Hi cliersch

The patch fixes the issue for the version in trunk. In trunk, there's a helper method called IsOwner that checks for permissions, while in the official release, Permission::check('ADMIN') was used.
They do more or less the same thing.

If you got the IsOwner method in your BlogHolder Class, then you should be safe to apply the patch I provided. If you want to check the vulnerability, go ahead... use this file I attached (it's a simple html form. You should replace http://SomeSilverStripeBlogSite.com in the source code with your website http://nestbau.info/). Using this form, you can send blog posts to your site without logging in.
If you apply the patch, this is no longer possible.

Oh dear. Out of curiosity I checked if this works with silverstripe.com and indeed it did...
http://www.silverstripe.com/blog/

Crap!
Some admin fix this please... and remove my "proof of concept" html file, as it would probably do more harm than good.

Yeah.. I tried to get in touch with them. But most likely they're all sleeping :/

Hi everyone,

Thanks for everyone's help in getting to the bottom of this issue. We have committed a fix for this to the SVN trunk of blog. If you are using trunk, the best thing to do now is to update to the latest revision of trunk - r81263.

For those of you on version 0.2.0 of blog, we will be releasing an 0.2.1 release in the next few hours. The 0.2.1 release will be the same as 0.2.0 except for this fix.

Thanks,
Sam