Elmah.axd is publicly accessible leaking Error Log
Medium
Vulnerability Details
## Summary
ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. If ELMAH is not properly configured, the **elmah.axd** handler can be accessed without authorization. This page will list all the error messages generated by the web application.
## Impact
May disclose sensitive information to an attacker: users' cookies, IP addresses and more.
### Supporting Material/References:
- https://hackerone.com/reports/962753
## System Host(s)
██████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
Go to https://█████████/elmah.axd
From here you can download the entire log by going to this [URL](https://██████████/elmah.axd/download).
I found some errors that had sensitive information:
- [Cookie](https://███████/elmah.axd/detail?id=8eb722b8-4628-421a-ad32-36c945e23e3b) (█████; ████; __RequestVerificationToken=██████-.. **truncated**)
- Local paths (████████)
- IP Address (███)
## Suggested Mitigation/Remediation Actions
Report Stats
- Report ID: 1139340
- State: Closed
- Substate: resolved
- Upvotes: 9
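
A configuration check for the misconfiguration described in the summary, as an added example that is not part of the original report or of ELMAH itself. It audits a `web.config` for an ELMAH handler that has remote access enabled and no `<location path="elmah.axd">` authorization rule denying anonymous users. The sample configs, the `admin` role name and the function names are constructed for illustration, and the check assumes the handler is registered at the default `elmah.axd` path.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the reported host).
EXPOSED = """<configuration>
  <elmah><security allowRemoteAccess="true" /></elmah>
  <system.web><httpHandlers>
    <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
  </httpHandlers></system.web>
</configuration>"""

HARDENED = """<configuration>
  <elmah><security allowRemoteAccess="true" /></elmah>
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

TRUTHY = {"1", "true", "yes", "on"}  # values ELMAH reads as "enabled"
ANON = {"*", "?"}                    # rules that match unauthenticated users

def remote_access_enabled(root):
    sec = root.find("./elmah/security")
    return sec is not None and sec.get("allowRemoteAccess", "").strip().lower() in TRUTHY

def handler_requires_auth(root):
    """True if a <location path="elmah.axd"> block denies anonymous users."""
    for loc in root.findall("./location"):
        if loc.get("path", "").strip("/").lower() != "elmah.axd":
            continue
        # ASP.NET URL authorization: rules are read top-down, first match wins.
        for rule in loc.findall("./system.web/authorization/*"):
            users = {u.strip() for u in rule.get("users", "").split(",")}
            if users & ANON:
                return rule.tag == "deny"
    return False

def audit(config_xml):
    root = ET.fromstring(config_xml)
    if remote_access_enabled(root) and not handler_requires_auth(root):
        return ["elmah.axd is reachable remotely without authorization"]
    return []
```

With `allowRemoteAccess` left at its default of disabled, the handler only answers local requests, so `audit` reports nothing for that case either.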