LookugA

Security, Development and other ramblings...


BlogEngine.NET Security: Directory Traversal Attack

Original Bug report: https://blogengine.codeplex.com/workitem/12551

There is a directory traversal issue in BlogEngine.NET: the image.axd and file.axd handlers take a path from the query string and serve the file it points to, so anyone can use "../" to read files that the web server would normally refuse to serve directly.

Examples:
http://www.rtur.net/blog/image.axd?picture=/../../web.config
http://www.rtur.net/blog/image.axd?picture=/../users.xml

Once you download the file, open it up in your favorite text editor ;-)

Sorry "rtur" for using you as an example, but luckily you are using the XML config, while others like me are using a DB connection, which, with the above link, could expose the connection string.

Quick Fix for non-developers / site owners:
Comment out the following handler registrations in Web.config. Each is listed twice (once for classic and once for integrated pipeline mode), so comment out both copies. Note that this disables everything served through these handlers, i.e. both blog images (image.axd) and file attachments (file.axd), until the developers fix the issue:

 <add name="FileHandler" verb="*" path="file.axd" type="BlogEngine.Core.Web.HttpHandlers.FileHandler, BlogEngine.Core" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />

 <add name="ImageHandler" verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
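The quick fix above simply switches the handlers off. The proper fix is to canonicalise the requested path and refuse anything that does not resolve strictly inside the files directory. The following is an added example, not BlogEngine.NET's own code: it models the handler's lookup in Python with a constructed directory layout (pictures under App_Data/files, web.config at the application root, users.xml in App_Data) and constructed payloads, and puts the naive join that reproduces the report's behaviour next to a hardened resolver.

```python
"""Directory-traversal check for a picture-serving handler (added example)."""
import posixpath
from urllib.parse import unquote

# Constructed layout modelled on BlogEngine.NET: pictures under App_Data/files,
# web.config at the application root, users.xml in App_Data. Not the project's code.
ROOT = "/srv/blog/App_Data/files"

# Constructed payloads: the two from the bug report plus backslash and
# percent-encoded variants an attacker would also try against IIS.
ATTACK_PAYLOADS = [
    "/../../web.config",
    "/../users.xml",
    "..\\..\\web.config",
    "%2e%2e/%2e%2e/web.config",
    "2014/../../../web.config",
]
BENIGN_PAYLOADS = ["pic.png", "/2014/pic.png", "./2014/../2014/pic.png"]


class TraversalError(ValueError):
    """Requested path would leave the files directory."""


def vulnerable_resolve(root: str, picture: str) -> str:
    """Naive join that trusts the query value (decoded once, as the framework does).
    normpath collapses '..' exactly as the OS would, so /../../web.config lands
    at the application root instead of in the files directory."""
    value = unquote(picture).replace("\\", "/")
    return posixpath.normpath(root + "/" + value)


def safe_resolve(root: str, picture: str) -> str:
    """Canonicalise, then require the result to sit strictly below root."""
    base = posixpath.normpath(root)
    value = unquote(picture)
    if "\x00" in value:
        raise TraversalError("NUL byte in path")
    # IIS accepts both separators, so unify them before normalising.
    value = value.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, value))
    # Prefix check with a trailing separator: rejects root itself, '..' escapes,
    # and sibling directories such as .../files2 that share root as a string prefix.
    if not candidate.startswith(base + "/"):
        raise TraversalError(f"{picture!r} resolves to {candidate}, outside {base}")
    return candidate


def is_blocked(root: str, picture: str) -> bool:
    """True if the hardened resolver refuses the request."""
    try:
        safe_resolve(root, picture)
    except TraversalError:
        return True
    return False


def escapes_root(root: str, resolved: str) -> bool:
    """True if a resolved path lies outside the files directory."""
    return not resolved.startswith(posixpath.normpath(root) + "/")


def audit(root: str = ROOT, payloads=ATTACK_PAYLOADS) -> dict:
    """For each payload: (naive join escapes root?, hardened resolver blocks it?)."""
    return {
        p: (escapes_root(root, vulnerable_resolve(root, p)), is_blocked(root, p))
        for p in payloads
    }


if __name__ == "__main__":
    for payload, (escaped, blocked) in audit().items():
        print(f"{payload!r:30} naive -> {vulnerable_resolve(ROOT, payload)}"
              f"  escapes={escaped} blocked={blocked}")
    for benign in BENIGN_PAYLOADS:
        print(f"{benign!r:30} ok    -> {safe_resolve(ROOT, benign)}")
```

The containment check is done on the canonicalised result rather than by searching the input for "..", because encoded, backslash and mixed forms all collapse to the same escape once normalised, and a prefix match with the trailing separator is what stops a sibling directory from passing as "inside" the root.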

Why CloudFlare is Awesome!

A quick search on your preferred search engine will reveal a number of reviews about CloudFlare.

As with any other company, you are bound to find mixed feelings towards CloudFlare, some negative and some positive. For me it has been all positive, as I have never run into any problems whatsoever while using their awesome service.

CloudFlare currently offers four plans, which you may choose between depending on your requirements. From my own experience of using the Free Plan, I have never needed to upgrade, as CloudFlare is very generous with its offerings for all the sites I manage.

CloudFlare currently allows the Free Plan accounts to utilize the following awesomeness:

  • CDN
    • A Content Delivery Network (CDN) caches static content on a large number of servers distributed around the world and speeds up your site by serving each visitor from the server closest to them.
  • Always-On™
    • When your origin goes down (responds with a 502 or 504), visitors are still served a cached version of your pages.
  • Universal SSL
    • Free SSL certificate for your site, which encrypts the connection between CloudFlare's servers and your visitors and so protects that leg from Man-in-the-Middle attacks. Note that the leg between CloudFlare and your own server is only encrypted if you pick a Full/Strict SSL mode and have a certificate on the origin; the Flexible mode leaves it in plain HTTP.
  • DNS Management
    • Easy-to-use DNS control panel, which you use right from the moment you set up your account.
  • DOS, Traffic Surge and Web Security Protection
    • Automatically detects and blocks online threats such as automated comment spam, SQL injection attempts, denial of service attacks and numerous others.
  • Bandwidth Saving
    • With both the CDN and the caching functionality, your hosting bandwidth will be lower, which means you save some cash in the long run.
  • Easy Configurability
    • The entire system is really easy to use; even a non-technical user could switch their existing setup over to CloudFlare in under 5 minutes.

So go ahead and give CloudFlare a go for Free. https://www.cloudflare.com/plans

First Post - Welcome!

Welcome to the LookugA blog!

LookugA (pronounced: Loo-Ku-Ga) is a side alias I have been using for a while. I have used this alias to work on a number of security and development projects.

This blog will be used to publish my articles on open source related items, hardware and software development and of course security.

I am going to publish a new article at least once every two weeks; it could be a written/video tutorial, a new security discovery or just a general topic I am interested in at that point in time.

Subscribe to any of the LookugA social media channels to stay updated.