Description

Application-level tracing enables trace log output for every page within an application. When the <trace> element is enabled for remote users (localOnly="false"), any user can view an detailed list of recent requests to the application simply by browsing to the page trace.axd.

Remediation

Check the <trace> element from web.config and ensure that enabled attribute is set to "False" and/or localOnly attribute is set to "true".

Example: <trace enabled="False" localOnly="True">

Related Vulnerabilities

JBoss BSHDeployer MBean

HTTP verb tampering

Yii2 Gii extension

Verb tampering via misconfigured security constraint

AWStats script

Severity

Medium

Classification

CWE-215 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

Tags

Configuration