BlogEngine.NET Security Update

Update 04/14/2008:  I've removed the fix below now that the BlogEngine.NET team has made an official announcement.  Upon further review, 1.2.0.0 users were not affected by this security flaw and there isn't much reason for this patch to exist.  If you have already used this patch, please update your software to version 1.3.1.0 as soon as you get a chance.  (The update will add the js.axd line back into your web.config.)  You should then remove the JSInsert extension from your installation.

I was made aware of a security issue in BlogEngine.NET just over an hour ago.  I wanted to make an immediate fix available for anyone who wanted it.  The team will work up an official hot fix for this soon, but this can hold you over until then.

If you are a BlogEngine.NET user running 1.2 or 1.3, I'd strongly suggest you follow the instructions below.

First, if you are running 1.3.0.0, a few people have already made the fix to the core.dll and made it available for download.  If you aren't comfortable with that, or you are on 1.2 or a build in between the releases and don't want to take the time to update immediately, read on.  Head on over to the BlogEngine.NET project site to get the patch.

First, you remove the js.axd handler from the web.config.  To do this, open your web.config file, scroll to the bottom and find the httpHandlers section.  There is a line with the js.axd handler listed.  You can just remove it.

I'm including a copy of the web.config file that was released as part of 1.3 with this line removed below.  If you've never edited this file and are using 1.3, you may just put this new file in place.

Second, since we are removing functionality, we need to add it back in another way.  I made a quick extension that will do just that.  Simply copy the extension file, JSInsert.cs, into your App_Code\Extensions folder.

Following these 2 simple steps should secure your blog from this new vulnerability.
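The web.config edit from the first step, as an added check script (not part of the original post or of the BlogEngine.NET project): it reports whether a js.axd handler is still registered under system.web/httpHandlers and produces a copy of the config with that entry removed, which is a quick way to confirm the patch took. The sample web.config and the handler type names in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a BlogEngine.NET 1.3 web.config.
# The type attributes are placeholders, not the project's real handler types.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="file.axd" type="PLACEHOLDER.FileHandler" validate="false"/>
      <add verb="*" path="js.axd" type="PLACEHOLDER.JavaScriptHandler" validate="false"/>
      <add verb="*" path="image.axd" type="PLACEHOLDER.ImageHandler" validate="false"/>
    </httpHandlers>
  </system.web>
</configuration>
"""


def _http_handlers(root):
    """Locate <httpHandlers> under <system.web>; None if the section is absent."""
    system_web = root.find("system.web")
    return None if system_web is None else system_web.find("httpHandlers")


def registered_handler_paths(config_xml: str) -> list:
    """Return the path attribute of every <add> entry in system.web/httpHandlers."""
    handlers = _http_handlers(ET.fromstring(config_xml))
    if handlers is None:
        return []
    return [add.get("path", "") for add in handlers.findall("add")]


def has_js_axd_handler(config_xml: str) -> bool:
    """True while a js.axd handler is still registered (path match is case-insensitive)."""
    return any(p.lower() == "js.axd" for p in registered_handler_paths(config_xml))


def remove_js_axd_handler(config_xml: str) -> str:
    """Return the config with every js.axd <add> removed; all other handlers are kept."""
    root = ET.fromstring(config_xml)
    handlers = _http_handlers(root)
    if handlers is not None:
        for add in list(handlers.findall("add")):
            if add.get("path", "").lower() == "js.axd":
                handlers.remove(add)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("js.axd registered:", has_js_axd_handler(SAMPLE_WEB_CONFIG))
    patched = remove_js_axd_handler(SAMPLE_WEB_CONFIG)
    print("handlers after patch:", registered_handler_paths(patched))
```

Point it at your real web.config by reading the file into a string in place of SAMPLE_WEB_CONFIG; after applying the post's fix, has_js_axd_handler should report False.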

Download the updated web.config

Download the JSInsert Extension