Please read up on the vulnerability here:
Ref article: http://weblogs.asp.net/s...urity-vulnerability.aspx
By default, v1.9.1.x and later of YAF has customErrors set to either "On" or "RemoteOnly" with a redirect to the "Error.aspx" page:
<customErrors defaultRedirect="Error.aspx" mode="On"/>
The Error.aspx page does not include any specific error information, such as "404" or "500", that would allow attackers to figure out what the server is doing.
It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.
Basically, YAF is not at risk with its default configuration. But if you've modified the configuration to show customErrors, we strongly suggest you turn custom errors back on.
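One way to check a web.config against the settings described in the post above. This is an added example, not code from the post or from YAF: the function name, the sample configs and the rule that flags per-status-code redirects (based on the post's point that the error page should not distinguish "404" from "500") are assumptions.

```python
import xml.etree.ElementTree as ET

SAFE_MODES = {"On", "RemoteOnly"}  # the two modes the post names as YAF defaults

def local(tag):
    """Strip an XML namespace, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]

def check_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the settings match the post."""
    root = ET.fromstring(web_config_xml)
    nodes = [el for el in root.iter() if local(el.tag) == "customErrors"]
    if not nodes:
        return ["no <customErrors> element, so no defaultRedirect is configured"]
    findings = []
    for node in nodes:
        mode = node.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        default = node.get("defaultRedirect")
        if mode not in SAFE_MODES:
            findings.append(f'mode="{mode}" is not On or RemoteOnly')
        if not default:
            findings.append("defaultRedirect is missing")
        for err in node:
            if local(err.tag) != "error":
                continue
            target = err.get("redirect", "")
            if target.lower() != (default or "").lower():
                findings.append(
                    f'statusCode {err.get("statusCode")} redirects to "{target}", '
                    "so clients can tell that error apart")
    return findings

# Constructed sample configs (hypothetical, not taken from a real site).
YAF_DEFAULT = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="On"/>
</system.web></configuration>"""

ERRORS_SHOWN = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="Off"/>
</system.web></configuration>"""

PER_STATUS = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="RemoteOnly">
    <error statusCode="404" redirect="NotFound.aspx"/>
  </customErrors>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in [("default", YAF_DEFAULT), ("off", ERRORS_SHOWN), ("per-status", PER_STATUS)]:
        print(name, check_custom_errors(xml) or "OK")
```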