Securing Elmah in ASP.NET website

Question

I am having trouble trying to secure ELMAH. I have followed Phil Haacked's tutorial, with the only difference being the demo project is a web application and my project is a website.

   <add verb="POST,GET,HEAD" path="/admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />

   <location path="admin">
        <system.web>  
            <authorization>  
                <deny users="?"/>  
            </authorization>  
        </system.web> 
    </location>

With the leading "/" I receive the response that "The resource cannot be found.", if I remove the leading "/" everything works fine except authentication can be bypassed by appending a directory name in front of /admin/elmah.axd.

For example without the leading "/"

www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - does not trigger the authentication and displays ELMAH

How can I ensure that ELMAH is secure while maintaining the ability to remotely view the log?

Thanks.

Note to others:
Following Alan's answer below results in the following.

www.mysite.com/admin/elmah.axd - triggers the authentication
www.mysite.com/admin/asdasdasd/elmah.axd - triggers the authentication
www.mysite.com/asdasdasd/admin/elmah.axd - The resource cannot be found. (exactly what we wanted)

score 70 · Accepted Answer · edited Feb 01 '15 at 19:08

70

I played around with the web.config and got the following to work. Basically instead of putting the elmah.axd HttpHandler in the general system.web, add it specifically in the system.web of your "admin" path location.

<location path="admin">
    <system.web>
        <httpHandlers>
            <add verb="POST,GET,HEAD" path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah" />
        </httpHandlers>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

edited Feb 01 '15 at 19:08

Lorenzo

29,081
49
125
222

answered Aug 10 '09 at 16:29

Alan

922
8
6

9

if you are using asp.net mvc don't forget to add: routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}"); – santiagoIT Aug 30 '11 at 02:51
Issues about security and ***ELMAH***: http://geeks.ms/lruiz/2014/07/21/asp-net-revisa-la-configuracin-de-elmah-en-produccin/ – PreguntonCojoneroCabrón Jun 25 '16 at 10:11

score 25 · Answer 2 · answered Oct 14 '10 at 23:32

25

If you are using ASP.NET MVC, you're going to need to have the routing engine ignore that path. If you want to move elmah to /admin/elmah.axd for instance you should add the following to Global.asax.cs:

routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}");

answered Oct 14 '10 at 23:32

aarondcoleman

536
7
9

This solved my problem on MVC, but I guess the original question was not about ASP.NET MVC. – pauloya Feb 05 '11 at 18:19
+1 for specifying MVC specific fix. Worked for me in MVC3. Without it @Alan's answer will not work in MVC. – N30 May 13 '11 at 21:34
@Paulo, The question doesn't specify Webforms or MVC. ASP.NET is the basis for both, so included this extra bit you'd need for MVC. – aarondcoleman Aug 17 '12 at 01:09
@aarondcoleman since this is not a direct answer to the question (as you noted yourself) you should either add it as a comment to the question, or the answer, or edit the accepted answer to add the MVC bit. You shouldn't just put it as an answer on its own since it is incomplete as an answer on its own and just causes weird results of upvotes that exceed the accepted answer votes, without direct justification. – Ofer Zelig Oct 27 '14 at 02:21

score 17 · Answer 3 · answered Jun 07 '11 at 16:56

Having spent a while trying to get this to work by patching together the various bits of advice from each of the answers, I've put together a complete solution that should work for all flavours of IIS.

Here's what needs to be in each of your web.config sections:

<configuration>
  <configSections>
    <sectionGroup name="elmah">
      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
      <section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />
      <section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />
    </sectionGroup>
  </configSections>

  <elmah>
    <!-- set allowRemoteAccess="0" for extra security -->
    <security allowRemoteAccess="1"/>
  </elmah>

  <system.web>
    <httpModules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
    </httpModules>
  </system.web>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <location path="admin">
    <system.web>
      <authorization>
        <!--<allow users="Admin" /> -->
        <deny users="?" />
      </authorization>
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
    </system.web>
    <system.webServer>
      <handlers>
        <add name="Elmah" path="elmah.axd" verb="POST,GET,HEAD" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>

</configuration>

And if you're using Asp.Net MVC, add

routes.IgnoreRoute("admin/elmah.axd/{*pathInfo}");

in your RegisterRoutes method.

score 1 · Answer 4 · answered Aug 12 '10 at 12:59

1

In IIS 7.5 windows server 2008, there is another section called system.webServer. In order for ELMAH to work, this had to be added:

<system.webServer>
  <handlers>
   <add name="Elmah" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" /> 
  </handlers>
</system.webServer>

I've tried a few variances, but I am unable to use the above solution for preventing '/blah/elmah.axd' from working.

Any Suggestions on making the above solution work for IIS 7.x?

Thanks.

answered Aug 12 '10 at 12:59

InvisibleMan1002

11
1

Once I removed the elmah.axd from my httpHandlers section of system.web and from handlers under system.webserver, I now get 404 error. I have my location path="admin" exactly like what Alan suggested. Running IIS 7.5. – InvisibleMan1002 Aug 12 '10 at 20:06
@Dan Atkinson that is a inaccurate statement. If you host in IIS 7+ you must register HttpHandlers and HttpModules in the `system.webServer` config section. – Chris Marisic Apr 02 '11 at 01:25
@ChrisMarisic: You know, you're absolutely right! I have retracted (deleted) my earlier statement. Thank you for correcting me. :) – Dan Atkinson Apr 02 '11 at 10:54
You need to add the system.webserver to the location section – Rune FS Jun 20 '11 at 07:05

Securing Elmah in ASP.NET website

4 Answers4

Linked