Lessons in BlogEngine.Net Security

Last week one of my blogs running BlogEngine.Net got hacked.  Never nice.  So I thought I'd write up what happened, what I've done about it, and some things you can do if you are running BlogEngine.Net.

Firstly - I love BlogEngine.Net - I love having no database and being able to move the entire site from one host to another with a simple file copy.  Very cool.  I also like that it is built using ASP.Net web forms - very familiar.  Because I love it, I didn't want to change to another engine, I'd rather fix whatever issues I found.

Anyway, the site was defaced and a bogus blog post was put up.  This indicated that the hacker had somehow logged in using my password.  Looking through the IIS logs confirmed it: the hacker found my site by searching for "Powered By BlogEngine.Net" and proceeded to hack away.  How did they get my password?  Why did they target BlogEngine.Net sites?

Well, last month the BlogEngine.Net team found and patched a security flaw that allowed an attacker to get at protected files.  I had applied the patch, but to me, it looks like this same method was used to get my password and login.   So I suspect my attacker knew about this vulnerability - which is why they searched for BlogEngine.Net.

If you are using or considering using BlogEngine.Net, what can you do to protect yourself?  Here are my recommendations:

1) Replace the default membership provider.

The default XML membership provider that comes with BlogEngine.Net stores passwords in a plain text XML file in the app_data folder.  Not smart.  So consider replacing the default membership provider with one that uses encrypted passwords.  Chris has even documented the (easy) steps for you.
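To make the first recommendation concrete, here is an added example (my own illustration, not BlogEngine.Net's membership provider or Chris's steps) of what "stop storing plain-text passwords" looks like in practice. It takes a constructed XML user store, whose element names are a hypothetical layout for this example rather than the real users.xml schema, rewrites every password as a salted PBKDF2-HMAC-SHA256 hash, and verifies a login against the hashed value. The point it shows beyond the paragraph is that once the file is migrated, the original passwords are no longer recoverable from it, and a login check still works.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample in the shape of a plain-text XML user store. The element
# names are a hypothetical layout for this example, not BlogEngine.Net's own schema.
PLAINTEXT_USERS_XML = """<Users>
  <User>
    <UserName>darryl</UserName>
    <Password>hunter2-example</Password>
  </User>
  <User>
    <UserName>editor</UserName>
    <Password>another-example</Password>
  </User>
</Users>
"""

PREFIX = "pbkdf2_sha256"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and pack it into one storable string."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in our packed format (e.g. a leftover plain-text entry)
    if algo != PREFIX:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_user_store(xml_text: str) -> str:
    """Replace each plain-text <Password> with its salted hash; hashed entries are left alone."""
    root = ET.fromstring(xml_text)
    for pwd in root.iter("Password"):
        if pwd.text and not pwd.text.startswith(PREFIX + "$"):
            pwd.text = hash_password(pwd.text)
    return ET.tostring(root, encoding="unicode")


def stored_hash_for(xml_text: str, username: str) -> Optional[str]:
    """Look up the stored password field for a user; None if the user is absent."""
    root = ET.fromstring(xml_text)
    for user in root.iter("User"):
        if user.findtext("UserName") == username:
            return user.findtext("Password")
    return None


if __name__ == "__main__":
    migrated = migrate_user_store(PLAINTEXT_USERS_XML)
    print(migrated)
    print("login ok:", verify_password("hunter2-example", stored_hash_for(migrated, "darryl")))
```

Because the migration is idempotent (entries already carrying the prefix are skipped), it can be run safely against a store that is partly converted. Whatever provider you switch to, the property to check for is the same: the file in app_data should contain salts and hashes, never the passwords themselves.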

2) Add an SSL certificate to your site.

Adding SSL requires that you purchase a certificate (mine cost US$40 per annum) which, when installed and used, ensures that your login details are not sent in plain text (note that Windows Live Writer doesn't encrypt your credentials when it transmits to http-based sites).

I also recommend adding requireSSL="true" to the forms authentication config in the web.config file as follows:

<authentication mode="Forms">
      <forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies" requireSSL="true" />
</authentication>

With requireSSL set, forms authentication tokens (whether stored in a cookie or sent from the login form) are rejected if they arrive over plain http.  If you've been hacked over http and you don't know whether the hacker saved the credentials in a cookie (by ticking "remember me"), that cookie will no longer be validated over http when they next visit.
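As an added example (mine, not part of the original post or of BlogEngine.Net), here is a small check you can run against a web.config to confirm the change above actually landed. It embeds two constructed config fragments, one without requireSSL and one with it, and audits the <forms> element. Alongside requireSSL it also checks the protection and cookieless attributes that appear in the same element, using the ASP.NET defaults ("All" and "UseDeviceProfile") when an attribute is absent.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for this example (hypothetical, not copied
# from a real install). The first is the setting before the change, the second after.
WEAK_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms timeout="129600" name=".AUXBLOGENGINE" protection="All"
             slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies" />
    </authentication>
  </system.web>
</configuration>"""

HARDENED_CONFIG = WEAK_CONFIG.replace(
    'cookieless="UseCookies" />', 'cookieless="UseCookies" requireSSL="true" />'
)


def audit_forms_auth(config_xml: str) -> list:
    """Return a list of findings for the <forms> element; an empty list means all checks passed."""
    root = ET.fromstring(config_xml)
    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        return ['no <authentication mode="Forms"> element found']
    forms = auth.find("forms")
    if forms is None:
        return ["<authentication> has no <forms> child"]
    findings = []
    # Without requireSSL the auth cookie is issued and accepted on plain-http requests.
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append('requireSSL is not "true": the auth cookie is accepted over plain http')
    # "All" means the ticket is both encrypted and integrity-checked (ASP.NET default).
    if forms.get("protection", "All") != "All":
        findings.append('protection is not "All": the ticket is not both encrypted and validated')
    # Anything other than UseCookies allows the ticket to be carried in the URL.
    if forms.get("cookieless", "UseDeviceProfile") != "UseCookies":
        findings.append('cookieless is not "UseCookies": the ticket may be carried in the URL')
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_forms_auth(cfg) or "OK")
```

Run it against the real web.config (read the file and pass its text to audit_forms_auth) after deploying the change; an empty result is what you want. Note that with requireSSL="true" ASP.NET also marks the cookie Secure and will refuse to issue a ticket on a non-https request, so the login page itself must be reachable over https.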

3) Remove the "Powered By BlogEngine.Net" text at the bottom of the master page.

My site was hacked because of a vulnerability in the software package.  If I hadn't had the name of the package in the page content, I would not have been found in the Google search that the attacker used, and may not have been hacked.  Why do hackers the favour of telling them which engine you are running?

4) Know that your site is improved and more secure - but not perfect

You can never say your site is hacker-proof.  You don't know what you don't know.  However, removing clear-text passwords is a no-brainer, SSL is wise anyway, and the less you do to help the hacker the better.

If you have other suggestions for things I can do, I'm keen to hear about them!

Posted by darryl on 5/19/2008

Comments

5/19/2008 7:54:26 PM

James Hippolite

Thanks Darryl, that would be quite useful, if my customer's blogs were ever to move external.

James Hippolite New Zealand

5/19/2008 10:36:49 PM

Brandon Turner [MSFT]

If you want Windows Live Writer to use HTTPS you need to change:
http://burling.co.nz/rsd.axd

To point to a url that is HTTPS.  It is currently pointing to:
http://burling.co.nz/metaweblog.axd

Windows Live Writer uses the rsd file to find the API endpoints for your blog.  You might have to go into the options and do an 'Update Configuration' after you make the change.  If you have any problems feel free to email and I can help.

-Brandon

Brandon Turner [MSFT] United States

5/19/2008 11:59:14 PM

darryl

Thanks Brandon, that's a great tip.

darryl New Zealand

5/20/2008 7:49:06 PM

Scott Whitman

Darryl - I'm considering setting up a blog and am looking at Blogengine.net.

Question - should I be concerned about security? Is this the first security breach ever? First in a while?

Scott Whitman New Zealand

5/20/2008 9:10:09 PM

Darryl

In the history of blogging or the history of blogengine.net or the history of me?  First for me and I'm sure not the first for BE.

You could simply go with a hosted blog.  When you are back in town we can discuss over coffee Smile  

Darryl New Zealand

5/21/2008 10:47:24 AM

Scott Marlowe

Might want to follow #3 on this blog. Wink

"Blog engine version 1.3.1.0" (right at the bottom)

Thanks for the tips.

Scott Marlowe United States

5/21/2008 1:46:40 PM

darryl

Actually I have.  The default text says "Powered by BlogEngine.Net" and this is the search term that was used to find my site.
I may yet remove it altogether.  
Google still thinks I have the "powered by" bit at the bottom though...

darryl New Zealand

5/22/2008 3:38:32 PM

Chris

A couple of points...

Using HTTPS with Windows Live Writer needs a little bit of work but I am hopeful that Mads will incorporate my changes - www.dscoduc.com/post/2008/03/Secure-Blogging.aspx

I would recommend using SanibelLogic's SSLRedirect to handle the SSL management of your blog instead of setting requireSSL=True.  I have been using SSLRedirect for several years and couldn't go on without it! - www.dscoduc.com/.../...login-to-BlogEngineNet.aspx

Cheers!

Chris United States

5/22/2008 4:41:04 PM

Darryl

Yup, I see that.  Hopefully Mads will put that into 1.4.... I'm not holding my breath tho...

Darryl New Zealand
