Jaben
  • Posts: 2544
  • Joined: 09/10/2004
Please read up on the vulnerability here:

Ref article: http://weblogs.asp.net/s...urity-vulnerability.aspx 

By default, v1.9.1.x and later of YAF has customErrors set to either "On" or "RemoteOnly" with a redirect to the "Error.aspx" page:

<customErrors defaultRedirect="Error.aspx" mode="On"/>

The Error.aspx does not include any specific error information such as "404" or "500" that would allow attackers to figure out what the server is doing.

It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.

Basically, YAF is not at risk with its default configuration. But if you've modified the configuration to show customErrors, we strongly suggest you turn custom errors back on.
Jaben
  • Posts: 2544
  • Joined: 09/10/2004
Updates from Scott Gu about this issue: http://weblogs.asp.net/s...urity-vulnerability.aspx 