Security Issue

Oct 20, 2014 at 7:22 PM
I have been using BlogEngine 2.8 on two of my websites as subsites under my main MVC sites (Ie. On both sites now, all of a sudden a new blog instance was created and hundreds of spammy pages were generated with lots of links to unrelated websites. Also, Google informed me that they would take action on spammy backlinks to my site from numerous nefarious websites that all of a sudden had backlinks to the spammy pages created on the blog instance.

I have no idea how someone is gaining access to blogs. My passwords are strong 15-character random text passwords. Is there a security flaw here?

Oct 20, 2014 at 8:46 PM
  1. Go to Admin -> Content -> Blogs and delete the spam blog(s).
  2. Delete the blog(s) from the directory where they were created (app_data/blogs).
  3. Edit /account/create-blog.aspx.cs so that the "Page_Load" method looks like this:

     protected void Page_Load(object sender, EventArgs e)
     {
         // True when blog creation on self-registration is switched off,
         // or when the current blog is not the primary blog.
         if (!BlogSettings.Instance.CreateBlogOnSelfRegistration || !Blog.CurrentInstance.IsPrimary)
         {
             // (the body of this check is not included in the post)
         }
     }

This should clean things up and prevent new blogs from being generated.
It was fixed, but some older blogs, like in your case, let users register and create a new blog even if this feature isn't turned on.
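
An added example, not part of the original thread and not BlogEngine code: a Python check over IIS W3C logs that lists requests to the create-blog page named in step 3, so you can see when and from which clients blog creation was submitted. The log lines are constructed samples, and the column set is an assumption that depends on your IIS logging configuration (the parser reads it from the `#Fields:` line).

```python
import collections

CREATE_BLOG_PATH = "/account/create-blog.aspx"  # page named in step 3 above

# Constructed sample in IIS W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2014-10-18 03:12:01 203.0.113.7 GET /blog/Account/create-blog.aspx - 200
2014-10-18 03:12:04 203.0.113.7 POST /blog/Account/create-blog.aspx - 302
2014-10-18 09:30:00 198.51.100.20 GET /blog/default.aspx - 200
2014-10-19 11:02:45 198.51.100.9 POST /blog/account/create-blog.aspx - 200
2014-10-19 11:02:46 198.51.100.9 POST
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def create_blog_hits(lines):
    """Requests whose path ends with the create-blog page.
    IIS paths are case-insensitive, and the blog may sit under a subsite prefix."""
    return [r for r in parse_w3c(lines)
            if r.get("cs-uri-stem", "").lower().endswith(CREATE_BLOG_PATH)]

def posts_by_client(hits):
    """Count form submissions (POST) per client IP; GETs are only page views."""
    return collections.Counter(
        h["c-ip"] for h in hits if h.get("cs-method") == "POST")

if __name__ == "__main__":
    hits = create_blog_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"],
              h["cs-uri-stem"], h["sc-status"])
    print(dict(posts_by_client(hits)))
```

To run it on real data, pass the lines of your own IIS log file to `create_blog_hits` instead of `SAMPLE_LOG`, and compare the timestamps with the creation times of the folders under app_data/blogs.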