elmah.axd information disclosure

Description
  • ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. It can be dynamically added to a running ASP.NET web application, or even all ASP.NET web applications on a machine, without any need for re-compilation or re-deployment. If ELMAH is not properly configured, the <strong>elmah.axd</strong> handler can be accessed without authorization. This page will list all the error messages generated by the web application and may disclose sensitive information to an attacker.
Remediation
  • Adjust web.config to deny access to this entity without proper authorization.<br/> <pre> <location path="elmah.axd"> <system.web> <authorization> <allow roles="Admin" /> <deny users="*" /> </authorization> </system.web> </location> </pre>
References