BP Blog

Readme/Download - To upgrade just overwrite your default, template, search, and inc_sidebar pages (or the database query code using notepad).

None of the admin pages have been altered. You should notice a speed improvement.

v7.03 [2006-03-15]
* Fixed default.asp layout typo vulnerability
* Optimized SELECT * statements to explicit table names for faster page generation
* Fixed a bug where draft page would show up in sidebar and recent items

OK - download the package and overwrite your search.asp, default.asp and admin_default.asp, although the exploit seems to be related to default.asp (theme preview feature).

You need to update line 18 on default.asp to:

if request("layout") <> "" and len(request("layout"))  < 5 then

I can't believe these people got me through a typo of one character! This update is only required for bp blog 7.0+.  Extreme thanks to Paco at http://www.waparquitectura.com/blog/

I also updated template_permalink.asp with a non-security related fix talked about here: http://www.betaparticle.com/forum/topic.asp?TOPIC_ID=180

I'm not sure what all this hacking is about but I've fixed register.asp and admin_default.asp as best I can.  I've checked for any sql vulnerabilities. 

Please download the latest zip and overwrite your register.asp and admin_default.asp.  Your best bet is to rename your admin_default.asp to something only you know and deleting register.asp if you're not using it.

I'll be working on the code but if anyone can help me, please email me. I don't know who these hackers are or even if they're actually Turkish but it's a shame that they're doing this.  It doesn't have anything to do with "security", it's simply vandalism and very immature.