YAF.NET Support Forum

Welcome Guest! To enable all features please Login or Register.
ASP.NET Vulnerability and YAF
Options
View
Go to last post Go to first unread
Previous Topic Next Topic
Offline Jaben  
#1 Posted : 20 September 2010 21:46:00(UTC)
Jaben


Rank: YAF Developer

Reputation:

Medals: Medal of Honor Key: Given to pillars of the community who are key players in the YAF community and project.YAF.NET Supporter: Loves YAF.NET!YAF.NET Supporter: Supports our efforts. Thank you.Medal of Honor for the Support King: Given to a community member who tirelessly answers tons of support questions.

Joined: 09/10/2004(UTC)
Posts: 2,544
Location: United States

Thanks: 142 times
Was thanked: 354 time(s) in 196 post(s)
Please read up on the vulnerability here:

Ref article: http://weblogs.asp.net/s...urity-vulnerability.aspx

By default with v1.9.1.x and later of YAF has customErrors set to either "On" or "RemoteOnly" with a redirect to "Error.aspx" page:

<customErrors defaultRedirect="Error.aspx" mode="On"/>

The Error.aspx does not include any specific error information such as: "404" or "500" that would allowing attackers to figure out what the server is doing.

It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.

Basically, YAF is not at risk with it's default configuration. But if you've modified the configuration to show customErrors, we strongly suggestion you turn custom errors back on.

Edited by user 05 October 2010 19:37:21(UTC)  | Reason: Not specified

UserPostedImage
Back to top
thanks 2 users thanked Jaben for this useful post.
Kamyar on 21/09/2010(UTC), kingmanu on 27/11/2014(UTC)
Sponsor
Back to top  

Wanna join the discussion?! Login to your YAF.NET Support Forum forum accountor Register a new forum account.
Back to top  
Offline Jaben  
#2 Posted : 29 September 2010 04:46:19(UTC)
Jaben


Rank: YAF Developer

Reputation:

Medals: Medal of Honor Key: Given to pillars of the community who are key players in the YAF community and project.YAF.NET Supporter: Loves YAF.NET!YAF.NET Supporter: Supports our efforts. Thank you.Medal of Honor for the Support King: Given to a community member who tirelessly answers tons of support questions.

Joined: 09/10/2004(UTC)
Posts: 2,544
Location: United States

Thanks: 142 times
Was thanked: 354 time(s) in 196 post(s)
Updates from Scott Gu about this issue: http://weblogs.asp.net/s...urity-vulnerability.aspx
UserPostedImage
Back to top
Offline Jaben  
#3 Posted : 29 September 2010 17:19:18(UTC)
Jaben


Rank: YAF Developer

Reputation:

Medals: Medal of Honor Key: Given to pillars of the community who are key players in the YAF community and project.YAF.NET Supporter: Loves YAF.NET!YAF.NET Supporter: Supports our efforts. Thank you.Medal of Honor for the Support King: Given to a community member who tirelessly answers tons of support questions.

Joined: 09/10/2004(UTC)
Posts: 2,544
Location: United States

Thanks: 142 times
Was thanked: 354 time(s) in 196 post(s)
UserPostedImage
Back to top
Rss Feed  Atom Feed
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Privacy Policy | Powered by YAF.NET 2.2.4.14 | YAF.NET © 2003-2018, Yet Another Forum.NET
This page was generated in 0.064 seconds.

Notification

Icon
Error

About

The YAF.NET is an open source .NET forum project. YAF.NET is supported by an team of international developers who are build community by building community software.

Project Twitter Updates

Contact Us

Email: Email Contact

Stay Connected

Powered by Resharper

Copyright © YetAnotherForum.NET & Ingo Herbote. All rights reserved Privacy Policy