web application security lab

BlogEngine.NET Intranet Hacking

I ran across a really good example of the Intranet hacking through web pages that I was talking about a while back. Poking around in BlogEngine.NET, I found a file that not only allows you to read files from the disk (including web.config, sql.config and other sensitive files, with the syntax /js.axd?path=/web.config etc.) but also, with the syntax /js.axd?path=http://localhost/, discloses local websites. Ouch.

To make matters worse, if I know someone is running this software internally and I don’t have direct access to it, I can use it to proxy my requests through their intranet on my behalf, because there is a cross-site scripting vulnerability in BlogEngine.NET with the syntax: search.aspx?q=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E.

So I would simply need to get a user that I knew belonged to a company running this software to click on a link. It would then force their browser back to the Intranet website running BlogEngine.NET, where the XSS would use XMLHttpRequest to pull in the js.axd file’s results, which de facto would allow me to read every site on their Intranet that wasn’t password protected, as well as enumerate RFC 1918 private IP space. Ouch again.

A few people asked me, when I first talked about this, whether I had ever seen it in the wild. It took me a while to find something this widespread (probably 100,000 public installs), but this is probably the best working example I have seen. Google dork: BlogEngine.NET 1.3.0.0.

15 Responses to “BlogEngine.NET Intranet Hacking”

  1. Jesper Says:

    Ouch indeed! I had a look at a few blogs running BlogEngine.net and I could get the passwords for a few SQL Servers. I hope everybody can patch up quickly.

    This reminds me that I will encrypt all the passwords in the web.config of my applications (even though I’m not running BlogEngine.net).

  2. Jac Says:

    You rock, man! :D This is cool!

  3. Awesome AnDrEw Says:

    Beautiful find.

  4. Erlend Says:

    Ouch! Not very nice. It’s a bit embarrassing that developers keep leaving these gaping holes in their apps.

  5. Schmoilito Says:

    What about this:
    /js.axd?path=http://vuln-site1/js.axd%3Fpath%3Dhttp://vuln-site2/js.axd%3Fpath%3Fhttp://vuln-siteXX/js.axd and so on…

    I wonder what the damage potential could be if you got these vulnerable sites proxying requests to each other on a large scale. I’m not sure that it is entirely wormable, but the thought is intriguing.

  6. benben Says:

    1. Modify the file BlogEngine.Core\Web\HttpHandlers\JavaScriptHandler.cs.
    In private static string RetrieveRemoteScript(string file) and private static string RetrieveLocalScript(string file), add the following code to each:

    // Refuse any requested path that does not end in ".js"
    if (!file.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
    {
        throw new System.Security.SecurityException("No access");
    }

    Then rebuild.

  7. benben Says:

    How to fix this bug: you can go to
    http://blog.119797.com/post/BlogEngine-fix-js-Download-bug.aspx

  8. Julian Calaby Says:

    That doesn’t fix the problem:

    /js.axd?path=http://localhost/%3Frandom%3D.js

  9. Danny Douglass Says:

    For anyone following this comment thread, please take the time to vote for the “Password Encryption in XML file” work item on BlogEngine.NET’s Codeplex project page - http://www.codeplex.com/WorkItem/View.aspx?ProjectName=blogengine&WorkItemId=5726&PendingVoteId=5726.

  10. fred Says:

    /js.axd?path=http%253a%252f%252f//..//../cmd.exe
    /js.axd?path=http%253a%252f%252f//..//../../Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config

  11. ModPack Security Hotfix Says:

    Since ModPack is built on BlogEngine.Core v1.3.0.5, I’m afraid every blogger who uses ModPack for e.g. GoDaddy or 1and1 Hosting needs to patch their blog installation too.

    Get your Security Hotfix for ModPack 1.3.0.5 from http://ict20.net/ModPack/ or click on the name link which points to the full blog post.

    Cheers,
    MikevZ

  12. RSnake Says:

    Blogengine.NET also issued a patch on their website as well a few days after this post.

    http://www.dotnetblogengine.net/post/Critical-Security-Patch-Available.aspx

  13. Jitendra Singh Says:

    By putting http://yourblogname.com/js.axd?path=App_Data/users.xml, anyone can access your login information (username and password both).
    It happens in BlogEngine.NET 1.3.

    Solution:

    Update the RetrieveLocalScript() function in your code with the following code:

    // Requires: using System; using System.IO; using System.Web; using System.Web.Caching;
    // StripWhitespace and HardMinify are BlogEngine.NET's own helpers in this handler.
    private static string RetrieveLocalScript(string file)
    {
        // Refuse any requested path that does not end in ".js"
        if (!file.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
        {
            throw new System.Security.SecurityException("No access");
        }

        string path = HttpContext.Current.Server.MapPath(file);
        string script = null;

        if (File.Exists(path))
        {
            using (StreamReader reader = new StreamReader(path))
            {
                script = reader.ReadToEnd();
                script = StripWhitespace(script, HardMinify(file));
                HttpContext.Current.Cache.Insert(file, script, new CacheDependency(path));
            }
        }

        return script;
    }

    thanks,

    http://www.newGenLives.com
    http://www.newGenLives.info
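Added example, not BlogEngine.NET's code and not from any commenter: an allowlist check for the js.axd path parameter that addresses both the file-read/proxy issue in the post and the suffix-only fix posted in the comments above, which a value like http://localhost/?random=.js still passes. The class, method and "scripts" folder names are hypothetical; the idea is to accept only a bare .js file name that resolves under one script directory and to drop remote fetching entirely.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical guard for the path check in a js.axd-style handler.
public static class ScriptPathGuard
{
    // Returns the physical path of an allowed .js file under scriptRoot
    // (e.g. Server.MapPath("~/scripts")), or null when the request must be
    // refused. It never fetches remote content, so path=http://... is gone.
    public static string ResolveAllowedScript(string requested, string scriptRoot)
    {
        if (string.IsNullOrEmpty(requested))
            return null;

        // Decode until stable so double-encoded input (%253a%252f) cannot
        // hide a scheme or traversal sequence from the checks below.
        string decoded = requested;
        for (int i = 0; i < 3; i++)
        {
            string next = HttpUtility.UrlDecode(decoded);
            if (next == decoded) break;
            decoded = next;
        }

        // A scheme, host, query or fragment means this is not a local script;
        // this is what defeats "http://localhost/?random=.js".
        if (decoded.Contains("://") || decoded.Contains("?") || decoded.Contains("#")
            || decoded.StartsWith("//") || decoded.StartsWith("\\\\"))
            return null;

        // Only a bare .js file name is permitted: no directory part at all,
        // so App_Data/users.xml and ..\..\cmd.exe are rejected here.
        if (!decoded.Equals(Path.GetFileName(decoded), StringComparison.Ordinal)
            || !decoded.EndsWith(".js", StringComparison.OrdinalIgnoreCase))
            return null;

        // Resolve and confirm the result is still inside the script root,
        // a second line of defence against traversal.
        string root = Path.GetFullPath(scriptRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, decoded));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;

        return File.Exists(full) ? full : null;
    }
}
```

The handler then reads only the path this method returns and responds with an error for null, which also removes the basis for the intranet proxying described in the post.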

  14. Kunal Mehta Says:

    Hi,

    I use BlogEngine.NET on my website: http://elevatesoftsolutions.in/default.aspx - been using it for a few months now.

    I think this security bug is fixed now with BlogEngine.Net 1.4.5.0

    Is it right?

  15. d3nx Says:

    The proxy and internal network access problem still exists on 1.4.5 and 1.5; I have just checked both versions.