Description

An ASP.NET diagnostic page was found in this directory. Usually, such files are installed by developers to help them in testing their code or debug various parts of the application. This page discloses a lot of potentially sensitive information, such as: the list of environment variables, trace information, request details, list of server variables.

It's recommended to restrict access to this file.

Remediation

Adjust web.config to deny access to this entity without proper authorization.

<location path="dump.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

References

ASP.NET Diagnostic page to dump ASP.NET and Environment configuration

Related Vulnerabilities

Clickjacking: CSP frame-ancestors missing

ASP.NET expired session IDs are not regenerated

WordPress Plugin Backup Migration Arbitrary File Download (1.3.6)

WordPress Plugin NextGEN Gallery-WordPress Gallery Information Disclosure (1.9.11)

Insecure Transportation Security Protocol Supported (TLS 1.1)

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Information Disclosure