This morning, I read about a serious security issue in BlogEngine.NET. The security issue is in the JavaScript HTTP handler, which lets all files pass trough... In short: if you open http://your.blog.com/js.axd?path=app_data\users,xml, anyone can see your usernames/passwords! None of the other HttpHandlers are affected by this security hole.
My recommendation: if you are using BlogEngine.NET: go patch!
(and yes, I patched it 
/js.axd?path=app_data\users.xml)
