Over the weekend, we were alerted to a security flaw in BlogEngine.NET 220.127.116.11. We have created a new release 18.104.22.168 which corrects this issue and are making a patch available here for users running 22.214.171.124. For those people running development version of BlogEngine.NET (from the source tab on CodePlex), please note that the latest release 126.96.36.199 has the security fix as well.
The security flaw makes it possible to access BlogEngine.NET user passwords (and other data that you normally would see with a password). The flaw has been in the system since version 188.8.131.52 and we strongly encourage all BlogEngine.NET users to update to 1.3.1 as soon as possible. If you see a fellow blogger running something prior to 184.108.40.206 or 220.127.116.11, please let them know to update their site as soon as possible. In addition, we encourage you to update your BlogEngine.NET password(s) as a security measure after you update.
The BlogEngine.NET team takes security very seriously and we regret that this security issue was introduced into the system. We hope that no one was seriously effected by the issue and have not heard reports of any to date. Please update your software as soon as you can. We are truly sorry for the inconvenience.
It is unfortunate that the issue could not have been handled more discretely. If you are blogger writing about the issue, we'd hope that you could refrain for spelling out exactly how to attack sites that haven't been updated yet. (Yes, we do want people to know there is a problem that needs patched, but we'd prefer if were weren't tempting casual hackers to try out the hack on a unpatched site by giving them a step by step guide.)
Again, we are sorry for the inconvenience and any trouble this may have caused you. If you know of other BlogEngine.NET users, please pass this information along.
Download Full Release: BlogEngine.NET 18.104.22.168
Download Patch for BlogEngine.NET 22.214.171.124