As some of you may have noticed, my blog was hacked on 27 April, and all posts were removed.
After spending a few hours recovering the lost content, I focused on trying to understand the attack vector.
It didn't take long until I found how to hack my own blog.
It was a BlogEngine.NET v1.3.0.x security problem in the js.axd handler (the handler's purpose is to serve *.js files) that allows anyone to fetch any file from your domain, even critical ones like web.config or App_Data\users.xml.
You can read more on code details in this Danny Douglass post.
I thought a lot before writing the following lines, but decided that people should know how easy it is to hack their sites (hackers already know it :-)).
The practical steps for hacking a BlogEngine.NET v1.3.0.x blog are the following:
- Identify a blog running an affected version (any 1.3.0.x) – this is easily done with a Google search.
- Use js.axd to fetch the BE.NET users.xml file (this file contains the list of users and their passwords in plain text ?!!! …. it's not a mistake … plain text) – the syntax is http://hackedblog/js.axd?path=App_Data/users.xml
- Log in to the hacked blog with the stolen credentials and then … the hacker usually deletes all posts and publishes one of his own :-(.
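To make the flaw concrete, here is a small model of the handler in Python. This is an added example, not BlogEngine.NET's code: the site layout, the file contents and the folder name `js` are all constructed for the demo. `serve_js_vulnerable` behaves the way the post describes (the client-supplied `path` is joined to the site root and read back, so `path=App_Data/users.xml` returns the credentials file), and `serve_js_hardened` shows the checks a practitioner would add: a `.js`-only extension allow-list, NUL-byte rejection, and canonicalisation of the resolved path so it cannot escape the script folder via `..` or an absolute path.

```python
import os
import tempfile

# Constructed sample site layout standing in for a blog root (not
# BlogEngine.NET's real files): one script the handler is meant to serve
# and two sensitive files that the post says the flaw exposes.
SAMPLE_FILES = {
    "js/blog.js": "function hello() { return 'hi'; }\n",
    "App_Data/users.xml": "<Users><User>admin:plaintext-password</User></Users>\n",
    "web.config": "<configuration><appSettings/></configuration>\n",
}


def build_site(root):
    """Write SAMPLE_FILES under root so both handlers have something to read."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def serve_js_vulnerable(root, path):
    """Models the behaviour the post describes: the client-supplied path is
    joined to the site root and whatever is there is returned. Nothing
    checks the extension or the directory, so App_Data/users.xml is served
    exactly like a script."""
    with open(os.path.join(root, path), "r", encoding="utf-8") as fh:
        return fh.read()


SCRIPT_DIR = "js"  # assumption for the demo: scripts live in one subfolder


def is_path_allowed(root, path):
    """True only if path names a .js file that, after canonicalisation, still
    sits inside root/SCRIPT_DIR. Rejects '..' escapes, absolute paths, NUL
    bytes (which truncate names in some runtimes) and non-script extensions."""
    if "\x00" in path or not path.lower().endswith(".js"):
        return False
    base = os.path.realpath(os.path.join(root, SCRIPT_DIR))
    target = os.path.realpath(os.path.join(base, path))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: cannot be inside base
        return False


def serve_js_hardened(root, path):
    """Same handler with the allow-list check applied before any file I/O."""
    if not is_path_allowed(root, path):
        raise PermissionError("refusing to serve %r" % path)
    with open(os.path.join(root, SCRIPT_DIR, path), "r", encoding="utf-8") as fh:
        return fh.read()


def run_demo():
    """Build a throwaway site and exercise both handlers with the request
    from the post (path=App_Data/users.xml), web.config, a legitimate
    script, and a few evasion attempts against the hardened version."""
    root = tempfile.mkdtemp(prefix="be_demo_")
    build_site(root)
    results = {
        "vulnerable App_Data/users.xml": serve_js_vulnerable(root, "App_Data/users.xml"),
        "vulnerable web.config": serve_js_vulnerable(root, "web.config"),
        "hardened blog.js": serve_js_hardened(root, "blog.js"),
    }
    evasions = ("../App_Data/users.xml", "../web.config",
                "/etc/passwd", "../App_Data/users.xml\x00.js")
    for bad in evasions:
        try:
            serve_js_hardened(root, bad)
            results["hardened " + bad] = "SERVED (bug)"
        except PermissionError:
            results["hardened " + bad] = "refused"
    return results


if __name__ == "__main__":
    for request, outcome in run_demo().items():
        print(request, "->", outcome.strip())
```

The important design point is the order of checks: the extension test alone is not enough (a later handler change could relax it), and the canonical-path test alone would still serve `web.config` if it lived under the script folder, so both run before `open()` is ever called.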
That's it … Now that you know how to do it, I hope you don't use this knowledge to cause harm and instead alert all your friends about this security hole.
A security patch has been available since 14 April and it works fine.
By this time I had already recovered my posts and secured my blog, but I was still worried about it.
My thoughts were: "why didn't I spend some time reviewing the BE code?" If I had done that, I could have found this security hole (it was really easy to find) or another one that could still be in there.
I have learned a few lessons from this episode:
- keep backups updated
- keep backups safe
- and most of all, I really learned that free software is great, open source is even better, but I definitely must not trust the source blindly.
If we all keep these worries in mind and review the code, we will feel safer and we will all be contributing to improving the solution.
I would like to see the details of this hack; considering I am an avid .NET programmer, I'd like to make some checks against some software I have written.
Could you post it here or email it to me?
Thanks
That's how free software works: you get exactly what you paid for. 😀
Thanks for your valuable information
I loved your BlogEngine skin. I really loved it; I wish I could have a similar but wide-screen one. Can you guide me to the source?!
So this is possible; well, as I use BlogEngine I'm going to be aware.
Thanks a lot for the good info, I hope I can cope with this matter.
The content on this site is unique. Good work done on the tutorials, and it must be carried on.
Lovely code. One more to my collection.
Great share and nice website, thanks
Nice post, it's a new addition to my I.Q., but I always keep a backup of my blog & keep it safe lol. By the way, it also opened my mind about free software. This post served me well; I hope people are going to use this knowledge for educational purposes.
Just wanted to tell you that your site is not showing up properly on Opera. Anyway, I have subscribed to your RSS feed. 🙂
Hi! I've been reading your site for some time now and finally got the courage to go ahead and give you a shout out from Austin, TX!
Just wanted to tell you keep up the excellent job!
Very good write-up. I definitely appreciate this site.
Thanks!
Your style is very unique compared to other people I've read stuff from. Thank you for posting when you have the opportunity; guess I'll just bookmark this site.