I found a hole in BlogEngine.NET that allows anyone to delete and approve comments.
```html
<div id="id_9c2b8578-1dde-421e-94ff-5ea7e0d82012" class="comment">
<p class="date">7/10/2008 4:13:35 PM</p>
<p class="gravatar"><img src="http://www.gravatar.com/avatar/b642b4217b34b1e8d3bd915fc65c4452.jpg?s=80&d=..." alt="Test3" /></p>
<p class="content">asfasdfafdasd sa afsdfdsaas </p>
<img src="/blogengine/pics/flags/us.png" class="flag" alt="us" />
</div>
```
You can patch the hole by updating the Page_Load event handler in CommentView.ascx.cs so that the delete and approve actions are only carried out for an authenticated user (lines 117, 118, and 127 of that file):
```csharp
protected void Page_Load(object sender, EventArgs e)
{
    if (Post == null) { /* body elided on the page */ }
    if (!Page.IsPostBack && !Page.IsCallback)
    {
        // Patch: act on the delete (and, in the same way, the approve) request only for a logged-in user.
        if (Request.QueryString["deletecomment"] != null && Page.User.Identity.IsAuthenticated) { /* delete handling elided on the page */ }
    }
    string path = Utils.RelativeWebRoot + "themes/" + BlogSettings.Instance.Theme + "/CommentView.ascx";
}
```
Repeat the steps given above to verify that the hole has been patched.
In the process of adding OpenID support to the comment system in BlogEngine.NET I found myself deep in a rabbit hole of refactoring. This comment security issue is just one of the things I've found during my journey. I've reported the issue on the BlogEngine.NET Issue Tracker. I think it is important to point out that the patch above is just a quick fix: it protects one page, and any other code path that deletes or approves a comment stays unprotected. The proper solution is to put the authorization checks in the business layer (the BlogEngine.Core.Post business object in this case), so that every caller is covered no matter which page or handler the request comes through.
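To make the business-layer approach concrete, here is an added example in C# written for this post; it is not BlogEngine.NET's own code. The Post and Comment classes and the RemoveComment/ApproveComment method names are assumed stand-ins for the BlogEngine.Core objects, the `deletecomment` query-string key is the one used in the page above, and the principal handling (GenericPrincipal, Thread.CurrentPrincipal) is standard .NET. The point it shows is that a page which forgets the check, like the original CommentView.ascx.cs, is still safe once the business object refuses anonymous callers.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical stand-ins for the BlogEngine.Core comment and post objects.
// Only the names are borrowed from the project; the bodies are written for this example.
public class Comment
{
    public Guid Id = Guid.NewGuid();
    public string Author;
    public bool IsApproved;
}

public class Post
{
    private readonly List<Comment> comments = new List<Comment>();

    public IList<Comment> Comments { get { return comments.AsReadOnly(); } }

    public void AddComment(Comment comment) { comments.Add(comment); }

    // The check lives in the business object, so it applies to every caller:
    // CommentView.ascx, any other page, a web service, or future OpenID code.
    public void RemoveComment(Comment comment)
    {
        RequireAuthenticated("delete a comment");
        comments.Remove(comment);
    }

    public void ApproveComment(Comment comment)
    {
        RequireAuthenticated("approve a comment");
        comment.IsApproved = true;
    }

    // ASP.NET sets Thread.CurrentPrincipal from HttpContext.Current.User once the
    // request is authenticated, so the same check works in the web app and in this console demo.
    // A role check (user.IsInRole("Administrators")) would slot in here as well.
    private static void RequireAuthenticated(string action)
    {
        IPrincipal user = Thread.CurrentPrincipal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("You must be logged in to " + action + ".");
    }
}

public static class Demo
{
    // Mirrors the query-string handling of the original page, deliberately WITHOUT
    // any UI-level authentication check, to show the business object catching it.
    public static string HandleQuery(Post post, IDictionary<string, string> query)
    {
        string idText;
        if (!query.TryGetValue("deletecomment", out idText)) return "nothing to do";

        Guid id = new Guid(idText);
        Comment target = null;
        foreach (Comment c in post.Comments)
            if (c.Id == id) target = c;
        if (target == null) return "no such comment";

        post.RemoveComment(target);   // throws SecurityException for an anonymous caller
        return "deleted";
    }

    public static void Main()
    {
        Post post = new Post();
        Comment comment = new Comment { Author = "Test3" };   // constructed sample comment
        post.AddComment(comment);
        var query = new Dictionary<string, string> { { "deletecomment", comment.Id.ToString() } };

        // 1. Anonymous request: a GenericIdentity with an empty name reports IsAuthenticated == false.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        try
        {
            Demo.HandleQuery(post, query);
            Console.WriteLine("BUG: anonymous delete succeeded");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("anonymous: " + ex.Message);
        }

        // 2. Logged-in user, as Forms authentication would produce after a successful login.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("admin"), new[] { "Administrators" });
        Console.WriteLine("admin: " + Demo.HandleQuery(post, query));
        Console.WriteLine("comments left: " + post.Comments.Count);
    }
}
```

Run it as a console program: the first attempt is refused with the SecurityException message, the second prints "admin: deleted" and "comments left: 0". The quick fix in Page_Load is still worth keeping as a friendlier user experience, but with the check in Post it is no longer the only thing standing between an anonymous visitor and the delete.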