Assistance Required: Information Disclosure Issue in Log Viewer Endpoint

Dear Doconut Team,

I hope you are doing well.

We are currently conducting a security assessment on our environment and have identified a potential Information Disclosure vulnerability related to the following endpoint:

/viewer/DocImage.axd

Based on the penetration testing report, this endpoint appears to expose internal operational details such as:

  • Product and version information (e.g., Doconut 1.0.3.8); it also appears in Doconut 25.9.0.0

  • Access timestamps

  • Page counts

  • Viewer type

  • Environment-related information

This data exposure allows external parties to fingerprint the system and correlate internal activity, which could be leveraged for targeted attacks.

We would highly appreciate your guidance on the following points:

  1. What is the recommended approach to restrict or secure access to the /DocImage.axd endpoint?

  2. Is there an available configuration or update to disable log/details exposure from this handler in production environments?

  3. If the endpoint is required for viewer functionality, what is the best practice to enforce authentication and role-based authorization?

  4. Are there any patches, security settings, or documentation that address this specific scenario?

Please advise on the proper remediation steps to ensure the endpoint does not expose sensitive operational details while maintaining required viewer functionality.

Thank you for your support. We look forward to your guidance.

Kind regards,

@odaysaed

Thank you for reaching out.

To prevent exposure of internal information such as product version or other details, please ensure that the following DoconutOptions settings are explicitly configured:

1. .NET Framework (web.config)

Add or update the following keys in your web.config:

<appSettings>
    <!-- Disable the unsafe mode; it must not be enabled in production -->
    <add key="DoconutUnSafeMode" value="false" />
    <!-- Stop the handler from reporting product, version and other internal details -->
    <add key="DoconutShowInfo" value="false" />
</appSettings>

2. .NET Core / .NET 6+ (Program.cs or Startup.cs)

For applications running on .NET Core or .NET 6 and higher, configure the Doconut middleware for the DocImage.axd route as follows:

// Branch the pipeline only for requests whose path ends with DocImage.axd
// (EndsWith is case-sensitive here, so the path must match exactly).
app.MapWhen(
    context => context.Request.Path.ToString().EndsWith("DocImage.axd"),
    appBranch =>
    {
        appBranch.UseDoconut(new DoconutOptions
        {
            UnSafeMode = false,        // never enable unsafe mode in production
            ShowDoconutInfo = false    // suppress product/version and other internal details
        });
    });
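After applying either of the settings above, a quick way to confirm the handler no longer returns the items listed in the report (product/version string, access timestamps, page counts, viewer type, environment details) is to scan the raw response body for those markers. The following Python checker is an added example, not Doconut's code and not a script from this thread; the sample bodies are constructed, and the patterns assume a plain-text layout because the handler's actual output format is not shown on this page, so adjust them to what your instance really returns.

```python
"""Scan a DocImage.axd response body for the operational details the report
above lists as disclosed.  Added verification example, not Doconut code.
The sample bodies are constructed and the regexes assume a plain-text layout,
which is an assumption: adjust them to the real handler output."""
import re
from urllib.request import Request, urlopen

# Marker patterns, one per disclosure category named in the report.
PATTERNS = {
    "product_version": re.compile(r"\bDoconut\s+\d+(?:\.\d+){1,3}\b"),
    "timestamp": re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\b"),
    "page_count": re.compile(r"\b(?:page\s*count|pages)\s*[:=]\s*\d+\b", re.I),
    "viewer_type": re.compile(r"\bviewer\s*(?:type)?\s*[:=]\s*\w+", re.I),
    "environment": re.compile(
        r"\b(?:environment|machine|hostname|os)\s*[:=]\s*[^\s,;]+", re.I),
}


def find_disclosures(body: str) -> dict:
    """Return {category: [matched strings]} for every marker present in body.
    An empty dict means none of the listed details were found."""
    found = {}
    for name, rx in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(body)]
        if hits:
            found[name] = hits
    return found


def fetch_body(url: str, timeout: float = 10.0) -> str:
    """Fetch the endpoint without credentials, as an external party would.
    The URL is supplied by the caller (hypothetical; nothing is fetched on import)."""
    req = Request(url, headers={"User-Agent": "disclosure-check"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed "before" body modelled on the report's disclosure list.
BEFORE = """Doconut 25.9.0.0
Accessed: 2024-05-01 10:23:45
Viewer: Pdf
Pages = 12
Environment: IIS/Windows"""

# Constructed "after" body: only the rendered page image, no metadata.
AFTER = "<img src=... />"


if __name__ == "__main__":
    import sys
    # Usage: python check_docimage.py https://host/viewer/DocImage.axd
    body = fetch_body(sys.argv[1]) if len(sys.argv) > 1 else BEFORE
    hits = find_disclosures(body)
    print("LEAK" if hits else "clean", hits)
```

Run it against the endpoint before and after changing the configuration; a non-empty result after the change means the setting did not take effect (for example, the web.config keys were added to the wrong application or the MapWhen branch does not match the request path).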