Security Hotfix for BlogEngine.Core 1.3 build 05

April 17, 2008 by Mike van Zandwijk | Feedback (17)

** Immediate action required for 1.3 build 05 users **

UPDATE: ModPack 1.3.0 Service Release 1 includes the hotfix, so ignore this patch if you downloaded ModPack after Apr-25 2008.

Patch your ModPack (v1.3 build 05) installation to fix this critical security hole in the BlogEngine.Core. It impacts the BE.NET Core 1.2.023 to 1.3.029. Unfortunately, this includes ModPack's initial build used for the January 2008 launch.

Download Patch for ModPack 1.3.0 build 05 (starts the 70kb .zip file download directly)

For detailed how-to instructions and why you're urged to apply this patch as soon as possible, please read on.

High Risk Password Exposure if You Don't Patch Your Blog

Ha.ckers.org wrote about a serious vulnerability in the JavaScript handler on April 12. It turns out that your username and password show up in plain text if a visitor points their browser to /js.axd? [full URL undisclosed for safety reasons]

Danny Douglass noted this bugfix in BlogEngine.NET 1.3 build 029, which prevents access to your sensitive information. An alert ModPack community member pointed me to this fix, because ModPack's first release uses BE.NET 1.3.0 build 05.

If you run an unpatched blog instance, you also run this password exposure risk.

So patch now or upgrade to ModPack 1.3.0 Service Release 1 to protect your credentials!

How to Fix the Security Hole in Less Than 3 Minutes

Follow these 3 easy, but urgent steps to patch your ModPack installation.

  1. Download Patch for ModPack 1.3.0 build 05 (70kb .zip file)
  2. Extract the patched .DLL file (e.g. to your local drive)
  3. Replace your BlogEngine.dll file in /bin/ with this patch
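The three steps above as a PowerShell script, added here as an example (it is not part of the ModPack patch or the BlogEngine.NET project). It assumes your own site path and download location, that the affected range 1.2.023 to 1.3.029 maps onto the DLL's assembly version with the build in the third component (so build 05 parses as 1.3.0.5), and PowerShell 5 or later for Expand-Archive.

```powershell
# Added example: check the installed BlogEngine.dll version, back it up,
# then replace it with the patched DLL from the downloaded .zip.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\modpack',            # assumed site root
    [string]$PatchZip = "$env:USERPROFILE\Downloads\patch.zip",  # assumed download name
    [switch]$Force                                               # skip the version gate
)

$dll       = Join-Path $SitePath 'bin\BlogEngine.dll'
$lowBound  = [version]'1.2.23'   # first affected build: 1.2.023 (assumed mapping)
$highBound = [version]'1.3.29'   # last affected build:  1.3.029 (assumed mapping)

if (-not (Test-Path $dll)) { throw "No BlogEngine.dll found at $dll" }

# Read the assembly version from disk without loading the DLL into this process.
$installed = [System.Reflection.AssemblyName]::GetAssemblyName($dll).Version
Write-Host "Installed BlogEngine.dll assembly version: $installed"

if (-not $Force -and ($installed -lt $lowBound -or $installed -gt $highBound)) {
    Write-Host "Version is outside the affected range; nothing replaced (use -Force to override)."
    return
}

# Step 2 and 3: keep a timestamped backup, extract the patch, drop in the new DLL.
$backup = "$dll.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $dll -Destination $backup
$tmp = Join-Path $env:TEMP ('bepatch_' + [guid]::NewGuid())
Expand-Archive -Path $PatchZip -DestinationPath $tmp
$patched = Get-ChildItem -Path $tmp -Recurse -Filter 'BlogEngine.dll' | Select-Object -First 1
if (-not $patched) { throw "Patch zip $PatchZip does not contain BlogEngine.dll" }

# Overwriting an assembly in /bin makes ASP.NET restart the application on its own.
Copy-Item -Path $patched.FullName -Destination $dll -Force
$after = [System.Reflection.AssemblyName]::GetAssemblyName($dll).Version
Write-Host "Replaced $dll (backup at $backup); new assembly version: $after"
```

If your DLL reports a version scheme that does not match the assumed mapping, compare the printed version with the build numbers in this post by hand and run the script with -Force.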

Changing your password is optional, but it is at least the second-best idea after voting for the encrypted-passwords option on the BlogEngine.NET forum.

Please ask any questions in this dedicated forum thread or simply comment below.
Share your feedback so we can help you and you'll help your community.

Wanna Stay Safe After Getting Secure?

Once you've secured your blog by applying the ModPack patch, I hope you can and want to stay safe. Your ModPack team offers a zillion ways to keep you posted and in touch.

Of course you can get free ModPack updates and other developments the old school way:

Receive ModPack posts by email (I hate spam too, so nothing like that at all)
Add ModPack Feed to your favorite RSS reader (usually 1 monthly post)

But if you're on Twitter, so is @ModPack ...

I'm very sorry for any trouble the security issue might have caused.

Yours Patchy,
@MikevZ

Posted in   Hotfixes and Patches

Comments

April 19. 2008 15:36

Ervin Ter

Thanks. I have patched it.

Ervin Ter

April 19. 2008 16:16

Mike van Zandwijk

Hi Ervin,

I'm sorry for any trouble the hole might have caused.
Thanks for your lightning fast update.

Happy (and secure) blogging again!

Mike van Zandwijk

December 14. 2008 17:05

Busby SEO Test

thanks for informing

Busby SEO Test

December 22. 2008 00:27

Busby SEO TEST

How did you manage to find the bug?

Busby SEO TEST

December 25. 2008 14:25

Busby SEO Test Pinay

Some are updated and some are reported with those bugs

Busby SEO Test Pinay

December 25. 2008 17:11

Busby SEO Test!!!

now BE becomes more powerful and has a few bugs

Busby SEO Test!!!

January 17. 2009 08:29

Busby SEO Test

thanks for the nice and great information
this blog was so really wonderful

Busby SEO Test

January 30. 2009 20:29

Bolsa de trabajo

Thanks for help.

Bolsa de trabajo

March 24. 2009 05:04

seo alaminos

this is such an interesting blog... nice job

seo alaminos

March 24. 2009 06:01

articlecycle

A hotfix was originally the term applied to software patches that were applied to live i.e. still running systems. Similar use of the terms can be seen in Hot Swappable Disk Drives. Lately the term has been more generally used as described below.

The more recent usage probably originated due to Software vendors wanting to either avoid the term Patch or give the impression that they were proactively servicing their product.

A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in a software product (i.e. a software bug). Typically, hotfixes are made to address a specific customer situation and may not be distributed outside the customer organization.

articlecycle

April 26. 2009 00:32

free insurance quotes

hmm... that's a good idea. thanks for informing.

free insurance quotes

May 15. 2009 15:15

Chris

Great job!! Go, go...

Chris

May 16. 2009 12:04

tukang nggame

Security hotfix nice.

tukang nggame

May 30. 2009 04:07

remote workforce

I just want you to know that you really made a nice review about BlogEngine.Net! Your post really contains an informational message that gave me a lot of knowledge about BlogEngine.

remote workforce

June 19. 2009 10:28

Ormoc City

Blog Engine is great!!! now I like it very much, yeah
I learned a lot, thanks for the sharing!!

Ormoc City

June 24. 2009 06:32

my tech addict

Thanks a lot for writing some examples for each strategy because I could not understand what each strategy is without the examples.
The topic is really interesting.

my tech addict

June 25. 2009 07:56

school of bloggers

Before this, I had never heard about any of these technologies,
and now everything is wired and working!

school of bloggers
