My org is purchasing an ecommerce cart system that will only run on DNN 4.4. As far as i (as our webmaster) can tell it's a custom DNN module, it will not host user generated content, blogs or anything else, it will be a separate site on the same server as our main website.

The vendor of our online ticket system is insisting that they will not upgrade beyond DNN 4.4 as there have not been enough changes. But when i look at the bug tracker i see many very important security updates. I have tested a simple exploit and DNN 4.4 is indeed vulnerable to http://www.securityfocus.com/archive/1/492793 which would allow an attacker to manipulate a page and redirect the user in a phishing attack.

My advice to the org is not to put the system in to production until the vendor can assure us that we will be supported on recent and future versions of DNN 4.x.

I don't have much experience with DNN, but would never put such an out dated Drupal system in to production especially where personal data and e-commerce is involved.

Is it reasonable to expect a vendor to maintain compatibility with 4.x and is it possible to secure DNN 4.4 against all know exploits?

In DNN time... 4.4 is mighty old (2 years)... subject to more than half of the security advisories listed.  I would personally find it difficult to believe that an application which has not been updated for it's target platform in 2 years would be better supported in the future?  Unless, perhaps, they have chosen to wait to upgrade to version 5.1 (which is slated to go into beta next month)... but that would be a stretch.

If DNN integration is required, there are several good, well supported options out there.  If it's NOT required... there are obviously a lot more.  But as you have articulated the situation, it does not sound like the best choice.

Cheers

Scott Willhite, Co-Founder DNN

Hi fungi,

You've got some big names in DNN answering this post, and from a less known developer in DNN I would have to say if the responsibility for the system stands with you, be very careful.  I myself have developed NB_Store (e-commerce) and one of my golden rules is to try and make sure it  can upgrade to the next release.  This is sometimes impossible, because we don't know what the next release of DNN  will bring.  But in my expreriance if the DNN module is correctly integrated into DNN then upgrades to DNN seem to be painless (Not always the case, but exceptions always break the rule).  This leads me to think 4 things about your vendor:

1 - They've tested the application within the environment it exists in and believe no threats exists. (This is possible, depending on the structure, software changes and environment)

2 - They don't want to spend any money in testing an upgrade.(Hmm!!! say no more!!)

3 - They've change the DotNetNuke core in order to deal with your specific requirements (Not a bad thing if it's been dealt with correctly, hence upgrade may not need doing because the security issue are redundant or superceeded with their changes, but this would mean continual checking and could also be the reason they don't want to upgrade!!)

4 - The developer that did the original changes has left the company and they find themselves with a lack of DNN expertise (Could be a big worry!!)

In conclusion, you need to understaand why they can't upgrade? Their answers could give you the information you need.

Best of Luck,

Dave.