Security update failed...

Topics: Controls
Feb 2 at 6:31 PM
I am getting the following error when copying the 3.2 patch to 3.1.1.7
A route named 'DefaultApi' is already in the route collection. Route names must be unique.
Parameter name: name

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.ArgumentException: A route named 'DefaultApi' is already in the route collection. Route names must be unique.
Parameter name: name

Line 6:      {
Line 7:          var app = (HttpApplication)sender;
Line 8:          BlogEngineConfig.Initialize(app.Context);
Line 9:      }
Line 10:         

Source File: c:\officeclip\BlogEngine.Net_3.1\Project\BlogEngine\BlogEngine.NET\Global.asax    Line: 8 
It could be some web.config settings, I guess. Has anybody had this issue before?
Coordinator
Feb 3 at 2:03 AM
The patch is for 3.2 only and not supposed to work with 3.1.

To fix 3.0 or 3.1 you need to add an authorization check in the users repository:

https://blogengine.codeplex.com/SourceControl/changeset/view/ffae32908083#BlogEngine/BlogEngine.Core/Data/UsersRepository.cs
This is in the Core library, so you'll have to use Visual Studio, make the change, and compile BlogEngine.Core.dll.

The change is in the SaveProfile method.

From:
public bool SaveProfile(BlogUser user)
{
  return UpdateUserProfile(user);
}
To:
public bool SaveProfile(BlogUser user)
{
  if (Self(user.UserName) && !Security.IsAuthorizedTo(Rights.EditOwnUser))
    throw new UnauthorizedAccessException();

  if (!Self(user.UserName) && !Security.IsAuthorizedTo(Rights.EditOtherUsers))
    throw new UnauthorizedAccessException();

  return UpdateUserProfile(user);
}

bool Self(string id)
{
  return id.Equals(Security.CurrentUser.Identity.Name, StringComparison.OrdinalIgnoreCase);
}
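As an added illustration of the fix above (example code, not BlogEngine's own), the following stand-alone C# program puts the unchecked and the checked SaveProfile side by side and runs a constructed scenario: a caller who holds only EditOwnUser can update his own profile but is refused when the request names another account. Caller, Granted, ProfileRepository and SaveProfileUnchecked are hypothetical stand-ins for the project's Security, Rights and UsersRepository types.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical stand-ins for BlogEngine's Security/Rights types so that this
// example compiles on its own; they are not the project's real classes.
enum Rights { EditOwnUser, EditOtherUsers }

class Caller
{
    public string Name;
    public HashSet<Rights> Granted = new HashSet<Rights>();
    public bool IsAuthorizedTo(Rights r) => Granted.Contains(r);
}

class ProfileRepository
{
    readonly Dictionary<string, string> displayNames = new Dictionary<string, string>();
    readonly Caller current;   // the authenticated user making the request
    public ProfileRepository(Caller c) { current = c; }
    // Before the patch: the repository trusted whatever user name the request carried.
    public bool SaveProfileUnchecked(string userName, string displayName)
    {
        displayNames[userName] = displayName;
        return true;
    }

    // After the patch: which right is required depends on whose profile is edited.
    public bool SaveProfile(string userName, string displayName)
    {
        bool self = userName.Equals(current.Name, StringComparison.OrdinalIgnoreCase);
        if (self && !current.IsAuthorizedTo(Rights.EditOwnUser))
            throw new UnauthorizedAccessException();
        if (!self && !current.IsAuthorizedTo(Rights.EditOtherUsers))
            throw new UnauthorizedAccessException();
        displayNames[userName] = displayName;
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed scenario: "bob" may edit his own profile but nobody else's.
        var bob = new Caller { Name = "bob" };
        bob.Granted.Add(Rights.EditOwnUser);
        var repo = new ProfileRepository(bob);
        repo.SaveProfile("Bob", "Bob B.");               // own profile (case-insensitive): allowed
        repo.SaveProfileUnchecked("admin", "renamed");   // pre-patch: another user's profile is overwritten
        try { repo.SaveProfile("admin", "renamed"); }    // post-patch: rejected
        catch (UnauthorizedAccessException) { Console.WriteLine("edit of admin rejected"); }
    }
}
```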
Feb 4 at 3:09 PM
Yep,

I got hit with this virus; it looks like they used SQL injection to get into the system. Removed users and had to clean up the user profile.

Thanks for the reply
Dutta