I’ve been Hacked – BlogEngine.NET v1.3 Security Hole
As some of you may have noticed, my blog was hacked last 27 April, and all posts have been removed.
After spending a few hours recovering the lost content I focus myself trying to understand the attack vector.
It didn’t take too long until I found how to hack my own blog.
It was a BlogEngine.NET v1.3.0.x security problem related to the js.axd handler(This handler purpose is to serve *.js files) that allows everyone to get any file from your domain, even the critical ones like web.config or App_Datausers.xml. [more]
You can read more on code details in this Danny Douglass post.
I’ve think a lot before wrote the following lines, but decided that people should know how easily is to hack their sites (hackers already know it :-)).
The practical work of hacking a BlogEngine.Net v1.3.0.x blog is the following:
- Identify a blog running the correct version (anyone like 1.3.0.x) – this is easily done using this Google search.
- Use the js.axd to get the specific BE.Net users.xml file (this file contains the list of users and theirs passwords in plain text ?!!! …. it’s not a mistake … plain text) – the syntax is http://hackedblog/js.axd?path=App_Data/users.xml
- Login to the hacked blog with the stolen credentials and then … the hacker usually delete all posts and post one of it’s own :-(.
That’s it … Now that you know how to do it, I hope you don’t use this knowledge to cause malware and instead alert all your friend about this security hole.
A security patch is available since 14 April and it works fine.
By this time I already recovered my posts and secured my blog but still worried about it.
My thoughts were about “why I didn’t spent some time to review the BE code?”. If I had done that I could have found this security hole(it was really easy to find) or another one that could still be over there.
I have learned a few lesson with this episode:
- keep backups updated
- keep backups safe
- and most of all I really learn that free software is great, open source is even better but I definitely must not thrust blindly the source.
If we all keep these worries in mind and review the code we will feel safer and we will all be contributing to solution improvement.