Offline Jaben  
#1 Posted : 20 September 2010 21:46:00(UTC)
Jaben
Please read up on the vulnerability here:

Ref article: http://weblogs.asp.net/s...urity-vulnerability.aspx

By default, v1.9.1.x and later of YAF have customErrors set to either "On" or "RemoteOnly" with a redirect to the "Error.aspx" page:

<customErrors defaultRedirect="Error.aspx" mode="On"/>

The Error.aspx does not include any specific error information, such as "404" or "500", that would allow attackers to figure out what the server is doing.

It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.

Basically, YAF is not at risk with its default configuration. But if you've modified the configuration to show customErrors, we strongly suggest you turn custom errors back on.

Edited by user 05 October 2010 19:37:21(UTC)  | Reason: Not specified

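A small check for the setting discussed in the post above, added here as an example and not code from the YAF project: it parses a web.config and reports the configurations the post warns about (customErrors off, no single defaultRedirect, or per-status error pages that would let a client tell a 404 from a 500). The web.config fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the YAF project).
WEAK_CONFIG = """<configuration><system.web>
  <customErrors mode="Off"/>
</system.web></configuration>"""

SAFE_CONFIG = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="On"/>
</system.web></configuration>"""

# One generic page for most errors, but a distinct page for 404s.
PER_STATUS_CONFIG = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="On">
    <error statusCode="404" redirect="NotFound.aspx"/>
  </customErrors>
</system.web></configuration>"""

EXPLANATIONS = {
    "NO_CUSTOM_ERRORS": "no <customErrors> element under <system.web>",
    "MODE_OFF": 'mode="Off" returns detailed error pages to every client',
    "MODE_MISSING": "mode attribute missing; set it to On or RemoteOnly",
    "NO_DEFAULT_REDIRECT": "no defaultRedirect, so each error type gets its own page",
    "PER_STATUS_PAGES": "<error statusCode=...> children let a client tell error types apart",
}


def check_custom_errors(web_config_xml):
    """Return the list of finding codes; an empty list means the config
    matches the post's advice (mode On/RemoteOnly, one generic redirect)."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return ["NO_CUSTOM_ERRORS"]
    findings = []
    mode = node.get("mode")
    if mode is None:
        findings.append("MODE_MISSING")
    elif mode.lower() == "off":
        findings.append("MODE_OFF")
    if not node.get("defaultRedirect"):
        findings.append("NO_DEFAULT_REDIRECT")
    if node.findall("error"):  # per-status <error> children
        findings.append("PER_STATUS_PAGES")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG), ("per-status", PER_STATUS_CONFIG)):
        codes = check_custom_errors(cfg)
        print(name, "OK" if not codes else "; ".join(EXPLANATIONS[c] for c in codes))
```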
Offline Jaben  
#2 Posted : 29 September 2010 04:46:19(UTC)
Jaben
Updates from Scott Gu about this issue: http://weblogs.asp.net/s...urity-vulnerability.aspx
Offline Jaben  
#3 Posted : 29 September 2010 17:19:18(UTC)
Jaben