SECURITY: BlogEngine.NET Security update


In case you are running your site on BlogEngine.NET and missed it, a security patch was released in mid-April. Al Nyveldt notes it here, and the official announcement from the team is here. In order to be safe you need to be running (or later). It is important that you upgrade ASAP. As per the request from the team I won't go into details of what the issue is; however, it is easy to find if you are curious (source code available here).

Problems with the patch

I couldn't get the patch update file to download from here, so I ended up downloading the entire release. If you are running a standard site you will only need to update two files (the core DLL and XML files) in your \bin directory, and you can take these straight from the download (i.e. no recompiling required). But, if you've made customisations to core functionality you may need to do some merging and building.

Summary for fixing a standard site

  • (Backup your site)
  • Download and unzip the latest release (just the 'website' download package is enough)
  • Get the BlogEngine.Core.DLL and BlogEngine.Core.XML files and copy them into the \bin directory of your site
  • Test
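The four steps above, as a PowerShell script for the standard (uncustomised) site case. This is an added example, not code from the original post or from the BlogEngine.NET project. It assumes the site root path, the folder where the 'website' package was unzipped, and the minimum patched core version (which the team's announcement gives and this page does not state) are passed in as parameters; the theme check at the end assumes themes print the version via a Version() call in site.master.

```powershell
# Added example, not from the original post or the BlogEngine.NET project.
# Assumed inputs: $SitePath is the IIS site root, $ReleasePath is where the
# 'website' download package was unzipped, $MinimumVersion is the patched
# core version from the team's announcement (not stated on this page).
param(
    [Parameter(Mandatory = $true)] [string]  $SitePath,
    [Parameter(Mandatory = $true)] [string]  $ReleasePath,
    [Parameter(Mandatory = $true)] [version] $MinimumVersion,
    # Keep backups outside any IIS-served directory: they contain the old,
    # vulnerable DLL and the site's web.config.
    [string] $BackupRoot = (Join-Path $env:TEMP 'blogengine-backups')
)

$ErrorActionPreference = 'Stop'
$coreFiles = @('BlogEngine.Core.dll', 'BlogEngine.Core.xml')
$binPath   = Join-Path $SitePath 'bin'

function Get-CoreVersion([string] $dllPath) {
    # Read the assembly version from the file without loading it into
    # this process.
    return [System.Reflection.AssemblyName]::GetAssemblyName($dllPath).Version
}

# 1. Backup: copy the whole site into a timestamped folder under $BackupRoot.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot "$(Split-Path $SitePath -Leaf)-$stamp"
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path (Join-Path $SitePath '*') -Destination $backup -Recurse
Write-Host "Backed up site to $backup"

$before = Get-CoreVersion (Join-Path $binPath 'BlogEngine.Core.dll')
Write-Host "Current BlogEngine.Core version: $before"

# 2. Take the two core files straight from the unzipped release; search
#    recursively in case the package layout differs from what is assumed.
foreach ($name in $coreFiles) {
    $src = Get-ChildItem -Path $ReleasePath -Recurse -Filter $name | Select-Object -First 1
    if (-not $src) { throw "$name not found under $ReleasePath" }
    Copy-Item -Path $src.FullName -Destination (Join-Path $binPath $name) -Force
    Write-Host "Updated $name from $($src.FullName)"
}

# 3. Verify the installed core assembly is at or above the patched version,
#    so a stale download does not leave the site looking patched when it is not.
$after = Get-CoreVersion (Join-Path $binPath 'BlogEngine.Core.dll')
if ($after -lt $MinimumVersion) {
    throw "bin\BlogEngine.Core.dll is $after, still below $MinimumVersion; restore from $backup and re-check the download."
}
Write-Host "bin\BlogEngine.Core.dll is now $after (>= $MinimumVersion)"

# 4. Report any theme that still prints the version number in its footer.
#    Assumption: themes expose it through a Version() call in site.master.
Get-ChildItem -Path (Join-Path $SitePath 'themes') -Recurse -Filter 'site.master' |
    Select-String -Pattern 'Version\(' |
    ForEach-Object { Write-Warning "$($_.Path):$($_.LineNumber) still displays the version number" }
```

Run it from an elevated prompt on the web server, then do the "Test" step by hand: browse the site and post a test comment. Replacing files in \bin makes ASP.NET recycle the application domain, so the first request after the copy will be slow; that is expected, not a sign the update failed.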


I would have posted this earlier, but needed time to upgrade my own site and test it (having made some customisations to the code base). If you find yourself in the same boat, then I at least recommend removing the version number from your site footer (if you display it), otherwise you will end up in search queries that can be used to find at-risk sites. (You can fix this by editing the site.master file in your selected theme's folder).

Technorati Tags: BlogEngine.NET,Security
