Closed

Security hole in js.axd

description

This site, http://dannydouglass.com/post/2008/04/BlogEngine-and-the-JavaScript-HttpHandler-Serious-Security-Issue.aspx, has an updated 1.3 core DLL that fixes a security issue that was found.

Obviously, since there were some minor code changes with this ModPack, which I am using, that DLL, if I used it, would lose the changes from the ModPack DLL.

Can the changes be incorporated into this project?
Closed Apr 25, 2008 at 1:37 PM by MikevZ
Fixed in 1.3.0 Service Release 1

comments

MikevZ wrote Apr 16, 2008 at 8:27 AM

Hotfix applied today - please download patch and replace current .DLL with patched version

DizPodDir wrote Apr 16, 2008 at 5:12 PM

I downloaded the updated DLL and when I replace it on my site the users.xml is not sent, BUT www.mikescott.net/blog/ stops working and I get an error. If I switch back to the old DLL, it starts working again.

MikevZ wrote Apr 16, 2008 at 6:47 PM

Hi Mike, got it and figured the reason (I used a 1.3.0.5 base for 1and1 Hosting to apply the security hotfix).

Gonna post an updated version (created a separate issue for this)

Sorry for the inconvenience, Mike!

MikevZ wrote Apr 17, 2008 at 5:20 PM

DizPodDir, the new patch should work for /blog/ too now. Could you please confirm before I close this issue? Thanks!

MikevZ wrote Apr 25, 2008 at 1:36 PM

Updated patch fixes the JS.AXD security hole and works in the virtual rewritten /blog/ subfolder too

** Closed by MikevZ 4/17/2008 3:33 PM

MikevZ wrote Apr 25, 2008 at 1:36 PM

to update title
