Posts Tagged ‘security’

MVC Controller Action Security Hole

// July 8th, 2008 // 7 Comments » // MVC

The latest of Stephen Walther’s invaluable ASP.Net MVC Tip series points out a MVC scenario that was previously unknown to me: passing cookies and server variables into controllers as action parameters. While the idea is neat, a comment left by Francois Ward echoed my immediate skepticism over whether this could be safe. After playing around I believe I have confirmed my suspicions that making use of this capability is a Very Bad Idea. (more…)

Kick It on DotNetKicks.comShout It on DotNetShoutOuts.com

Massive BlogEngine.net Security Hole

// April 13th, 2008 // No Comments » // Blogging

A massive security hole in BlogEngine.net was just revealed that allows anyone to see your passwords… Danny Douglass just added a post to his blog where he explains the issue and provides a patched BlogEngine.Core assembly to resolve the issue until the next release of BlogEngine is available.

I would advise anyone running BlogEngine.net to immediately go to Danny's blog and download & install the fix.

The faster we can get word out about this, the faster we can shut down this particular attack vector, so please try and get the word out to any BlogEngine.net users you are aware of and please kick Danny's post at DotNetKicks.

Thanks Danny!

Kick It on DotNetKicks.comShout It on DotNetShoutOuts.com