Please read up on the vulnerability here:
Ref article:
http://weblogs.asp.net/s...urity-vulnerability.aspx
By default, YAF v1.9.1.x and later has customErrors set to either "On" or "RemoteOnly" with a redirect to the "Error.aspx" page:
<customErrors defaultRedirect="Error.aspx" mode="On"/>
The Error.aspx page does not include any specific error information such as "404" or "500" that would allow attackers to figure out what the server is doing.
It does provide an optional internal error message from YAF which is very specific and doesn't include any general error information.
Basically, YAF is not at risk with its default configuration. But if you've modified the configuration to show customErrors, we strongly suggest you turn custom errors back on.
Edited by user 2010-10-05T17:37:21Z | Reason: Not specified
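A check for the configuration described in this post, as an added example that is not part of the original post or of YAF's own code: it parses a web.config and reports a customErrors section that departs from the default shown above. The function name and the sample configs are constructed for illustration; flagging per-status `<error>` redirects goes slightly beyond the post, following its point that a 404 and a 500 should not be distinguishable.

```python
import xml.etree.ElementTree as ET

SAFE_MODES = {"On", "RemoteOnly"}  # the two modes the post names as YAF's default

def _local(tag):
    """Strip an XML namespace prefix such as '{ns}customErrors'."""
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return findings for <customErrors>; an empty list means it matches the default."""
    root = ET.fromstring(web_config_xml)
    node = next((e for e in root.iter() if _local(e.tag) == "customErrors"), None)
    if node is None:
        return ["no <customErrors> element: no defaultRedirect is configured"]
    findings = []
    mode = node.get("mode", "RemoteOnly")  # ASP.NET uses RemoteOnly when mode is omitted
    if mode not in SAFE_MODES:
        findings.append(f'mode="{mode}": remote clients see detailed errors')
    redirect = node.get("defaultRedirect")
    if not redirect:
        findings.append("defaultRedirect is missing: no common error page")
    # Per-status pages let a client tell a 404 from a 500 by where it lands.
    for err in (c for c in node if _local(c.tag) == "error"):
        if err.get("redirect") != redirect:
            findings.append(f'statusCode {err.get("statusCode")} redirects to '
                            f'"{err.get("redirect")}", not the default page')
    return findings

# Constructed sample configs (not taken from a real site).
YAF_DEFAULT = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="On"/>
</system.web></configuration>"""

ERRORS_OFF = """<configuration><system.web>
  <customErrors mode="Off"/>
</system.web></configuration>"""

PER_STATUS = """<configuration><system.web>
  <customErrors defaultRedirect="Error.aspx" mode="RemoteOnly">
    <error statusCode="404" redirect="NotFound.aspx"/>
  </customErrors>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in [("default", YAF_DEFAULT), ("off", ERRORS_OFF), ("per-status", PER_STATUS)]:
        print(name, audit_custom_errors(cfg) or "OK")
```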