High Risk: Security Vulnerability in BE Javascript handler

Apr 15, 2008 at 3:30 AM
Details are available in these posts!
http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/

FIX explained here
http://www.dscoduc.com/post/2008/04/BlogEngine-Vulnerability-Exposed.aspx

And I'm guessing this was the same reason for the hack on my blog a while back I reported
http://www.codeplex.com/blogengine/Thread/View.aspx?ThreadId=24131

Fix this issue ASAP


Before the fix

public void ProcessRequest(HttpContext context)
{
    // The path value comes straight from the query string and is used as-is
    // to decide whether a remote or a local script is fetched.
    string path = context.Request.QueryString["path"];
    string script = null;

    if (!string.IsNullOrEmpty(path))
    {
        if (context.Cache[path] == null)
        {
            if (path.StartsWith("http", StringComparison.OrdinalIgnoreCase))
            {
                script = RetrieveRemoteScript(path);
            }
            else
            {
                script = RetrieveLocalScript(path);
            }
        }
    }
    // Remainder of the handler not included in the post.
}

After the fix

public void ProcessRequest(HttpContext context)
{
    string path = context.Request.QueryString["path"];
    string script = null;

    if (!string.IsNullOrEmpty(path))
    {
        if (context.Cache[path] == null)
        {
            // Fix: only paths ending in ".js" are served; anything else is ignored.
            if (!path.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
                return;

            if (path.StartsWith("http", StringComparison.OrdinalIgnoreCase))
            {
                script = RetrieveRemoteScript(path);
            }
            else
            {
                script = RetrieveLocalScript(path);
            }
        }
    }
    // Remainder of the handler not included in the post.
}


Thanks Chris for early notification!
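As an added illustration (not BlogEngine.NET code and not part of the original thread), the following C# helpers show how the `path` value could be validated before it ever reaches RetrieveLocalScript or RetrieveRemoteScript: the same `.js` extension check as the released fix, plus confining local paths to one script directory and remote fetches to an explicit host allow-list. The class, method names, script directory and allowed host are assumptions for this example.

```csharp
using System;
using System.IO;
using System.Linq;

// Hypothetical policy class; names and values here are constructed for the example.
public static class ScriptPathPolicy
{
    // Hosts a remote script may be fetched from (constructed allow-list).
    static readonly string[] AllowedRemoteHosts = { "ajax.googleapis.com" };

    // A local script must end in .js and resolve to a file inside scriptRoot.
    public static bool IsAllowedLocalScript(string scriptRoot, string path, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(path)) return false;
        if (!path.EndsWith(".js", StringComparison.OrdinalIgnoreCase)) return false;

        // Canonicalise both sides and require the candidate to stay under the root.
        string root = Path.GetFullPath(scriptRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, path));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    // A remote script must be an absolute http(s) URL, end in .js and hit an allowed host.
    public static bool IsAllowedRemoteScript(string path, out Uri uri)
    {
        uri = null;
        if (!Uri.TryCreate(path, UriKind.Absolute, out Uri parsed)) return false;
        if (parsed.Scheme != Uri.UriSchemeHttp && parsed.Scheme != Uri.UriSchemeHttps) return false;
        if (!parsed.AbsolutePath.EndsWith(".js", StringComparison.OrdinalIgnoreCase)) return false;
        if (!AllowedRemoteHosts.Contains(parsed.Host, StringComparer.OrdinalIgnoreCase)) return false;

        uri = parsed;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: one accepted and one rejected case per helper.
        string root = Path.Combine(Path.GetTempPath(), "be-scripts");
        Console.WriteLine(IsAllowedLocalScript(root, "blog.js", out _));
        Console.WriteLine(IsAllowedLocalScript(root, "../private.js", out _));
        Console.WriteLine(IsAllowedRemoteScript("http://ajax.googleapis.com/lib.js", out _));
        Console.WriteLine(IsAllowedRemoteScript("http://intranet.example/lib.js", out _));
    }
}
```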
Apr 15, 2008 at 4:12 AM
This has been fixed and the released 1.3 build has been updated.

For the record it wasn't me who discovered this flaw. I did, however, provide an immediate patched version of the core dll file on my blog. Now you can simply download the latest version from the source page and replace the DLL in your ~/Bin folder.

Also, I believe the BlogEngine admins removed an earlier post about this that outlined the actual flaw in order to minimize the number of people who know exactly how to exploit it. Not sure I agree with removing the post but I understand the reasons. I suspect this post will most likely get removed as well.
Apr 15, 2008 at 1:08 PM
Best practice is to hash passwords with a salt. If somebody says they prefer not to do this, the response should be "I prefer you not use our software." There is no excuse not to do this. And this vulnerability is EXACTLY WHY you do it this way.

For those who would say nobody can see the data folder, guess what... It just happened. Don't be stupid, sparky. Hash and salt.