Sploggers breaking in through security flaw

Topics: Controls
Feb 18, 2011 at 8:16 PM

I'm not a developer, but I'm responsible for managing a website with a blog powered by BlogEngine. Only registered members of the site may post comments. Sploggers are getting in and posting comments that look like registered members, but they're not. Our site management vendor says that sploggers are exploiting a flaw in the Blogimporter.asmx web service. Has anyone experienced this? Is there a fix? Or, is our site management vendor full of crap?

Thanks.

Feb 19, 2011 at 5:12 AM
Edited Oct 24, 2011 at 6:39 PM

Get their IPs and block them from the site. That will slow them down till you can find a solution to fix the problem.


http://madskristensen.net/post/Block-IP-addresses-from-your-website.aspx

Java Blog

Feb 20, 2011 at 8:33 AM

According to the security advisory from 07.Jan 2011 that I got:

  A security issue has been discovered in BlogEngine.NET, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
  The vulnerability is caused due to the "api/BlogImporter.asmx" script not properly validating uploaded files via the "GetFile" function. This can be exploited to execute arbitrary ASP code by uploading an ASP file.

The solution is to upgrade to BlogEngine.NET 2.0.

I do not find a GetFile function call in the BE 2.0 BlogImporter.cs code.

Coordinator
Feb 20, 2011 at 9:34 AM

In BE 2.0, in the App_Code folder is BlogImporter.cs.  Line 248 is the GetFile() function.  It can be seen online here.

If you think BlogImporter.asmx is causing a problem, you can delete BlogImporter.asmx from the API folder.  Then no one can access it.  It's only needed if you are importing blog data from a different blog system.

Looking at the GetFile() function in BE 1.6 vs BE 2.0, it looks like in 2.0, it is checking to make sure the username/password is valid.  In 1.6, it may not be doing this check ... however, I haven't tested it -- I'm just looking at the code.  GetFile() doesn't create comments or posts.  It downloads a file from the web and saves it to the file system.  This is not a good thing to be unsecured, but as you pointed out, in BE 2.0, it's locked down.
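As an added illustration (not BlogEngine.NET's own BlogImporter.cs; the class name, role name and import folder are assumptions), this is the shape a locked-down GetFile-style import method takes: it validates the caller's credentials before doing anything else, and it constrains what gets written and where:

```csharp
// Added example, not BlogEngine.NET's own code: a hardened "GetFile"-style importer
// web method. Class name, role name and import folder are assumptions.
using System;
using System.IO;
using System.Net;
using System.Web.Security;
using System.Web.Services;

public class ImporterService : WebService
{
    // Only the file types an import legitimately needs; no .asp/.aspx/.ashx etc.
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    [WebMethod]
    public bool GetFile(string username, string password, string sourceUrl, string targetName)
    {
        // 1. Authenticate and authorize before any other work: an anonymous caller
        //    must never reach the download (the missing check discussed above).
        if (!Membership.ValidateUser(username, password))
            throw new UnauthorizedAccessException("Invalid credentials.");
        if (!Roles.IsUserInRole(username, "Administrators"))
            throw new UnauthorizedAccessException("Import requires an administrator.");

        // 2. Accept a bare file name only, so "..\\" or absolute paths are rejected,
        //    and refuse any extension the server could execute.
        string fileName = Path.GetFileName(targetName ?? string.Empty);
        if (fileName.Length == 0 || fileName != targetName)
            throw new ArgumentException("Target must be a plain file name.");
        string ext = Path.GetExtension(fileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            throw new ArgumentException("File type not allowed: " + ext);

        // 3. Resolve the destination and confirm it stayed inside the import folder.
        string importDir = Path.GetFullPath(Server.MapPath("~/App_Data/files/imported"));
        string fullPath = Path.GetFullPath(Path.Combine(importDir, fileName));
        if (!string.Equals(Path.GetDirectoryName(fullPath), importDir, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Resolved path escapes the import folder.");

        // 4. Only fetch over http(s); file:// or UNC sources are refused.
        Uri uri;
        if (!Uri.TryCreate(sourceUrl, UriKind.Absolute, out uri)
            || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
            throw new ArgumentException("Source must be an absolute http(s) URL.");

        using (var client = new WebClient()) client.DownloadFile(uri, fullPath);
        return true;
    }
}
```

Deleting the unused .asmx from the API folder, as suggested above, removes the endpoint entirely; the checks here are what the method needs if it must stay reachable.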

Feb 20, 2011 at 10:43 AM

Ben,

Besides BlogImporter, Secunia's security advisories list a BE TagCloud Widget Cross Site Scripting (XSS) vulnerability (May 2010):

http://secunia.com/advisories/search/?search=blogengine

mentioned here in some discussions (e.g. "Cumulus TagCloud error", January 7).
I find no tagcloud.swf, cannot reproduce the XSS / javascript:alert attack example, and assume this has been fixed in the meantime / in BE release 2.0?

Coordinator
Feb 20, 2011 at 10:08 PM

I remember someone pointing out the Cumulus TagCloud vulnerability.  BE doesn't include/ship with the Cumulus TagCloud widget ... it's a widget someone created for BE.  The fix, I believe, is to HTML encode the data being sent from the widget to the TagCloud SWF.  This can be done in the BE widget.  We don't host the widget code, so cannot fix it.  If you use the Cumulus TagCloud widget, then you would want to edit the widget (either widget.ascx or widget.ascx.cs) to make sure it is doing the necessary HTML encoding.

Feb 22, 2011 at 3:44 PM
Edited Feb 22, 2011 at 3:45 PM

Thanks, KBDavis07. We started doing this a few days ago as a band-aid fix.

Feb 22, 2011 at 3:47 PM

Thanks also, mvincic & BenAmada. I'll pass this information along to our vendor. One final question. If we decide to upgrade to BlogEngine 2.0, will our customizations from 1.6 migrate over, or will we have to start from scratch?

Coordinator
Feb 23, 2011 at 8:24 AM

Any customizations you make outside the theme folder will unfortunately not carry over.  You'll need to reimplement the changes in BE 2.0.  Hopefully you made a list of changes you made!

If you made a lot of changes, and are unsure of what they are, you could use a file comparison tool like Beyond Compare to compare your modified BE 1.6 to the original BE 1.6 to see what you changed.  Beyond Compare is a great tool overall.

Mar 9, 2011 at 4:34 PM

You've all been very helpful. Now I have another one for you. We are having a problem with the blog crashing due to timeout issues. Our site management vendor says they're at their wit's end. Here's the code displayed after the crash. Has anyone had experience with this, and is there a fix?

Server Error in '/Blog' Application.
--------------------------------------------------------------------------------

A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

Stack Trace:


[SqlException (0x80131904): A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)]
   System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) +578
   System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) +84
   System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) +1649271
   System.Data.SqlClient.SqlConnection.Open() +258
   BlogEngine.Core.Providers.DbBlogProvider.LoadSettings() +593
   BlogEngine.Core.Providers.BlogService.LoadSettings() +78
   BlogEngine.Core.BlogSettings.Load() +156
   BlogEngine.Core.BlogSettings..ctor() +96
   BlogEngine.Core.BlogSettings.get_Instance() +115
   BlogEngine.Core.Web.HttpModules.ReferrerModule..cctor() +114

[TypeInitializationException: The type initializer for 'BlogEngine.Core.Web.HttpModules.ReferrerModule' threw an exception.]

[TargetInvocationException: Exception has been thrown by the target of an invocation.]
   System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck) +0
   System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean fillCache) +146
   System.RuntimeType.CreateInstanceImpl(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean fillCache) +298
   System.Activator.CreateInstance(Type type, Boolean nonPublic) +79
   System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes) +10364331
   System.Web.Configuration.Common.ModulesEntry.Create() +80
   System.Web.Configuration.HttpModulesSection.CreateModules() +230
   System.Web.HttpApplication.InitInternal(HttpContext context, HttpApplicationState state, MethodInfo[] handlers) +1162
   System.Web.HttpApplicationFactory.GetNormalApplicationInstance(HttpContext context) +312
   System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context) +133
   System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +196