ELMAH Information Leak

Risk:
Medium

Type:
Active

CWE:
94

Summary: The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information.

Solution: Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/

References

https://www.troyhunt.com/aspnet-session-hijacking-with-google/

https://www.nuget.org/packages/elmah

https://elmah.github.io/