It turns out that something very helpful can sometimes do serious harm. I'm talking about the javascripthandler web handler included in BlogEngine.NET. This little gem of code compresses and caches the JavaScript files served to your readers. Its ProcessRequest method looks like this:
public void ProcessRequest(HttpContext context)
{
    // The file to serve is taken straight from the query string.
    string path = context.Request.QueryString["path"];
    string script = null;
    if (!string.IsNullOrEmpty(path))
    {
        if (context.Cache[path] == null)
        {
            if (path.StartsWith("http", StringComparison.OrdinalIgnoreCase))
            {
                // Remote script: fetched by URL.
                script = RetrieveRemoteScript(path);
            }
            else
            {
                // Local script: the path is used as given, with no directory
                // restriction and no check on the file's extension.
                script = RetrieveLocalScript(path);
            }
        }
    }
    // Remainder of the method (compress, cache, write the response) not shown.
}
The problem is that this bit of code neither restricts the path to a specific directory nor checks that the requested file is in fact JavaScript. So the following request will display the most sensitive information on your blog:
*** REMOVED FOR SECURITY PURPOSES ***
This of course assumes that you are using the XML membership provider included with BlogEngine, which keeps its user data under App_Data. The same trick works for any other file in the App_Data folder. It works because the handler opens the file on the server side, running under the ASP.NET worker process identity rather than as the user making the request: ASP.NET refuses direct browser requests for anything under App_Data, but that protection does nothing when a handler reads the file itself and writes its contents into the response.
A simple change to the javascripthandler.cs file, placed before the script is retrieved, blocks this disclosure by refusing any request whose path does not end in "js" (note that it addresses only the extension check, not the missing directory restriction):
// Refuse anything that does not look like a JavaScript file.
if (!path.EndsWith("js", StringComparison.OrdinalIgnoreCase))
    return;
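The extension check above still leaves the path itself unconstrained, which was the first of the two problems noted earlier. What follows is an added example written for this page, not BlogEngine's own code, of the stricter check a handler could run on the query-string value before calling RetrieveLocalScript: it canonicalizes the path, requires the result to stay inside a fixed scripts folder, and requires a real ".js" extension. The ScriptPathGuard class, the scriptRoot parameter and the sample inputs are all assumptions; a real handler would take the root from Server.MapPath of its script folder.

```csharp
using System;
using System.IO;

// Added example (not BlogEngine's code): resolve a requested local script
// name against a fixed scripts directory and refuse anything that escapes it
// or is not a .js file. scriptRoot is an assumption; the real handler would
// obtain it from Server.MapPath of its script folder.
static class ScriptPathGuard
{
    // Returns the full filesystem path to serve, or null if the request must be refused.
    public static string Resolve(string scriptRoot, string requested)
    {
        if (string.IsNullOrEmpty(requested))
            return null;

        // Remote URLs and absolute or drive-relative paths are never local scripts.
        if (Path.IsPathRooted(requested) || requested.Contains(":"))
            return null;

        try
        {
            // Check the extension with its dot, so "users.xml" and "users.xmljs" are both rejected.
            if (!string.Equals(Path.GetExtension(requested), ".js", StringComparison.OrdinalIgnoreCase))
                return null;

            // Canonicalize both sides; GetFullPath collapses "." and ".." segments.
            string root = Path.GetFullPath(scriptRoot);
            if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
                root += Path.DirectorySeparatorChar;

            string full = Path.GetFullPath(Path.Combine(root, requested));

            // The canonical result must still lie inside the root. The trailing
            // separator on root stops "scripts-old\x.js" from matching "scripts".
            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return null;

            return full;
        }
        catch (ArgumentException)
        {
            // Illegal characters in the path (for example an embedded NUL) are refused.
            return null;
        }
    }

    static void Main()
    {
        // Constructed sample inputs; the directory does not need to exist for the check.
        string root = Path.Combine(Path.GetTempPath(), "site", "scripts");
        string[] probes =
        {
            "blog.js",                          // allowed
            "widgets/slider.js",                // allowed, subfolder of the root
            "../App_Data/users.xml",            // refused: wrong extension
            "..\\web.config",                   // refused: wrong extension
            "http://example.invalid/evil.js",   // refused: not a local path
            "../scripts-old/legacy.js",         // refused: escapes the root
        };
        foreach (string p in probes)
            Console.WriteLine("{0,-35} -> {1}", p, Resolve(root, p) ?? "REFUSED");
    }
}
```

Run it on the handler's behalf by calling Resolve with the mapped script folder and the raw query-string value, and only pass a non-null result on to the code that reads the file. The order matters: the extension is checked on the request as given, and the directory check is done on the canonical path, so a ".." inside the name cannot satisfy the first test and then escape on the second.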
The catch is that you would have to recompile this and replace the BlogEngine.Core.dll file. So for those who aren't comfortable with recompiling the DLL, I have done it for you and added it to this entry. For the record, I simply downloaded the source code, added the line to the javascripthandler.cs file and then recompiled. So you just need to copy these files into your ~/bin folder and restart your application pool and web site.
BlogEngine Core-Patched.zip (238.04 kb)
Please install the latest BlogEngine.Core.dll from the Releases page at the BlogEngine.NET homepage. If you haven't done this already, do it right now!