I am using ELMAH as the error logging system in an ASP.NET Web Forms project. But in ELMAH anyone can read the error log by pasting /elmah.axd in the URL.
And I cannot check authorization because I am not using ASP.NET Membership.
asked Oct 23, 2013 at 13:47
Venom
Are you using any type of authorization? It's easy enough to secure elmah just by setting an auth cookie as stated in this post. You don't need anything complicated or even a database to make this work. – MikeSmithDev, commented Oct 23, 2013 at 14:01
2 Answers
Can you lock it down with IP security (IIS7 +)?
    <location path="elmah.axd">
      <system.web>
        <httpHandlers>
          <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
        </httpHandlers>
        <!--
          See http://code.google.com/p/elmah/wiki/SecuringErrorLogPages for
          more information on using ASP.NET authorization securing ELMAH.
        -->
      </system.web>
      <system.webServer>
        <security>
          <!-- Deny every client address that is not listed; only the local machine is allowed. -->
          <ipSecurity allowUnlisted="false">
            <add ipAddress="127.0.0.1" allowed="true" />
          </ipSecurity>
        </security>
        <handlers>
          <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
        </handlers>
      </system.webServer>
    </location>
answered Oct 25, 2013 at 12:58
SilverlightFox
I've found that the easiest option is to change the elmah.axd bits in the web.config to something else that no one will guess. E.g. myerrors.axd (obviously choose something more obscure).
Then only you know what the page name is to view the errors....
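An added example, not from the question or either answer: the ASP.NET authorization route that the comment under the question and the XML comment in the first answer point to, written as a web.config fragment. It assumes Forms authentication with a hypothetical login page `~/Login.aspx` and a hypothetical user name `elmahadmin`, and that the site is served over HTTPS.

```xml
<configuration>
  <configSections>
    <!-- Needed only if the elmah/security section is not already declared. -->
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false"
               type="Elmah.SecuritySectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- "false" limits the log pages to requests made on the server itself.
         "true" permits remote requests, so the <authorization> rules
         below become the only gate. -->
    <security allowRemoteAccess="true" />
  </elmah>

  <system.web>
    <!-- Forms authentication works without ASP.NET Membership: the login
         page (assumed name) checks credentials however the site likes and
         then calls FormsAuthentication.SetAuthCookie("elmahadmin", false). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="20" />
    </authentication>
  </system.web>

  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <authorization>
        <!-- Rules are evaluated top down: the named user (assumed) is
             allowed, every other user, anonymous included, is denied. -->
        <allow users="elmahadmin" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah"
             preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
```

Keeping the handler registration inside the `location` element matters: registered at the top level, `path="elmah.axd"` also answers under other directories of the site, which a `location` rule for the root path alone does not cover.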