Update 3.1.1.0 With Security Patch

If you are running BlogEngine 3.0 or later, please update to version 3.1.1. This installs a security patch for a directory traversal vulnerability, along with a few improvements and bug fixes.

Backup

Please always back up your site before installing any updates. In the worst case, you can then restore the current version.

Auto Update

For v3+ users, you should see an "update available" message in the dashboard. It is better to run and test the update on a local (DEV) instance and then FTP the files to the host, especially for critical sites. Moving thousands of files on a busy site may end in a file lock. But if you must run the live update and get a "file locked" error, it is OK to click the "update" button again; this may fix the issue.

Manual Update

Remember that you can always download the files and update manually; it is not hard. Basically, you wipe out everything except "/Custom" and "/App_Data", plus any custom files or folders you might have, then move the new version in. Merging web.config is the only slightly tricky part: you might need to take care of the connection string and providers if you use a database.

Older Versions

If you run an older version, you can try this simple extension, which will do the job just fine. It may need adjustment for very old versions, though. Save the code below as "BlockTraversal.cs" and drop it into your site's "/App_Code/Extensions" folder.

using BlogEngine.Core;
using BlogEngine.Core.Web.Controls;
using BlogEngine.Core.Web.HttpHandlers;
using System.Web;

// Registered as a BlogEngine extension; files in /App_Code/Extensions are compiled and loaded automatically.
[Extension("Block Directory Traversal", "1.0", "BlogEngine.NET")]
public class BlockTraversal
{
  public BlockTraversal()
  {
    // Hook the Serving event of both file-serving handlers (image.axd and file.axd).
    ImageHandler.Serving += Serving;
    FileHandler.Serving += Serving;
  }

  void Serving(object sender, System.EventArgs e)
  {
    // The handlers raise Serving with the requested file name as the sender.
    // Any ".." segment in it is a traversal attempt, so send the request to the 404 page instead.
    if (sender.ToString().Contains(".."))
    {
      HttpContext.Current.Response.Redirect(
        string.Format("{0}error404.aspx", Utils.AbsoluteWebRoot));
    }
  }
}
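As an added illustration (not code from this post or from BlogEngine.NET itself), the following shows the check a hardened file handler would use instead of only searching the raw name for "..": canonicalize the requested name against the one folder the handler is allowed to serve from, and reject anything that resolves outside it. The class name, the Resolve method and the sample root folder are assumptions made for this demo.

```csharp
using System;
using System.IO;

// Added example: containment check for a requested file name.
// Hypothetical helper; BlogEngine.NET's own handlers are not shown here.
public static class SafeFileResolver
{
    // Returns the canonical full path when it stays inside rootDir, otherwise null.
    public static string Resolve(string rootDir, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;

        // Canonical root with a trailing separator, so "files2" cannot match "files".
        string root = Path.GetFullPath(rootDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        string full;
        try
        {
            // Strip leading slashes so Path.Combine cannot treat the input as rooted,
            // then let GetFullPath collapse "." and ".." segments for us.
            string relative = requested.TrimStart('/', '\\');
            full = Path.GetFullPath(Path.Combine(root, relative));
        }
        catch (ArgumentException) { return null; }      // invalid path characters
        catch (NotSupportedException) { return null; }  // e.g. a drive letter mid-path
        catch (PathTooLongException) { return null; }

        // The decision is made on the resolved path, not on the text the client sent.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed sample inputs: two legitimate names, three traversal attempts.
        string root = Path.Combine(Path.GetTempPath(), "App_Data", "files");
        string[] names = { "pic.png", "sub/doc.pdf", "../../web.config",
                           "..\\..\\web.config", "sub/../../../x" };
        foreach (string name in names)
        {
            Console.WriteLine("{0,-20} -> {1}", name, Resolve(root, name) ?? "BLOCKED");
        }
    }
}
```

A handler that only looks for ".." in the raw string still depends on how the framework decoded and normalized the value before it got there; comparing the resolved path against the root removes that dependency.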

Comments (1)

  • ali

    12/2/2014 6:09:04 PM |

    I just started using BlogEngine and found out I love it.
    Thank you for your work, guys.
