ELMAH (Error Logging Modules and Handlers) is an application-wide error logging facility that is completely pluggable. If ELMAH is not properly configured, the elmah.axd handler can be accessed without authorization. This page will list all the error messages generated by the web application.
Go to $URL From here you can download the entire log going to this URL. I found some errors that had sensitive information:
- Cookie (ss-pid=nRWaLI079kORwvV5HN/tgw==; ASP.NET_SessionId=REDACTED-.. truncated)
- Local paths (REDACTED)
- IP Address (REDACTED)
May disclose sensitive information to an attacker, users cookies, IP addresses and more.