
ELMAH Information Leak

  • Risk: Medium
  • Type: Active

Summary

The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information.

Solution

Consider whether ELMAH is actually required in production; if it isn't, disable it. If it is, ensure that access to it requires authentication and authorization. See also: https://elmah.github.io/a/securing-error-log-pages/
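
A configuration check for the solution above, as an added example that is not part of the original alert or of ELMAH itself: it audits a web.config for an ELMAH log page that is reachable without an authorization rule. The two sample configurations are constructed, the `audit` and `is_elmah_page` helpers are hypothetical names, and the deny-rule test is a simple heuristic based on the `<location>`/`<authorization>` layout and `allowRemoteAccess` setting from the ELMAH security guidance linked above.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not from any real site).
WEAK = """<configuration>
  <elmah><security allowRemoteAccess="yes" /></elmah>
  <system.web><httpHandlers>
    <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
  </httpHandlers></system.web>
</configuration>"""

HARDENED = """<configuration>
  <elmah><security allowRemoteAccess="yes" /></elmah>
  <location path="elmah.axd">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <authorization><allow roles="admin" /><deny users="*" /></authorization>
    </system.web>
  </location>
</configuration>"""

def is_elmah_page(add):
    return "Elmah.ErrorLogPageFactory" in add.get("type", "")

def audit(config_xml):
    """Hypothetical helper: list ELMAH exposure findings for one web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    # Handlers registered at the top level are not scoped by a <location>
    # element, so location-based authorization rules may not cover them.
    top = root.findall("system.web/httpHandlers/add") + root.findall("system.webServer/handlers/add")
    for add in filter(is_elmah_page, top):
        findings.append("handler '%s' is registered outside a <location> element" % add.get("path"))
    for loc in root.findall("location"):
        if not any(is_elmah_page(a) for a in loc.iter("add")):
            continue
        denies = loc.findall("system.web/authorization/deny")
        if not any(d.get("users") == "*" for d in denies):
            findings.append("location '%s' lacks <deny users=\"*\" />" % loc.get("path"))
    sec = root.find("elmah/security")
    remote = sec is not None and sec.get("allowRemoteAccess", "").lower() in ("true", "yes", "on", "1")
    if remote and findings:
        findings.append("allowRemoteAccess is enabled and the log page is not access-controlled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```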

References

https://www.troyhunt.com/aspnet-session-hijacking-with-google/

https://www.nuget.org/packages/elmah

https://elmah.github.io/
