/or localOnly attribute is set to "true".

Example: <trace enabled="False" localOnly="True">

Related Vulnerabilities

WordPress Plugin BulletProof Security Information Disclosure (5.1)

X-Forwarded-For HTTP header security bypass

JBoss JMX Console Unrestricted Access

Rails application running in development mode

WordPress Plugin WP-Live Chat by 3CX Information Disclosure (8.0.28)

Severity

Medium

Classification

CWE-215 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Information Disclosure