Asp.Net Vulnerability and DotNetBlogEngine?

Sep 20, 2010 at 10:05 PM

I didn't see a post about it here. ScottGu has written about the vulnerability here:

Does BlogEngine.Net need patching? I just patched mine just in case.

Sep 22, 2010 at 3:21 PM

My feeling is that you would have to do this. From looking at your blog post, it seems that DotNetBlogEngine will send you to the same URL regardless, which is part of the fix, but this doesn't resolve the other two factors:

  1. Server error code 404 would be returned if a 404 error happens
  2. The random time delay wouldn't be in place which stops hackers being able to discern the error without having a code to go by