#1 Posted : Monday, September 20, 2010 1:46:00 PM(UTC)
Jaben


Please read up on the vulnerability here:

Ref article: http://weblogs.asp.net/s...urity-vulnerability.aspx

By default, v1.9.1.x and later of YAF has customErrors set to either "On" or "RemoteOnly" with a redirect to the "Error.aspx" page:

<customErrors defaultRedirect="Error.aspx" mode="On"/>

The Error.aspx does not include any specific error information such as "404" or "500" that would allow attackers to figure out what the server is doing.

It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.

Basically, YAF is not at risk with its default configuration. But if you've modified the configuration to show customErrors, we strongly suggest you turn custom errors back on.

Edited by user Tuesday, October 5, 2010 11:37:21 AM(UTC)  | Reason: Not specified

thanks 2 users thanked Jaben for this useful post.
Kamyar on 9/21/2010(UTC), kingmanu on 11/27/2014(UTC)
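
Added example, not part of the post above or of YAF's own code: a Python check that audits a web.config for the customErrors settings the post describes. It flags a mode other than "On" or "RemoteOnly", a missing defaultRedirect, and per-status error pages that would tell a client whether it hit a 404 or a 500. The function name, the findings wording and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAFE_MODES = {"On", "RemoteOnly"}  # the two modes the post names as YAF defaults


def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}customErrors".
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return findings (strings) for every <customErrors> in a web.config document."""
    root = ET.fromstring(web_config_xml)
    # iter() also reaches elements nested under <location> overrides.
    elements = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not elements:
        return ["no <customErrors> element: no common error page is configured"]
    findings = []
    for el in elements:
        mode = el.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        if mode not in SAFE_MODES:
            findings.append(f"mode={mode!r}: detailed errors are returned to clients")
        if not el.get("defaultRedirect"):
            findings.append("defaultRedirect missing: no common error page")
        codes = [c.get("statusCode", "?") for c in el if _local(c.tag) == "error"]
        if codes:
            findings.append("per-status pages reveal the error type: " + ", ".join(codes))
    return findings


# Constructed sample inputs (not taken from a real deployment).
YAF_DEFAULT = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="On"/>
</system.web></configuration>"""

MODIFIED = """<configuration><system.web>
  <customErrors mode="Off"/>
</system.web>
<location path="admin"><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx">
    <error statusCode="404" redirect="NotFound.aspx"/>
    <error statusCode="500" redirect="ServerError.aspx"/>
  </customErrors>
</system.web></location></configuration>"""

if __name__ == "__main__":
    for name, doc in (("default", YAF_DEFAULT), ("modified", MODIFIED)):
        print(name, audit_custom_errors(doc) or "OK")
```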
#2 Posted : Tuesday, September 28, 2010 8:46:19 PM(UTC)
Jaben


Updates from Scott Gu about this issue: http://weblogs.asp.net/s...urity-vulnerability.aspx
#3 Posted : Wednesday, September 29, 2010 9:19:18 AM(UTC)
Jaben

