Security expert Dominick Baier made me aware of a security vulnerability in dasBlog at the beginning of last week. Dominick will post a concrete advisory later this week for reasons of completeness, but we want to give everyone a chance to patch their systems, because exploits are embarrassingly simple to write.
The problem affects all versions of dasBlog and allows a specially crafted cross-site scripting attack that, under certain circumstances, could give an attacker temporary access to the blog user’s credentials. The problem does not allow an attacker to gain any further control over the server or compromise system-level security.
The suggested workaround is to install the patch that can be found here (direct link). The patch archive contains four subdirectories (named 1.3, 1.4, 1.5, and 1.6) with replacement binaries for the newtelligence.DasBlog.Runtime.dll assembly for the respective version.
1. Back up your existing assembly from your blog’s /bin subdirectory.
2. Replace it with the new assembly for your version from the respective directory of the patch archive.
3. Open and save “web.config” with Notepad to restart the site.
4. You are again safe.
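The steps above as a script, added here as an example that is not part of the original post or the dasBlog project. The parameter names and all paths are assumptions, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not dasBlog project code). All parameter names and paths are assumptions.
param(
    [Parameter(Mandatory)] [string] $BlogRoot,   # site root holding bin\ and web.config
    [Parameter(Mandatory)] [string] $PatchRoot,  # folder the patch archive was extracted to
    [Parameter(Mandatory)] [string] $BackupRoot, # backup location outside the web root
    [Parameter(Mandatory)] [ValidateSet('1.3', '1.4', '1.5', '1.6')] [string] $Version
)

$ErrorActionPreference = 'Stop'
$dll    = 'newtelligence.DasBlog.Runtime.dll'
$target = Join-Path (Join-Path $BlogRoot 'bin') $dll
$source = Join-Path (Join-Path $PatchRoot $Version) $dll
$config = Join-Path $BlogRoot 'web.config'

# Fail before changing anything if a file is missing.
foreach ($path in @($target, $source, $config)) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        throw "Required file not found: $path"
    }
}

# Step 1: back up the current assembly and confirm the copy is byte-identical.
$backupDir = Join-Path $BackupRoot ('dasblog-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Join-Path $backupDir $dll
Copy-Item -LiteralPath $target -Destination $backup
$oldHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ((Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash -ne $oldHash) {
    throw "Backup does not match the original; nothing was replaced."
}

# Step 2: replace the assembly and confirm the deployed file matches the patch binary.
$newHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
Copy-Item -LiteralPath $source -Destination $target -Force
if ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne $newHash) {
    Copy-Item -LiteralPath $backup -Destination $target -Force   # roll back
    throw "Deployed assembly does not match the patch binary; original restored."
}

# Step 3: update web.config's timestamp, the scripted form of opening and saving it.
(Get-Item -LiteralPath $config).LastWriteTime = Get-Date

[pscustomobject]@{
    Version = $Version; Backup = $backup
    PreviousSha256 = $oldHash; DeployedSha256 = $newHash
}
```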
The changes are minimal and should not have any adverse effects, but if you experience any odd behavior after applying the patch, please let me know.
Spread the word!
[The GotDotNet workspace source trees for 1.3-1.6 contain the modified sources for the respective versions. The “CurrentWork” tree is not yet patched.]