Is DotNetNuke.com Insecure?
New Post
5/23/2008 10:14 AM
 

I would still like to know how serious this exploit is. As someone with a lot of portals, the cost of upgrading them could be significant.

 
New Post
5/23/2008 10:43 AM
 

 

WOW! I can see how vicious some people can get.

I think that people who think PowerDNN had some malicious intent ought to take a step back.

Joe

 
New Post
5/23/2008 11:11 AM
 

Shaun Walker wrote

8. Wednesday night - we have verified that there is indeed an issue. However, our first revelation was that it does not allow an anonymous user to execute arbitrary SQL scripts or make arbitrary changes to the web.config, as was claimed in the PowerDNN security advisory. This lowers the risk assessment considerably. We have already come up with a code change which should solve the issue permanently and will include it in a 4.8.3 core release. Please be patient as we work through our standard security process for the benefit of the community.

In summary, it appears that a combination of inexperience, greed, and impatience resulted in the perfect recipe for disaster today. I hope tomorrow will be a better day.

I'd like to see a little bit more confidence in the resolution than just "should fix the problem". Out of everything posted to date on the subject, that one line is the single most disturbing to me.

I recently had work done to the brakes on my truck. I think I would have a problem if the mechanic told me that there was a flaw in the brake system by the original manufacturer and then said that this "should fix the problem". Yeah, that's a lot of confidence, thanks buddy.

On a side note, I can never say enough good things about PowerDNN. While I can certainly agree that things may and should have been handled differently in this case, I find it highly offensive that anyone could sit here and label them as being opportunistic or greedy.

The finger pointing and insinuations though show a complete lack of professionalism in an otherwise stellar community.

 

 

Edward DeGagne | Applications Engineering Manager
ektron, inc.
542 Amherst Street, Route 101A | Nashua, NH 03063

 
New Post
5/23/2008 11:26 AM
 

I'd like John Grange to explain what the press release PowerDNN published up on PRWeb ( http://www.emediawire.com/releases/DotNetNuke/Security/prweb964344.htm ) has to do with these statements he has made concerning this security issue:

"This issue affects so many sites that we want to protect community by releasing the information in a thoughtful way."

"This has been very far from a "fear-based marketing attack", no e-mails were sent to anyone except our own customers, that's not marketing that's communication."

"I do not believe this is very far off from what other companies would do except our issue just happened to become very public."

 
New Post
5/23/2008 12:08 PM
 

Ed, my apologies for the slip-up in wording. At the time I wrote the post we were still doing an investigation into the problem to fully understand all of the vectors and severity level. But there should be no doubt about one thing - we have fully and completely patched every security problem which has ever been reported to us in the DNN framework. This process can be very challenging and often takes time to ensure every use case is properly mitigated. But at the end of the day, we fully understand that the community trusts and relies on us to ensure their DNN installations are secure. Therefore, it would be irresponsible for us to release a patch which simply masks the problem, puts a band-aid on it, or even makes it worse. We deal in absolutes; therefore, a 100% solution is the only option. At this point, we already have a complete solution to the recent items reported by PowerDNN and we are running it through a variety of test cases to ensure full coverage.


My comments are my own and are offered WITHOUT PREJUDICE

Shaun Walker
http://www.siliqon.com
 