BlogEngine Vulnerability Exposed

by Chris 4/13/2008 8:57:00 PM

It turns out that something very helpful can sometimes do some serious harm.  I'm talking about the javascripthandler web handler included in BlogEngine.NET.  This little gem of code compresses and caches the javascript files that are served up to your readers.  Included in this code is a simple block that looks like:

public void ProcessRequest(HttpContext context)
{
    string path = context.Request.QueryString["path"];
    string script = null;

    if (!string.IsNullOrEmpty(path))
    {
        if (context.Cache[path] == null)
        {
            // Anything starting with "http" is fetched remotely; everything
            // else goes straight to RetrieveLocalScript with no check on the
            // directory or the file extension.
            if (path.StartsWith("http", StringComparison.OrdinalIgnoreCase))
            {
                script = RetrieveRemoteScript(path);
            }
            else
            {
                script = RetrieveLocalScript(path);
            }
        }
    }
    // ... remainder of the handler (caching and writing the script to the response)
}

The problem is that this bit of code doesn't limit the path of the javascript file to a specific directory, and doesn't even check that the file requested is in fact javascript.  So the following syntax will display the most sensitive information of your blog:

*** REMOVED FOR SECURITY PURPOSES *** 

This of course assumes that you are using the XML membership provider included with BlogEngine.  This little trick also works with any other file in the app_data folder.  The reason this works is that the javascripthandler code runs as the web service account and not as the user making the request.

A simple change to the javascripthandler.cs file would correct this nasty little vulnerability:

// Refuse anything that is not a script before it reaches RetrieveLocalScript.
if (!path.EndsWith("js", StringComparison.OrdinalIgnoreCase))
    return;

The problem is that you would have to recompile this and replace the BlogEngine.DLL file.  So for those who aren't comfortable with recompiling the DLL, I have done it for you and added it to this entry.  For the record, I simply downloaded the source code, added the line to the javascripthandler.cs file and then recompiled.  So you just need to copy these files into your ~/bin folder and restart your application pool and web site.
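As an added illustration, and not the code shipped in the patched DLL above, here is a stricter check for the local-file branch of the handler: besides requiring a .js extension, it confines the request to a single scripts folder, so a traversal into app_data is refused even for a file that happens to end in "js".  The ~/scripts/ folder and the ScriptPathGuard name are assumptions; the handler's local branch would call ResolveLocalScript and answer with a 404 whenever it returns null.

```csharp
using System;
using System.IO;
using System.Web;

// Added example, not part of BlogEngine.NET: a stricter guard for the
// local-file branch of javascripthandler. Assumes scripts live under
// ~/scripts/ (assumption) and uses the HttpContext the handler already has.
public static class ScriptPathGuard
{
    // Returns the physical path of a script that may be served, or null
    // when the request must be refused.
    public static string ResolveLocalScript(HttpContext context, string path)
    {
        if (string.IsNullOrEmpty(path))
            return null;

        // Resolve requests relative to the scripts folder only. The trailing
        // separator stops "scripts2\evil.js" from passing as a prefix match.
        string root = Path.GetFullPath(context.Server.MapPath("~/scripts/"));
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string candidate;
        try
        {
            // 1. Extension check on the real file name: users.xml (and anything
            //    else in app_data) is rejected outright.
            if (!string.Equals(Path.GetExtension(path), ".js",
                               StringComparison.OrdinalIgnoreCase))
                return null;

            // 2. Canonicalise so "..\" segments and absolute paths are
            //    collapsed before the containment comparison below.
            candidate = Path.GetFullPath(
                Path.Combine(root, path.TrimStart('/', '\\')));
        }
        catch (ArgumentException)     { return null; } // illegal characters
        catch (NotSupportedException) { return null; } // stray ':'
        catch (PathTooLongException)  { return null; }

        // 3. Containment check: the canonical path must still be inside root.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;

        return File.Exists(candidate) ? candidate : null;
    }
}
```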

BlogEngine Core-Patched.zip (238.04 kb)

Please install the latest BlogEngine.Core.DLL from the Releases page at the BlogEngine.Net homepage.  If you haven't done this already then do it right now!

© 2008 Chris Blankenship

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License