ID: 1118
Uploaded: by MikevZ, Apr 17, 2008, 10:42 AM
Status: Applied
Description:
Rolled up fix for security hole in js.axd and /blog/ also working (see work item 1828)

Applied Apr 17, 2008: Tested on 3 ModPack installations and verified the js.axd only allows .JS files and denies any other. /blog/ virtual rewrite folder works now.

Work Items: 1828


ID: 1112
Uploaded: by MikevZ, Apr 16, 2008, 8:21 AM
Status: Applied
Description:
Hotfix for the nasty Security Hole reported this week.

Applied the "allow .js only" code as described by Danny Douglass at:
http://dannydouglass.com/post/2008/04/BlogEngine-and-the-JavaScript-HttpHandler-Serious-Security-Issue.aspx

    if( !file.EndsWith( ".js", StringComparison.OrdinalIgnoreCase ) )
    {
        throw new System.Security.SecurityException( "No access" );
    }

Applied Apr 16, 2008: Replace this .DLL with your current version in the /Bin/ folder to prevent js.axd showing files other than .js

Work Items: 1805