Description
The configuration file (web.config) of this web application contains an authorization section that is missing a deny rule. A deny rule is required to deny access to all other users. ASP.NET evaluates authorization rules in order and applies the first one that matches. By default it includes an allow-all rule that is evaluated last, so if no deny rule is present, any user not matched by an earlier rule falls through to this allow-all rule and is granted access.
This is an example of a vulnerable configuration:
<authorization>
    <allow users="admin"/>
</authorization>
Remediation
It's recommended to add a deny rule after the allow rules, so that every user not explicitly allowed is denied. This is an example of a safe configuration:
<authorization>
    <allow users="admin"/>
    <deny users="*"/>
</authorization>
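The following is an added example, not part of the original advisory or of ASP.NET itself: a small Python model of the first-match evaluation described above, showing why the vulnerable section lets an unlisted user through, plus a check that flags the missing deny rule. The function names and sample user "guest" are assumptions; only the users attribute is modelled, with exact name matching, and roles and verbs are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the vulnerable and safe snippets on this page.
VULNERABLE = """<configuration><system.web><authorization>
  <allow users="admin"/>
</authorization></system.web></configuration>"""
SAFE = """<configuration><system.web><authorization>
  <allow users="admin"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""

# The default allow-all rule the page describes, evaluated after the app's own rules.
INHERITED_DEFAULT = [("allow", "*")]


def load_rules(config_xml):
    """Return (action, user) pairs from the application-level <authorization> section."""
    rules = []
    for rule in ET.fromstring(config_xml).findall("system.web/authorization/*"):
        if rule.tag in ("allow", "deny"):
            for user in rule.get("users", "").split(","):
                if user.strip():
                    rules.append((rule.tag, user.strip()))
    return rules


def matches(pattern, user):
    """'*' is every user, '?' is the anonymous user (None here), else an exact name."""
    if pattern == "*":
        return True
    return user is None if pattern == "?" else pattern == user


def is_allowed(config_xml, user):
    """Rules are checked in order and the first match decides the outcome."""
    for action, pattern in load_rules(config_xml) + INHERITED_DEFAULT:
        if matches(pattern, user):
            return action == "allow"
    return False


def missing_deny_rule(config_xml):
    """Flag a section with allow rules but no <deny users="*"/> to stop the fall-through."""
    rules = load_rules(config_xml)
    return any(a == "allow" for a, _ in rules) and ("deny", "*") not in rules


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(name, "| guest allowed:", is_allowed(cfg, "guest"), "| flagged:", missing_deny_rule(cfg))
```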