Original Bug report: https://blogengine.codeplex.com/workitem/12551

There is a security issue with BlogEngine.NET which allows anyone to access files that are usually blocked off.

Examples:
http://www.rtur.net/blog/image.axd?picture=/../../web.config
http://www.rtur.net/blog/image.axd?picture=/../users.xml

Once you download the file, open it up in your favorite text editor ;-)

Sorry, "rtur", for using you as an example, but luckily you are using the XML config, while others like me are using a DB connection, in which case the above link could expose the connection string.

Quick fix for non-developers / site owners:
Comment out the following lines in Web.config (they are listed twice). This will stop images from loading in your blogs until the devs fix the issue:

 <add name="FileHandler" verb="*" path="file.axd" type="BlogEngine.Core.Web.HttpHandlers.FileHandler, BlogEngine.Core" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />

 <add name="ImageHandler" verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
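
For developers, the kind of check that rejects the `picture` values shown in the examples above is sketched below. This is an added example, not BlogEngine.NET's code or its actual fix; the class name, the `Resolve` helper and the storage folder are hypothetical, and a Windows/IIS host (case-insensitive paths) is assumed.

```csharp
using System;
using System.IO;

static class PicturePathCheck
{
    // Hypothetical helper: returns the canonical path for a requested file,
    // or null when the name resolves outside rootDir (an assumed storage folder).
    public static string Resolve(string rootDir, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;

        // Canonical root with exactly one trailing separator, so that
        // "...\files" does not also match a sibling such as "...\files_old".
        string root = Path.GetFullPath(rootDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // A leading "/" or "\" makes Path.Combine discard the root, so strip it.
        string relative = requested.TrimStart('/', '\\');

        string full;
        try
        {
            // GetFullPath collapses "." and ".." segments before the comparison.
            full = Path.GetFullPath(Path.Combine(root, relative));
        }
        catch (Exception e) when (e is ArgumentException ||
                                  e is NotSupportedException ||
                                  e is PathTooLongException)
        {
            return null; // malformed name
        }

        // Compare the canonical result, never the raw query-string value.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    static void Main()
    {
        // Constructed root and sample inputs; the two traversal strings are
        // the query values from the report.
        string root = Path.Combine(Path.GetTempPath(), "be-files");
        string[] samples = { "/2014/photo.jpg", "/../../web.config",
                             "/../users.xml", "/../be-files_old/x.jpg" };
        foreach (string p in samples)
            Console.WriteLine("{0,-26} -> {1}", p, Resolve(root, p) ?? "REJECTED");
    }
}
```

The comparison is made on the canonicalized path with a trailing separator on the root; filtering the raw string for `..` alone misses encoded or mixed-separator variants.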