4 May 2008

I've been Hacked - BlogEngine.NET v1.3 Security Hole

by nmgomes

As some of you may have noticed, my blog was hacked on 27 April, and all posts were removed.

After spending a few hours recovering the lost content, I focused on trying to understand the attack vector.

It didn't take too long until I found how to hack my own blog.

It was a BlogEngine.NET v1.3.0.x security problem related to the js.axd handler (the purpose of this handler is to serve *.js files) that allows anyone to get any file from your domain, even critical ones like web.config or App_Data\users.xml.
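One way a file-serving handler of this kind can constrain the path it is asked for, shown as an added example that is not BlogEngine.NET's code or its actual fix. `ScriptPathValidator`, `TryResolve` and the sample paths are hypothetical and constructed for illustration.

```csharp
using System;
using System.IO;

// Added illustration (hypothetical names): validate a requested path before a
// handler that is meant to serve only *.js files reads it from disk.
public static class ScriptPathValidator
{
    public static bool TryResolve(string webRoot, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested) || requested.IndexOf('\0') >= 0)
            return false;

        // Canonicalize before checking, so ".." and mixed separators are resolved first.
        string root = Path.GetFullPath(webRoot).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate;
        try
        {
            candidate = Path.GetFullPath(Path.Combine(root, requested.TrimStart('/', '\\')));
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException
                                   || ex is PathTooLongException)
        {
            return false; // malformed path
        }

        // 1. The resolved file must stay inside the web root.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        // 2. Only the file type the handler exists for is allowed.
        if (!Path.GetExtension(candidate).Equals(".js", StringComparison.OrdinalIgnoreCase))
            return false;
        // 3. Nothing under App_Data is served, whatever its extension.
        string relative = candidate.Substring(root.Length);
        foreach (string part in relative.Split(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar))
            if (part.Equals("App_Data", StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "site"); // constructed web root
        string[] samples = { "/scripts/blog.js", "/web.config", "/App_Data/users.xml", "/App_Data/x.js" };
        foreach (string s in samples)
            Console.WriteLine("{0,-22} {1}", s, TryResolve(root, s, out string p) ? "serve" : "reject");
    }
}
```

The caller still has to confirm the file exists and read it from the returned `fullPath`, not from the raw request value.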

Filed in: BlogEngine.NET | Hacking