Elmah.axd / Errorlog.axd Detected - Vulnerability Database


Description

ELMAH (Error Logging Modules and Handlers) is an error logging library for ASP.NET applications that records unhandled exceptions and serves the resulting log through an HTTP handler, normally registered as elmah.axd (errorlog.axd is a common alternative name). Each entry holds the exception message and full stack trace, the request's server variables (including the raw Cookie header, so session and forms-authentication cookies are captured), the query string and form fields, and whatever the exception text itself reveals, such as physical file paths or a database connection string. Out of the box ELMAH only answers requests from the local machine, but when remote access has been enabled without an authorization rule for the handler, anyone who can reach the application can browse, download and subscribe to the complete error log without authenticating.

Remediation

Restrict access to the ELMAH handler with URL authorization in the application's web.config. Follow these steps:

1. Add a location-specific authorization rule:
Add the following to web.config so that only members of an administrative role can reach the handler. The path must match the path the handler is registered under (use errorlog.axd if that is the registered name), "Admin" is a placeholder for your own role name, and the application must use an authentication mode (Forms or Windows) that populates roles. ASP.NET evaluates the rules in order and stops at the first match, so keep the allow above the deny:

<location path="elmah.axd">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

2. Alternative: disable remote access entirely:
If the log only needs to be read from the server itself, deny remote access in the elmah section. This is ELMAH's default when no security element is present, so setting it explicitly documents the intent and protects against a copied configuration that switched it on. Note that ELMAH decides whether a request is local from its source address, so a reverse proxy or load balancer running on the same host makes every request look local; in that deployment the authorization rule from step 1 is the safer control:

<elmah>
  <security allowRemoteAccess="false" />
</elmah>

3. Verify the configuration:
After applying the change, request /elmah.axd (and /errorlog.axd, plus the rss and download sub-views) from a logged-out browser or with curl. A correct configuration returns 401 or 403, or redirects to the login page; a 200 response that still renders the error log page means the rule is not being applied, for example because the location path does not match the registered handler path. Do not judge by status code alone, since applications with a catch-all route answer 200 for any URL. If production error logging can be handled through another mechanism that is not web-accessible, remove ELMAH from production entirely.
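The following Python script, added here as an example and not part of Invicti's or ELMAH's own code, carries the three steps through offline: it parses a constructed web.config, lists every path bound to Elmah.ErrorLogPageFactory so a renamed handler is not missed, decides for each path whether a location rule blocks anonymous users or remote access is off, and classifies the responses of an unauthenticated probe the way the verification step describes. The sample configuration, the function names, the accepted spellings of allowRemoteAccess and the page-text markers used to recognise ELMAH's log page are assumptions.

```python
"""Audit a web.config for an exposed ELMAH handler and classify probe responses.
Added example, not Invicti's or ELMAH's code; sample config and markers are assumed."""
import xml.etree.ElementTree as ET

ELMAH_FACTORY = "Elmah.ErrorLogPageFactory"  # type ELMAH registers for its .axd handler

# Constructed sample: elmah.axd is covered by a <location> rule, but the same handler
# is also registered as errorlog.axd with no rule, and remote access has been enabled.
SAMPLE_CONFIG = """<configuration>
  <elmah>
    <security allowRemoteAccess="true" />
  </elmah>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" />
    </authentication>
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      <add verb="POST,GET,HEAD" path="errorlog.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
  </system.web>
  <location path="elmah.axd">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def elmah_handler_paths(root):
    """Every path bound to ELMAH's page factory, from httpHandlers or system.webServer."""
    paths = set()
    for add in root.iter("add"):
        type_name = add.get("type", "").split(",")[0].strip()
        if type_name == ELMAH_FACTORY and add.get("path"):
            paths.add(add.get("path").lower())
    return paths


def location_denies_anonymous(root, path):
    """True if a <location> for `path` blocks unauthenticated users. ASP.NET evaluates
    rules top to bottom and stops at the first match, so an <allow users="*"/> or
    <allow users="?"/> placed above the deny defeats it."""
    for loc in root.iter("location"):
        if loc.get("path", "").lower() != path:
            continue
        for auth in loc.iter("authorization"):  # iter(), not find(): "system.web" has a dot
            for rule in auth:
                users = rule.get("users", "")
                if rule.tag == "allow" and users in ("*", "?"):
                    return False
                if rule.tag == "deny" and users in ("*", "?"):
                    return True
    return False


def remote_access_allowed(root):
    """ELMAH's default with no <security> element is to deny remote access."""
    sec = root.find("elmah/security")
    if sec is None:
        return False
    value = sec.get("allowRemoteAccess", "false").strip().lower()
    return value in ("true", "1", "yes", "on")  # accepted truthy spellings: assumption


def audit(config_xml):
    """Map each ELMAH handler path to True (protected) or False (reachable remotely
    without credentials)."""
    root = ET.fromstring(config_xml)
    remote = remote_access_allowed(root)
    return {p: (location_denies_anonymous(root, p) or not remote)
            for p in elmah_handler_paths(root)}


def classify_response(status, headers, body):
    """Classify one unauthenticated GET of the handler path. A bare 200 is not proof:
    apps with a catch-all route answer 200 for any URL, so the body must carry
    ELMAH's own page text (the markers are an assumption)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body.lower()
    if status in (401, 403):
        return "protected"  # URL authorization, or ELMAH refusing a remote request
    if status in (301, 302, 303, 307, 308) and "login" in hdrs.get("location", "").lower():
        return "protected"  # forms authentication bounced the request to the login page
    if status == 404:
        return "not-present"
    if status == 200 and ("powered by elmah" in text or "error log for" in text):
        return "exposed"
    return "inconclusive"
```

Running audit(SAMPLE_CONFIG) flags errorlog.axd as unprotected while elmah.axd passes, which is exactly the case the scanner's second probe name exists for; point classify_response at the status, headers and body returned by a logged-out request to each path to confirm the fix on a live host.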
