
24
kicks
published 3 months, 4 days ago, submitted by rimsystems 3 months, 4 days ago

dotnetblogengine.net — Over the weekend, we were alerted to a security flaw in BlogEngine.NET 1.3.0.0. We have created a new release 1.3.1.0 which corrects this issue and are making a patch available here for users running 1.3.0.0. For those people running the development version of BlogEngine.NET (from the source tab on CodePlex), please note that the latest release 1.3.0.29 has the security fix as well.


Comments:
Supposedly there is resistance to hashing passwords in the BlogEngine.NET team.

Wat?
posted by yesthatmcgurk 3 months, 4 days ago
Hrm, that's kind of different, do you know what the reason is?
posted by dengar007 3 months, 4 days ago
Dunno.

"Does storing your password in the users.xml file without encryption bother you? It definitely bothers me so I sent an email to Mads asking him about this topic. He mentioned to me that some people didn't like storing the password in an encrypted format. Seems strange to me but okay."

Seems strange to me but NOKAY. I'm going to take a peek at the code and see how hard it is to hash the passwords this weekend (if I can get time aside from retiling my bathroom, working on my split-file join app, and working on my GF's survey website).

http://www.codeplex.com/blogengine/Thread/View.aspx?ThreadId=19293
posted by yesthatmcgurk 3 months, 4 days ago
Aye, weird stuff indeed.

There is a work item in the Issue Tracker now requesting that they reevaluate this:
http://www.codeplex.com/blogengine/WorkItem/View.aspx?WorkItemId=5726

Here is an older work item which was rejected where Mads states, "This has been suggested a few times before and the answer is the same. People don't want it. A few do, but we've had many e-mails when we did hash passwords for the first release."
http://www.codeplex.com/blogengine/WorkItem/View.aspx?WorkItemId=3536

Hopefully this latest debacle will illustrate that even if "people don't want it", it should at the very least be an option to prevent this kind of disaster. I'm all for will of the people and all, but seriously, let's sit down and talk to whoever doesn't want their passwords hashed and explain some things to them. =)
posted by TroyMG 3 months, 4 days ago


