Microsoft .NET Verbose Error Reporting Detection

Nessus Network Monitor Plugin ID 5876

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote .NET server has enabled verbose error reporting. By default, such reports are only accessible via localhost (127.0.0.1). When they are enabled for remote clients, attackers can gain information useful for future attacks. The information displayed includes source code, stack traces, the physical path of the application, error codes, and more. In addition, there have been flaws in the way that .NET 'ValidateRequest' handles malicious inputs.

Solution

Disable verbose error reporting in .NET applications.
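
One way to check a deployment for this setting, as an added example that is not part of the plugin: the script below audits an ASP.NET web.config for `customErrors` sections, including `<location>` overrides that re-enable verbose errors for part of a site. It assumes the setting lives in the `customErrors` element of `system.web` and that the file declares no XML namespace; the sample configuration and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the plugin page): the site-wide
# setting is safe, but a <location> override turns verbose errors back on.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
  <location path="api">
    <system.web>
      <compilation debug="false" />
    </system.web>
  </location>
</configuration>"""


def audit_custom_errors(config_xml):
    """Return (scope, mode, exposed) for every explicit customErrors element.

    mode "Off" sends detailed errors to every client, "RemoteOnly" limits
    them to localhost, and "On" hides them from everyone. A section with no
    customErrors element inherits its parent's setting or the RemoteOnly
    default, so it is not reported.
    """
    root = ET.fromstring(config_xml)
    # Site-wide section first, then each <location path="..."> override.
    scopes = [("(site)", root)]
    scopes += [(loc.get("path", "(site)"), loc) for loc in root.iter("location")]
    findings = []
    for scope, node in scopes:
        for web in node.findall("system.web"):
            for element in web.findall("customErrors"):
                mode = element.get("mode", "RemoteOnly")
                findings.append((scope, mode, mode == "Off"))
    return findings


def exposed_scopes(config_xml):
    """Scopes whose detailed error pages are served to remote clients."""
    return [scope for scope, _mode, off in audit_custom_errors(config_xml) if off]


if __name__ == "__main__":
    for scope, mode, off in audit_custom_errors(SAMPLE_WEB_CONFIG):
        print(f"{scope:8} customErrors={mode:10} {'EXPOSED' if off else 'ok'}")
```

Setting `mode` to `RemoteOnly` or `On` in each flagged scope applies the solution above.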

See Also

http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf

Plugin Details

Severity: Info

ID: 5876

Family: Data Leakage

Published: 3/31/2011

Updated: 1/15/2016

Dependencies: 1442