Maarten Balliauw

Maarten Balliauw

Loves web and HTTP, C#, Kotlin, Azure and application performance. Head of Developer Advocacy at JetBrains. Frequent speaker at and organizer of various community events. Likes brewing his own beer.

To all BlogEngine.NET users… Go patch!

Edit on GitHub

image This morning, I read about a serious security issue in BlogEngine.NET. The security issue is in the JavaScript HTTP handler, which lets all files pass trough... In short: if you open http://your.blog.com/js.axd?path=app_data\users,xml, anyone can see your usernames/passwords! None of the other HttpHandlers are affected by this security hole.

My recommendation: if you are using BlogEngine.NET: go patch!

(and yes, I patched it Cool  /js.axd?path=app_data\users.xml)

kick it on DotNetKicks.com

This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.

Leave a Comment

avatar

0 responses

    You May Also Enjoy

    Test-Driving Windows 11 Dev Drive for .NET

    At Build 2023 back in June, Microsoft announced a new form of storage volume for Windows 11: Dev Drive. In October 2023, support for Dev Drive was shipped as a Windows Update and now available to anyone using the latest version of Windows 11. [Environment]::SetEnvironmentVariable(“npm_config_cache”, “$DevDrive\Pack... Read more »

    Provide opt-in to experimental APIs using C#12 ExperimentalAttribute

    When writing libraries and frameworks that others are using, it’s sometimes hard to convey that a given API is still considered “experimental”. For example, you may want to iterate on how to work with part of the code base with the freedom to break things, while still allowing others to consume that code if they are... Read more »