BlogEngine.NET security flaw

Version 1.3 of BlogEngine.NET has a security flaw that allows an attacker to view the source code of any file in your blog directory. Update: Make that any file on your website, not just in the blog.

This includes your web.config file, your sql.config file and, the scariest of all, the users.xml file.


This is the file that, if you're using the default (XML) data provider, holds all the user login details for your blog. That's right, admin usernames and passwords, in clear text.

This vulnerability is already in the wild, and a quick search on Google reveals about 185,000 results. That's a lot of vulnerable blogs.


There's already a patch for this flaw, but it seems that the download link might be broken. In the meantime, as a temporary fix, you could probably rename the users.xml/sql.config file to something different, i.e. something hard to guess. But if you want to keep your blog online, your web.config is still going to be visible, so make sure there's nothing sensitive in there.