- Posted by Ian Suttle on April 14, 2008
- Filed under BlogEngine.Net
This is serious business if you're running BlogEngine.NET.
The exploit allows a user to use the JavaScript axd handler to access the user.xml file and display its contents in the browser. If your eyeballs are jittery right now, you've got the right reaction, unless you're just highly caffeinated and don't mind usernames and passwords in plain text.
Danny Douglass has a quick fix: replace the current BlogEngine.Core.dll with his updated version. I'm running the update on this site as a proof of concept that it works.