Please read up on the vulnerability here:

Ref article: http://weblogs.asp.net/s...urity-vulnerability.aspx 

By default, YAF v1.9.1.x and later has customErrors set to either "On" or "RemoteOnly" with a redirect to the "Error.aspx" page:

<customErrors defaultRedirect="Error.aspx" mode="On"/>

The Error.aspx page does not include any specific error information, such as "404" or "500", that would allow attackers to figure out what the server is doing.

It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.

Basically, YAF is not at risk with its default configuration. But if you've modified the customErrors configuration to show error details, we strongly suggest you turn custom errors back on.
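To check whether a modified web.config still matches the settings described above, the following added example (not part of YAF or of the original post) audits the customErrors element, including location-scoped overrides and per-status error pages. The sample configs are constructed, the function name audit_custom_errors is hypothetical, and the code assumes the file declares no XML namespace on its root element.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not YAF's shipped web.config).
YAF_DEFAULT = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="On"/>
</system.web></configuration>"""

MODIFIED = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx">
      <error statusCode="404" redirect="NotFound.aspx"/>
    </customErrors>
  </system.web>
  <location path="admin"><system.web>
    <customErrors mode="Off"/>
  </system.web></location>
</configuration>"""


def audit_custom_errors(web_config_xml):
    """Return (scope, finding) tuples; an empty list matches the post's settings."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # Top-level <system.web> plus any <location>-scoped overrides.
    scopes = [("(root)", root.find("system.web"))]
    scopes += [(loc.get("path", ""), sw) for loc in root.findall("location")
               for sw in loc.findall("system.web")]
    for scope, system_web in scopes:
        ce = system_web.find("customErrors") if system_web is not None else None
        if ce is None:
            if scope == "(root)":
                findings.append((scope, "no customErrors element"))
            continue  # a location without its own element inherits the parent's
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        default = ce.get("defaultRedirect")
        if mode.lower() not in ("on", "remoteonly"):
            findings.append((scope, "mode=%s shows detailed errors" % mode))
        if not default:
            findings.append((scope, "no defaultRedirect"))
        # Per-status pages let a client tell a 404 from a 500 again.
        for err in ce.findall("error"):
            if err.get("redirect") != default:
                findings.append((scope, "statusCode %s has its own page"
                                 % err.get("statusCode")))
    return findings


if __name__ == "__main__":
    for name, xml in (("default", YAF_DEFAULT), ("modified", MODIFIED)):
        print(name, audit_custom_errors(xml) or "OK")
```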
