1. Introduction
ELMAH (Error Logging Modules and Handlers) is an application error logging facility. A misconfigured ELMAH installation can allow unauthenticated attackers to view web requests, including sensitive information like Session IDs and full request variables. This impacts confidentiality of session data and potentially allows account takeover. Systems running ASP.NET applications with the ELMAH library installed are usually affected.
2. Technical Explanation
ELMAH is vulnerable when its security settings allow remote access to error logs via elmah.axd or errorlog.axd. This exposes detailed request information, including session cookies and other sensitive data. An attacker can directly access these pages without authentication if the configuration permits it.
- Root cause: The `allowRemoteAccess` attribute on the `<security>` element of the `<elmah>` section in web.config is set to allow remote access to the error logs.
- Exploit mechanism: An attacker sends a simple HTTP GET request to elmah.axd or errorlog.axd on the target server.
- Scope: ASP.NET applications using ELMAH versions prior to 1.2 are affected if not properly configured.
3. Detection and Assessment
Confirming vulnerability involves checking the web.config file for remote access settings, or directly attempting to access the error log pages.
- Quick checks: Examine the web.config file for the `allowRemoteAccess` setting on the `<security>` element inside the `<elmah>` section.
- Scanning: Nessus plugin ID 36987 and the OpenVAS scanner can detect this vulnerability. These are examples only; results may vary.
- Logs and evidence: Web server logs will show access attempts to elmah.axd or errorlog.axd if remote access is enabled.
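The two checks above (the web.config setting and web-server log evidence), as an added Python example that is not part of the original guide and not ELMAH's own code: it parses a constructed web.config and reports whether `allowRemoteAccess` enables remote access, then scans constructed IIS W3C log lines for successful requests to the ELMAH handler from non-loopback clients. The set of attribute values treated as "enabled" (1, true, yes, on) is an assumption about ELMAH's parsing; the log excerpt, addresses and timestamps are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from any real deployment): remote access enabled.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <elmah>
    <security allowRemoteAccess="1" />
  </elmah>
</configuration>
"""

# Assumption: ELMAH treats these attribute values (case-insensitively) as "enabled".
TRUE_VALUES = {"1", "true", "yes", "on"}


def elmah_remote_access_enabled(web_config_xml: str) -> bool:
    """Return True when <elmah><security allowRemoteAccess=...> permits remote access.

    A missing <elmah> section, <security> element or attribute is reported as
    disabled, matching the remediation target of allowRemoteAccess="0".
    """
    root = ET.fromstring(web_config_xml)
    security = root.find("./elmah/security")
    if security is None:
        return False
    value = security.get("allowRemoteAccess", "0")
    return value.strip().lower() in TRUE_VALUES


# Constructed IIS W3C log excerpt; client addresses are from documentation ranges.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 10:00:01 10.0.0.5 GET /default.aspx - 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-10 10:00:02 10.0.0.5 GET /elmah.axd - 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-10 10:00:03 10.0.0.5 GET /errorlog.axd/detail id=1 80 - 198.51.100.9 curl/8.0 200
2024-01-10 10:00:04 10.0.0.5 GET /elmah.axd - 80 - 127.0.0.1 Mozilla/5.0 200
2024-01-10 10:00:05 10.0.0.5 GET /elmah.axd - 80 - 203.0.113.7 Mozilla/5.0 403
"""

# Matches the handler itself and its sub-pages (e.g. /elmah.axd/detail).
ELMAH_HANDLER = re.compile(r"/(elmah|errorlog)\.axd(/|$)", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}


def find_remote_elmah_hits(log_text: str) -> list:
    """Return successful (2xx) requests to the ELMAH handler from non-loopback clients.

    Field positions come from the #Fields directive so the parser follows the log's
    own layout. Loopback requests are skipped because allowRemoteAccess="0" still
    permits local access; a 403 is the expected outcome after the fix, not evidence.
    """
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        if not ELMAH_HANDLER.search(rec["cs-uri-stem"]):
            continue
        if rec["c-ip"] in LOOPBACK or not rec["sc-status"].startswith("2"):
            continue
        hits.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "uri": rec["cs-uri-stem"],
            "status": rec["sc-status"],
        })
    return hits


if __name__ == "__main__":
    print("remote access enabled:", elmah_remote_access_enabled(SAMPLE_WEB_CONFIG))
    for hit in find_remote_elmah_hits(SAMPLE_IIS_LOG):
        print("remote ELMAH access:", hit)
```

Run it against a real web.config and the site's W3C logs by reading the files into the two functions; on the sample data it reports remote access enabled and two successful remote hits (the loopback request and the 403 are ignored).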
type C:\inetpub\wwwroot\web.config | findstr "allowRemoteAccess"
4. Solution / Remediation Steps
Disable remote access to ELMAH error logs by modifying the web.config file.
4.1 Preparation
- This change requires a brief application restart to take effect. Approval may be needed depending on your organization’s change control process.
4.2 Implementation
- Step 1: Open the web.config file for the affected ASP.NET application in a text editor.
- Step 2: Locate the `<elmah>` section and its `<security>` element within the configuration file.
- Step 3: Change the value of allowRemoteAccess to '0'. If the attribute does not exist, add it with a value of '0'.
- Step 4: Save the web.config file.
- Step 5: Restart the application or IIS for the changes to take effect.
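Steps 1 to 4 carried out as one script, as an added Python example that is not part of the original guide and not ELMAH's own tooling: it backs up web.config for roll back, sets `allowRemoteAccess="0"`, and also covers the cases the steps mention (attribute missing, `<security>` element missing, `<elmah>` section missing). It assumes the `<elmah>` section group is already registered in `<configSections>`, as it is on any working ELMAH install; the sample web.config is constructed.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path


def allow_remote_access_value(web_config_xml: str):
    """Return the current allowRemoteAccess attribute value, or None when absent."""
    security = ET.fromstring(web_config_xml).find("./elmah/security")
    return None if security is None else security.get("allowRemoteAccess")


def disable_elmah_remote_access(web_config_xml: str) -> str:
    """Return the web.config text with <elmah><security allowRemoteAccess="0" /> enforced.

    Mirrors the manual steps: the attribute is set to "0" when present, added when
    missing, and the <security> element or <elmah> section is created if absent.
    Comments survive the round trip via insert_comments (Python 3.8+).
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(web_config_xml, parser=parser)
    elmah = root.find("elmah")
    if elmah is None:
        elmah = ET.SubElement(root, "elmah")
    security = elmah.find("security")
    if security is None:
        security = ET.SubElement(elmah, "security")
    security.set("allowRemoteAccess", "0")
    body = ET.tostring(root, encoding="unicode")
    # ElementTree drops the XML declaration; carry the original one over if present.
    stripped = web_config_xml.lstrip()
    if stripped.startswith("<?xml"):
        decl_end = stripped.index("?>") + 2
        return stripped[:decl_end] + "\n" + body
    return body


def remediate_web_config(path: Path) -> Path:
    """Back up web.config beside itself (for roll back), rewrite it, return the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    fixed = disable_elmah_remote_access(path.read_text(encoding="utf-8"))
    path.write_text(fixed, encoding="utf-8")
    return backup


if __name__ == "__main__":
    import tempfile
    # Constructed sample, written to a temp file so the script runs without an IIS host.
    sample = '<?xml version="1.0"?>\n<configuration><elmah><security allowRemoteAccess="1" /></elmah></configuration>'
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "web.config"
        cfg.write_text(sample, encoding="utf-8")
        backup = remediate_web_config(cfg)
        print("backup written:", backup.name)
        print(cfg.read_text(encoding="utf-8"))
```

The step 5 restart is deliberately not automated: on IIS a web.config change already triggers an application-domain recycle, and a full IIS restart is a change-control decision. Because the file is re-serialized, review the diff against the .bak copy before relying on it in a pipeline.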
4.3 Config or Code Example
Before
<elmah>
  <security allowRemoteAccess="1" />
</elmah>
After
<elmah>
  <security allowRemoteAccess="0" />
</elmah>
4.4 Security Practices Relevant to This Vulnerability
- Least privilege: Restricting access to sensitive information like error logs minimizes the impact of a potential breach.
- Secure defaults: Configuring systems with secure settings by default reduces the risk of accidental exposure.
4.5 Automation (Optional)
No automation script is provided due to the simplicity and low-risk nature of this change.
5. Verification / Validation
Confirm the fix by checking the web.config file again; attempting to access the error log pages from a remote host should now fail with an HTTP 403 Forbidden error.
- Post-fix check: Run `type C:\inetpub\wwwroot\web.config | findstr "allowRemoteAccess"` and confirm it shows allowRemoteAccess="0".
- Re-test: Attempt to access elmah.axd or errorlog.axd in a web browser from a machine other than the server itself (the setting only restricts remote clients, so a test from localhost will still succeed). You should receive an HTTP 403 Forbidden error.
type C:\inetpub\wwwroot\web.config | findstr "allowRemoteAccess"
6. Preventive Measures and Monitoring
- Baselines: Include a check for secure ELMAH configuration in your ASP.NET security baseline or policy.
- Pipelines: Consider using static analysis tools to scan web.config files for insecure settings during the build process.
- Asset and patch process: Regularly review application configurations, including ELMAH settings, as part of a routine security assessment.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Disabling remote access may hinder troubleshooting if error logs are needed remotely. Ensure alternative logging mechanisms are in place.
- Roll back: Restore the original web.config file from backup. Restart the application or IIS to revert the changes.
8. References and Resources
- Vendor advisory or bulletin: https://code.google.com/archive/p/elmah/wikis/SecuringErrorLogPages.wiki
- NVD or CVE entry: No specific CVE is associated with this configuration issue, but it’s related to information disclosure vulnerabilities in ELMAH.
- Product or platform documentation relevant to the fix: https://elmah.github.io