Whoooo, damn... thank god for RSS. Yesterday Danny Douglass posted a serious security issue concerning BlogEngine.NET where people could access my website credentials by accessing the JavaScript HttpHandler via a browser and requesting my users.xml.

View my security hole here:

So I thought: why do I also have this issue? I did still have the .xml file there, but I thought that I actually didn't need it, because my website is running on a MySQL database, using the MySQL Provider that I found here. So I would have expected that my user credentials were stored inside this MySQL database. Of course the first thing was changing my passwords! After that I threw away my users.xml file in the app_data directory. But that resulted in my website not being reachable anymore.

So I applied the fix that can be found on Danny's site, but that resulted in the following error:

Exception for missing MySQL provider

I then added the following code to the RetrieveLocalScript.cs file, as described on Danny's blog, which was added by Mads Kristensen last Sunday:

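    // Requires: using System;
    private static string RetrieveLocalScript(string file)
    {
        // Only serve JavaScript files; any other extension (e.g. users.xml) is refused.
        if( !file.EndsWith( ".js", StringComparison.OrdinalIgnoreCase ) )
        {
            throw new System.Security.SecurityException( "No access" );
        }
        // ... rest of the method unchanged ...
    }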

I then compiled it, and BINGO! A new SecurityException was thrown!:


Security issue fixed
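A stricter variant of the check above, as an added example (not BlogEngine.NET's or Danny's code): besides the `.js` extension test, it resolves the requested path and refuses anything that ends up outside the site root or inside App_Data. The class name, `ResolveScriptPath`, `siteRoot` and the sample requests are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security;

static class ScriptPathGuard
{
    // Hypothetical helper: returns the full path of an allowed script, or throws.
    public static string ResolveScriptPath(string siteRoot, string file)
    {
        // Same extension rule as the patch: only .js files may be served.
        if (string.IsNullOrEmpty(file) ||
            !file.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("No access");

        // Canonicalise, so ".." segments are resolved before any comparison.
        string root = Path.GetFullPath(siteRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(
            Path.Combine(root, file.TrimStart('/', '\\')));

        // The result must stay under the site root and never point into App_Data.
        // Case-insensitive comparison assumes a Windows/IIS file system.
        string appData = Path.Combine(root, "App_Data") + Path.DirectorySeparatorChar;
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ||
            full.StartsWith(appData, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("No access");

        return full;
    }

    static void Main()
    {
        // Constructed sample input: a fake site root and four request values.
        string root = Path.Combine(Path.GetTempPath(), "site");
        string[] requests =
            { "js/blog.js", "App_Data/users.xml", "../outside/x.js", "App_Data/notes.js" };

        foreach (string r in requests)
        {
            try { Console.WriteLine("ALLOW " + ResolveScriptPath(root, r)); }
            catch (SecurityException) { Console.WriteLine("DENY  " + r); }
        }
    }
}
```

Only the first request is allowed; the other three are refused by the extension rule, the root containment check and the App_Data rule respectively.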

You can find more about the security issue here:

http://dannydouglass.com/post/2008/04/BlogEngine-and-the-JavaScript-HttpHandler-Serious-Security-Issue.aspx

And you can find the new patch, which includes the MySQL provider and the adjusted RetrieveLocalScript() method here:

BlogEngine.Core.zip (77,87 kb)

So make sure you apply Danny's patch or apply my patch when you're using MySQL as a datasource and don't have the BlogEngine.NET source code!

Hope this is useful, at least my credentials are safe again.

Regards,

Robbert 
