Risk Level | Number of Alerts |
---|---|
High | 0 |
Medium | 1 |
Low | 0 |
Informational | 0 |

Name | Risk Level | Number of Instances |
---|---|---|
ELMAH Information Leak | Medium | 1 |

Medium | ELMAH Information Leak |
---|---|
Description | The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. |
URL | http://127.0.0.1:8000/elmah.axd |
Method | GET |
Parameter | |
Attack | |
Evidence | HTTP/1.0 301 Moved Permanently |
Instances | 1 |
Solution | Consider whether or not ELMAH is actually required in production; if it isn't, then disable it. If it is, then ensure access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/ |
Reference | https://www.troyhunt.com/aspnet-session-hijacking-with-google/ https://www.nuget.org/packages/elmah https://elmah.github.io/ |
CWE Id | 94 |
WASC Id | 14 |
Plugin Id | 40028 |