Security expert Dominick Baier made me aware
of a security vulnerability in dasBlog at the beginning of last week. Dominick
will post a concrete advisory later this week for reasons of completeness, but
we want to give everyone a chance to patch their systems, because exploits are embarrassingly
simple to write.
The problem affects all versions of dasBlog and allows a specially crafted cross-site
scripting attack that could, under certain circumstances, give an attacker temporary
access to the blog user’s credentials. The problem does not allow an attacker to gain
any further control over the server or compromise system-level security.
The suggested workaround is to install the patch that can
be found here (direct
link). The patch archive contains four subdirectories (named 1.3, 1.4, 1.5,
and 1.6) with replacement binaries for the newtelligence.DasBlog.Runtime.dll assembly
for the respective version.
1. Back up your existing assembly from your blog’s /bin subdirectory.
2. Replace it with the new assembly for your version from the respective directory of the patch archive.
3. Open and save “web.config” with Notepad to restart the site.
You are again safe.
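The three steps above as a script, added here as an example and not part of the original post or of dasBlog itself. It assumes the patch archive has been extracted to a folder containing the 1.3 to 1.6 subdirectories (`$PatchRoot`) and that `$BlogRoot` is the blog’s web root holding web.config and the bin folder; it reads the installed assembly’s version so the matching subdirectory is chosen, keeps a timestamped backup, and verifies the copy before touching web.config.

```powershell
# Added example (not from the original post): applies the dasBlog patch
# described above. $BlogRoot and $PatchRoot are assumed paths supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $BlogRoot,
    [Parameter(Mandatory)] [string] $PatchRoot
)

$AssemblyName = 'newtelligence.DasBlog.Runtime.dll'
$current   = Join-Path $BlogRoot "bin\$AssemblyName"
$webConfig = Join-Path $BlogRoot 'web.config'

if (-not (Test-Path $current)) { throw "No $AssemblyName found under $BlogRoot\bin" }

# Pick the patch subdirectory (1.3, 1.4, 1.5 or 1.6) from the major.minor
# version of the installed assembly, so a 1.4 blog never receives the 1.6 binary.
$ver    = [System.Reflection.AssemblyName]::GetAssemblyName($current).Version
$branch = "$($ver.Major).$($ver.Minor)"
$replacement = Join-Path $PatchRoot "$branch\$AssemblyName"
if (-not (Test-Path $replacement)) { throw "Patch archive has no directory for version $branch" }

# Step 1: back up the existing assembly next to the original, with a timestamp.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$current.$stamp.bak"
Copy-Item -Path $current -Destination $backup
Write-Host "Backed up $current to $backup"

# Step 2: replace it with the patched binary and confirm the copy is byte-identical.
Copy-Item -Path $replacement -Destination $current -Force
$expected = (Get-FileHash -Path $replacement -Algorithm SHA256).Hash
$actual   = (Get-FileHash -Path $current     -Algorithm SHA256).Hash
if ($expected -ne $actual) { throw "Copied assembly does not match the patch file; restore from $backup" }

# Step 3: updating web.config's timestamp makes ASP.NET recycle the application,
# which is what opening and saving the file in Notepad achieves.
(Get-Item $webConfig).LastWriteTime = Get-Date
Write-Host "Patched $AssemblyName ($branch) and recycled the site via web.config"
```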
The changes are minimal and should not have any adverse effects, but if you
experience any odd behavior after applying the patch, please let me know.
Spread the word!
[The GotDotNet workspace
source trees for 1.3-1.6 contain the modified sources for the respective
versions. The “CurrentWork” tree is not yet patched.]