Security Update - June 2012 - Revision A

[Note: This is a revised security update]

There is a security update we recommend you make to your BlogEngine.NET blog.  This update is for all versions of BlogEngine.NET, at least going back to version 1.4.5 and probably before that too.  The update is fortunately easy to make.

Update Instructions

There are 2 steps for this update.

Step 1 - The <machineKey> element in your web.config file needs to be updated.  This is what your <machineKey> element likely looks like now:

<machineKey
	validationKey="D9F7287EFDE8DF4CAFF79011D5308643D8F62AE10CDF30DAB640B7399BF6C57B0269D60A23FBCCC736FC2487ED695512BA95044DE4C58DC02C2BA0C4A266454C"
	decryptionKey="BDAAF7E00B69BA47B37EEAC328929A06A6647D4C89FED3A7D5C52B12B23680F4"
	validation="SHA1" decryption="AES"/>

You have 2 options here.  Either (a) simply delete the <machineKey> or (b) you can change it to the following:

<machineKey
	validationKey="AutoGenerate,IsolateApps"
	decryptionKey="AutoGenerate,IsolateApps"
	validation="SHA1" decryption="AES"/>

Step 2 - This step is needed only if your BlogEngine.NET version is 2.5 or 2.6.  If you are on BlogEngine.NET version 2.0 or earlier, you can skip this step.

There is an update to the Global.asax file.  The Global.asax file differs between version 2.5 and 2.6.  The updated Global.asax can be downloaded below.  Replace your existing Global.asax file with this one.  This assumes you have not made any customizations to your Global.asax file.

BlogEngine.NET 2.5 Global.asax update: v2.5_Security_Update_June_2012.zip (1.68 kb)
BlogEngine.NET 2.6 Global.asax update: v2.6_Security_Update_June_2012.zip (2.19 kb)

The update is now complete!

Need a Machine Key?

For a BlogEngine.NET blog running as a standalone instance, you typically won't need a machineKey.  If you are running your blog in a web farm, you likely will need one.  If you need a machineKey with a fixed validationKey and decryptionKey, simply go to this machineKey generator tool to generate your own personal machineKey.
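As an added example that is not part of this advisory or of BlogEngine.NET itself, the following Python script covers both Step 1 and the "Need a Machine Key?" question above: it reads a web.config, reports whether the <machineKey> element is still the well-known default quoted in this update, has already been switched to AutoGenerate,IsolateApps (option b), has been removed (option a), or carries some other fixed key pair, and it can rewrite the element either way.  The sample web.config is constructed for the example, the default key values are taken verbatim from the element shown in Step 1, and the script assumes <machineKey> sits directly under <system.web> as it does in a standard BlogEngine.NET web.config.

```python
import secrets
import xml.etree.ElementTree as ET

# The fixed keys from the <machineKey> element quoted in Step 1 of the advisory.
# A web.config that still carries these has not had Step 1 applied.
DEFAULT_VALIDATION_KEY = (
    "D9F7287EFDE8DF4CAFF79011D5308643D8F62AE10CDF30DAB640B7399BF6C57B"
    "0269D60A23FBCCC736FC2487ED695512BA95044DE4C58DC02C2BA0C4A266454C"
)
DEFAULT_DECRYPTION_KEY = "BDAAF7E00B69BA47B37EEAC328929A06A6647D4C89FED3A7D5C52B12B23680F4"

AUTO = "AutoGenerate,IsolateApps"

# Constructed sample web.config, reduced to the part that matters here.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey
      validationKey="{DEFAULT_VALIDATION_KEY}"
      decryptionKey="{DEFAULT_DECRYPTION_KEY}"
      validation="SHA1" decryption="AES"/>
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> str:
    """Classify the <machineKey> under <system.web>.

    Returns one of:
      "missing"      - no <machineKey>; ASP.NET generates keys itself (option a)
      "autogenerate" - both keys set to AutoGenerate (option b)
      "default-keys" - still carries the well-known keys quoted in the advisory
      "fixed-keys"   - some other fixed key pair (e.g. from the generator tool)
    """
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return "missing"
    vk = mk.get("validationKey", "").upper()
    dk = mk.get("decryptionKey", "").upper()
    if vk.startswith("AUTOGENERATE") and dk.startswith("AUTOGENERATE"):
        return "autogenerate"
    if vk == DEFAULT_VALIDATION_KEY or dk == DEFAULT_DECRYPTION_KEY:
        return "default-keys"
    return "fixed-keys"


def generate_machine_key() -> dict:
    """Random key pair sized for validation="SHA1" / decryption="AES":
    64 random bytes (128 hex chars) for the HMAC-SHA1 validationKey and
    32 random bytes (64 hex chars) for the AES-256 decryptionKey."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


def remediate(config_xml: str, mode: str = "autogenerate") -> str:
    """Return config_xml with <machineKey> rewritten.

    mode="autogenerate" applies option (b) from Step 1; mode="fixed" writes a
    freshly generated key pair, which a web farm needs so that every server
    validates and decrypts with the same keys.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        raise ValueError("web.config has no <system.web> section")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    if mode == "autogenerate":
        keys = {"validationKey": AUTO, "decryptionKey": AUTO}
    elif mode == "fixed":
        keys = generate_machine_key()
    else:
        raise ValueError(f"unknown mode: {mode}")
    mk.set("validationKey", keys["validationKey"])
    mk.set("decryptionKey", keys["decryptionKey"])
    mk.set("validation", "SHA1")
    mk.set("decryption", "AES")
    # ET.tostring drops the XML declaration and any comments, so on a real
    # web.config copy the emitted <machineKey> element into place rather than
    # overwriting the whole file with this output.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    updated = remediate(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(updated))
    print(updated)
```

Run it against the constructed sample and the audit reports "default-keys" before and "autogenerate" after.  To check a real site, replace SAMPLE_WEB_CONFIG with the contents of your web.config; anything other than "default-keys" means Step 1 has already been done.  Use mode="fixed" only when you actually run more than one server, and then put the same generated pair on every server in the farm.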

Frequent Logouts

Depending on the server your BlogEngine.NET blog is installed on, you may find that when your application pool recycles, you are being logged out of the site.  When this update was being tested, it was found that this would occur in some servers and not others.  If you find this to be a problem in your environment, I would suggest using the machineKey generator tool described above to generate your own personal machineKey, and put that into your web.config file.

Troubleshooting

After applying this update, everything should work normally.  If you were logged in prior to the update, you will need to log back into your blog.  If instead you receive an error message when accessing your blog, such as:

Unable to validate data.

this error occurs because your previous log-in cookie is no longer valid and needs to be cleared out.  If you're receiving this error after making the update, clear the cookies in your browser.  You can refer to this page for clearing your cookies, or if your browser or version is not listed there, refer to the Help for your particular browser/version.

Questions

If you have any questions or run into any problems with this update, the best place to inquire is in the CodePlex BlogEngine.NET discussions.
