16 Jul 2008

BlogEngine.NET - BookShelf Widget

by nmgomes

In order to complete my migration from version 1.3 to 1.4 I needed to replace the books control I had with a widget that does the same thing.

After a quick Google search I found no widget with that functionality.

Armed with lots of confidence, I decided to create a new widget, the BookShelf widget, to meet my exact needs:

  • display the book thumbnail image
  • show the book name and book author name

The previous book control was kindly made available by John Dyer, and I simply didn't worry about the layout: I used the old one with minor changes to the binding.

(Screenshots: books and books_edit)

This widget is obviously editable, since I want to manage the books on the shelf, so I created an edit interface where it is very simple to add, edit and remove books.

As a final note, I can simply reaffirm that working with widgets is very simple and straightforward.

Download it, try it, and naturally let me know if it meets your needs too.


Filed in: BlogEngine.NET

13 Jul 2008

BlogEngine.NET - Improved LinkList Widget

by nmgomes

I've been using BlogEngine.NET 1.4.0 since last week. It wasn't easy to migrate and keep the blog stable. To keep things working I made 3 updates (1.4.06, 1.4.0.8 and 1.4.0.12) in one week.

Finally, on Friday, I decided to update my theme to make use of widgets. This was my first drawback: my blog uses two sidebars and BlogEngine.NET only supports ONE WidgetZone per page.

It took me almost the whole weekend to overcome this limitation and create an improved version of the widget framework that supports multiple WidgetZones.

I still have some issues to solve, such as drag and drop of widgets, but everything else is completely working and I am currently using it on this blog. More on this will come soon.

After solving the WidgetZone issue I found out that the available widgets weren't enough to accomplish my needs, so I decided to improve the LinkList widget.

I needed to:

  • add support for rendering the class attribute on the anchor HTML elements (see the sidebar Meta section)
  • add support for rendering a HyperLink (see the sidebar My Profiles section)

I can only say that it was really simple to create or extend a widget.

I submitted these changes to the LinkList widget as a patch on BlogEngine.NET (ID 1504), and perhaps Mads will add them in some future release.

Meanwhile you can get the code here.

Filed in: BlogEngine.NET

4 May 2008

I've been Hacked - BlogEngine.NET v1.3 Security Hole

by nmgomes

As some of you may have noticed, my blog was hacked last 27 April, and all posts were removed.

After spending a few hours recovering the lost content I focused on trying to understand the attack vector.

It didn't take long until I found out how to hack my own blog.

It was a BlogEngine.NET v1.3.0.x security problem related to the js.axd handler (this handler's purpose is to serve *.js files) that allows anyone to get any file from your domain, even critical ones like web.config or App_Data\users.xml.

You can read more about the code details in this Danny Douglass post.

I thought a lot before writing the following lines, but decided that people should know how easy it is to hack their sites (hackers already know it :-)).

The practical work of hacking a BlogEngine.NET v1.3.0.x blog is the following:

  1. Identify a blog running the vulnerable version (any 1.3.0.x) - this is easily done using this Google search.
  2. Use js.axd to get the specific BE.NET users.xml file (this file contains the list of users and their passwords in plain text ?!!! .... it's not a mistake ... plain text) - the syntax is http://hackedblog/js.axd?path=App_Data/users.xml
  3. Log in to the hacked blog with the stolen credentials and then ... the hacker usually deletes all posts and posts one of their own :-(.

That's it ... Now that you know how to do it, I hope you don't use this knowledge to cause harm and instead alert all your friends about this security hole.

A security patch has been available since 14 April and it works fine.
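As an added defensive example (not code from BlogEngine.NET or from this post), here is the kind of path check a handler like js.axd should apply before serving a file, together with a scan of constructed IIS-style log lines for js.axd requests that fail that check. The allowed script directories, the log field layout and the sample lines are all assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Assumption: the only directories a script handler should ever read from.
ALLOWED_DIRS = ("js", "scripts")


def is_safe_script_path(requested: str) -> bool:
    """Return True only for a relative path that stays inside ALLOWED_DIRS
    and names a .js file; rejects traversal, absolute and drive paths."""
    decoded = unquote(unquote(requested))           # also catch double-encoding
    norm = posixpath.normpath(decoded.replace("\\", "/"))
    parts = norm.split("/")
    if norm.startswith(("/", "..")) or ".." in parts or ":" in norm:
        return False
    if len(parts) < 2 or parts[0].lower() not in ALLOWED_DIRS:
        return False
    return norm.lower().endswith(".js")


# Constructed W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """2008-04-27 03:12:41 198.51.100.7 GET /js.axd path=App_Data/users.xml 200
2008-04-27 03:12:44 198.51.100.7 GET /js.axd path=..%2Fweb.config 200
2008-04-27 08:01:02 203.0.113.5 GET /js.axd path=js/blog.js 200
2008-04-27 08:01:03 203.0.113.5 GET /default.aspx - 200""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>\S+) (?P<stem>\S+) "
    r"(?P<query>\S+) (?P<status>\d+)$"
)


def suspicious_js_axd_requests(log_lines):
    """Return (client ip, decoded path parameter) for every js.axd request
    whose path parameter would have been refused by is_safe_script_path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["stem"].lower().endswith("/js.axd"):
            continue
        params = parse_qs(m["query"])                # "-" (no query) yields {}
        for p in params.get("path", []):
            if not is_safe_script_path(p):
                hits.append((m["ip"], unquote(p)))
    return hits


if __name__ == "__main__":
    for ip, path in suspicious_js_axd_requests(SAMPLE_LOG):
        print(f"suspicious js.axd request from {ip}: path={path}")
```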

By this time I had already recovered my posts and secured my blog, but I am still worried about it.

My thoughts were about "why didn't I spend some time reviewing the BE code?". If I had done that I could have found this security hole (it was really easy to find) or another one that could still be out there.

I have learned a few lessons from this episode:

  • keep backups updated
  • keep backups safe
  • and most of all, I really learned that free software is great and open source is even better, but I definitely must not trust the source blindly.

If we all keep these worries in mind and review the code, we will feel safer and we will all be contributing to improving the solution.

Filed in: BlogEngine.NET | Hacking