bigtoga
Friday, March 10, 2006
Friday, September 11, 2009 8:39:11 AM
332 [0.97% of all posts / 0.23 posts per day]

Jaben wrote: Yes -- but you'll need to modify the web.config to support IIS v7.0 integrated mode. Or just set the YAF application pool's Managed Pipeline Mode to "classic".

Just changed a bit for clarity.

Check out my implementation of YAF: http://forums.learnsqlserver.com/. I am also a SQL Server and .NET trainer over at http://www.learnitfirst.com

I guess no one has done this - have you continued? I would assume you would need to turn off URL rewriting.

I suppose you could also more easily modify the stored proc's default param value from false to true - that's actually better IMO.

Original:
Code:
ALTER procedure [dbo].[yaf_topic_delete] (@TopicID int, @UpdateLastPost bit=1, @EraseTopic bit=0)

New:
Code:
ALTER procedure [dbo].[yaf_topic_delete] (@TopicID int, @UpdateLastPost bit=1, @EraseTopic bit=1)

I'm just coming around to this issue myself... I'm still on 1.90 RC2, which has no IsDeleted column. When you delete a topic, by default it sets the Flags column in 1.90 to "8", which means "deleted". In the source, if you change topic_delete (in yaf.DB) to include this line, it will erase the topic:

Code:
cmd.Parameters.AddWithValue("@EraseTopic", true);

Here's what I've been able to work out:

0 = "live" - show it to guests, members, etc.
1 = "live" but locked
8 = deleted

You can run this to add this as documentation in the database:

Code:
EXEC sys.sp_addextendedproperty
    @name = N'MS_Description',
    @value = N'0 = "live" topic, 1 = locked but "live", 8 = deleted',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'yaf_topic',
    @level2type = N'COLUMN', @level2name = N'Flags'
GO

Jaben wrote: I'm aware of this security issue. But remember, you have to go to someone's site who is trying to hack you and click submit.
In v1.9.3 we put a check in so that you cannot post from other sites. If this is a big concern to anyone else -- I can give them the line of code that can fix this issue for other versions.
Given you have to go to a malicious site and click submit -- it doesn't seem like a high-risk flaw.
Now, the fact that you had a recent hacking attempt is more troubling. If you could PM me ANY details on this hacking attempt I would appreciate it. What was attempted? What did they gain access to?
-Jaben

Can you post the code for the part that prevents XSS?

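The check Jaben describes (refusing a post unless it was submitted from the forum's own site) can be done along the lines below. This is an added example written for this thread, not YAF's code: the host name, session id and server key are constructed, and the per-session anti-forgery token is an extra layer on top of the source check the post mentions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not YAF's code): two checks that together reject form posts
// submitted from another site. Host, session id and key below are made up.
public static class CrossSiteRequestGuard
{
    // 1. Source check: the Origin header (or, failing that, Referer) must name
    //    the forum's own host. A request carrying neither is refused here,
    //    because a browser-submitted form normally carries at least one.
    public static bool IsSameSite(string forumHost, string originHeader, string refererHeader)
    {
        string source = !string.IsNullOrEmpty(originHeader) ? originHeader : refererHeader;
        if (string.IsNullOrEmpty(source))
            return false;
        if (!Uri.TryCreate(source, UriKind.Absolute, out Uri uri))
            return false;
        return string.Equals(uri.Host, forumHost, StringComparison.OrdinalIgnoreCase);
    }

    // 2. Anti-forgery token: a value derived from the user's session with a
    //    server-side key, embedded in every form and verified on submit.
    //    A page on another site cannot read it, so it cannot forge the post.
    public static string IssueToken(byte[] serverKey, string sessionId)
    {
        using (var hmac = new HMACSHA256(serverKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(sessionId)));
    }

    public static bool VerifyToken(byte[] serverKey, string sessionId, string submittedToken)
    {
        if (string.IsNullOrEmpty(submittedToken))
            return false;
        byte[] expected = Convert.FromBase64String(IssueToken(serverKey, sessionId));
        byte[] actual;
        try { actual = Convert.FromBase64String(submittedToken); }
        catch (FormatException) { return false; }
        // Constant-time comparison so a wrong token does not leak timing information
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // Both checks must pass before the post is accepted.
    public static bool IsPostAllowed(string forumHost, byte[] serverKey, string sessionId,
                                     string originHeader, string refererHeader, string submittedToken)
    {
        return IsSameSite(forumHost, originHeader, refererHeader)
            && VerifyToken(serverKey, sessionId, submittedToken);
    }

    public static void Main()
    {
        byte[] key = new byte[32];
        RandomNumberGenerator.Fill(key);            // per-deployment secret (constructed here)
        const string host = "forum.example.test";   // constructed forum host
        const string session = "session-abc123";    // constructed sample session id
        string token = IssueToken(key, session);

        // Post submitted from the forum's own page with a valid token
        Console.WriteLine(IsPostAllowed(host, key, session, "https://forum.example.test", null, token));
        // Form submitted from a third-party page: Origin does not match
        Console.WriteLine(IsPostAllowed(host, key, session, "https://evil.example.test", null, token));
        // Correct Referer but no token in the form
        Console.WriteLine(IsPostAllowed(host, key, session, null, "https://forum.example.test/postmessage.aspx", ""));
    }
}
```

The Origin/Referer comparison on its own is only a partial defence: some browsers and proxies strip those headers, and treating an absent header as a rejection (as above) can block legitimate users. The per-session token is the check that a form hosted elsewhere cannot reproduce, so a forum should enforce both, and log rejected submissions rather than silently discarding them.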
CSharpHeaven wrote: Do the contributors of this project have a full-time job and only work part-time on YAF?

Yes.

Neven wrote: I see a new bullet with our name next to it on the next version of Xrunner. Just kidding. I think it's great news!

Great news, guys - congrats to all. I feel validated in a funny sort of way. Our hard work gets to make GoDaddy even more money.

Guys - while I applaud the contribution, let me just tell you from experience that this will have probably less than a 5% effect on stopping spam. Sorry. I've been running my own captcha'ed version of YAF since April and it is virtually worthless. I've removed it in my next "release" that I'm adding out there. I used Jeff Atwood's captcha (search for my earlier posts) and, even though Jeff's captcha is awesome, captchas are ineffective. Sorry.

Just so everyone knows, the latest script kiddie tools can defeat this as well (or claim to). AFAIK there's only one technique that is foolproof.

EDIT: "Foolproof" being a time-sensitive term, of course!