Description

Application-level tracing enables trace log output for every page within an application. When the <trace> element is enabled for remote users (localOnly="false"), any user can view an detailed list of recent requests to the application simply by browsing to the page trace.axd.

Remediation

Check the <trace> element from web.config and ensure that enabled attribute is set to "False" and/or localOnly attribute is set to "true".

Example: <trace enabled="False" localOnly="True">

References

Related Vulnerabilities