Security Hotfix for BlogEngine.Core 1.3 build 05

April 17, 2008 by Mike van Zandwijk | Feedback (2)

** Immediate action required for 1.3 build 05 users **

UPDATE: ModPack 1.3.0 Service Release 1 includes the hotfix, so you can skip this patch if you downloaded ModPack after April 25, 2008.

Patch your ModPack (v1.3 build 05) installation to close this critical security hole in BlogEngine.Core. It affects BE.NET Core 1.2.023 to 1.3.029, which unfortunately includes ModPack's initial build used for the January 2008 launch.

Download Patch for ModPack 1.3.0 build 05 (starts the 70kb .zip file download directly)

For detailed how-to instructions and why you're urged to apply this patch as soon as possible, please read on.

High Risk Password Exposure if You Don't Patch Your Blog

Ha.ckers.org wrote about a serious vulnerability in the JavaScript handler on April 12. It turns out your username and password show up in plain text if a visitor points their browser at /js.axd? [full URL undisclosed for safety reasons]

Danny Douglass noted this bug fix in BlogEngine.NET 1.3 build 029, which blocks access to your sensitive information. An alert ModPack community member pointed me to this fix, because ModPack's first release uses BE.NET 1.3.0 build 05.

If you run an unpatched blog instance, you also run this password exposure risk.

So patch now or upgrade to ModPack 1.3.0 Service Release 1 to protect your credentials!

How to Fix the Security Hole in Less Than 3 Minutes

Follow these 3 easy, but urgent steps to patch your ModPack installation.

  1. Download Patch for ModPack 1.3.0 build 05 (70kb .zip file)
  2. Extract the patched .DLL file (e.g. to your local drive)
  3. Replace the BlogEngine.dll file in your blog's /bin/ folder with the patched one
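The three steps above done from a PowerShell prompt, as an added example that is not part of the original post or of ModPack itself. It keeps a timestamped backup of the old assembly and records the file version and SHA256 hash before and after, so you can confirm the swap actually happened. $SiteRoot (the IIS physical path of the blog) and $PatchedDll (the .dll extracted from the hotfix .zip) are placeholders; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the ModPack post): swap in the patched BlogEngine.dll
# with a backup and a before/after check.
# Assumptions: $SiteRoot is the blog's IIS physical path, $PatchedDll is the
# DLL already extracted from the hotfix .zip (step 2).
param(
    [Parameter(Mandatory = $true)][string]$SiteRoot,
    [Parameter(Mandatory = $true)][string]$PatchedDll
)

$target = Join-Path $SiteRoot 'bin\BlogEngine.dll'
if (-not (Test-Path $target))     { throw "No BlogEngine.dll found at $target" }
if (-not (Test-Path $PatchedDll)) { throw "Patched DLL not found at $PatchedDll" }

# Record what is currently deployed before touching anything.
$before     = Get-Item $target
$beforeHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
Write-Host ("Current : FileVersion {0}  SHA256 {1}" -f $before.VersionInfo.FileVersion, $beforeHash)

# Timestamped backup so the change can be reverted in one copy.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$target.$stamp.bak"
Copy-Item -Path $target -Destination $backup
Write-Host "Backup  : $backup"

# Replace the assembly. Changing a file in bin\ makes ASP.NET restart the
# application, so the patched code is loaded on the next request.
Copy-Item -Path $PatchedDll -Destination $target -Force

$after     = Get-Item $target
$afterHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
Write-Host ("Patched : FileVersion {0}  SHA256 {1}" -f $after.VersionInfo.FileVersion, $afterHash)

# If the hash did not change, the wrong file (or the old one) was copied in.
if ($afterHash -eq $beforeHash) {
    Write-Warning 'bin\BlogEngine.dll is unchanged; check that you extracted the patched DLL from the .zip.'
}
```

Run it as `.\Patch-BlogEngine.ps1 -SiteRoot C:\inetpub\wwwroot\blog -PatchedDll C:\temp\BlogEngine.dll` (paths are placeholders). If the hash warning appears, the site is still running the vulnerable assembly.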

Changing your password is optional, though if your blog was reachable while unpatched it is a sensible precaution, and at least the second best idea after voting for the encrypted passwords option on the BlogEngine.NET forum.

Please ask any questions in this dedicated forum thread or simply comment below.
Share your feedback so we can help you and you'll help your community.

Wanna Stay Safe After Getting Secure?

Once you've secured your blog by applying the ModPack patch, I hope you'll want to stay safe too. Your ModPack team offers a zillion ways to keep you posted and in touch.

Of course you can get free ModPack updates and other developments the old school way:

Receive ModPack posts by email (I hate spam too, so nothing like that at all)
Add ModPack Feed to your favorite RSS reader (usually 1 monthly post)

But if you're on Twitter, so is @ModPack ...

I'm very sorry for any trouble the security issue might have caused.

Yours Patchy,
@MikevZ

Posted in   Hotfixes and Patches

Comments

April 19. 2008 15:36

Ervin Ter

Thanks. I have patched it.

Ervin Ter

April 19. 2008 16:16

Mike van Zandwijk

Hi Ervin,

I'm sorry for any trouble the hole might have caused.
Thanks for your lightning fast update.

Happy (and secure) blogging again!

Mike van Zandwijk
