DotNetNuke Security hole found by PowerDNN Hosting
New Post
5/21/2008 10:22 AM
 

Does anyone know anything about this?  I got an email from them at 2:45am this morning announcing that they had discovered a security flaw in DNN, and had applied a patch to all of their existing customers.  ...I have 3 sites with them, so I was pretty happy.  But I also have 1 DNN site not on their servers (not by my choice).  I ran their DotNetNuke Security scanner against it, and it showed that the other site did have the security flaw.

Here's the Security Scanner they have to look at any DNN site you have.
http://www.powerdnn.com/Security/tabid/287/Default.aspx
If you host with them, they've already fixed your site.  If you don't, and the scanner finds the vulnerability, they will help you fix it for a modest $20 fee.

Does anyone know anything about this security hole?  Is there a general DNN patch for it yet? 

Below are the results of the PowerDNN Security Scan when run against my non-PowerDNN site.

Any Website Viewer can Alter your web.config Hyper-Critical Details...
A security vulnerability in DotNetNuke exists that allows any website visitor to alter your web.config file.
Any Website Viewer can execute SQL Scripts on your Database Hyper-Critical Details...
A security vulnerability in DotNetNuke exists that allows any website vistor to run SQL commands against your DotNetNuke database. This can result in complete site corruption.

  When is a patch going to be available for this security hole?  I installed this site less than a month ago, with the latest binaries. 

 

 
New Post
5/21/2008 11:02 AM
 

Ran the test and checked my server logs, and as far as I can tell all it did was access my site and check the DNN version.  Doesn't seem to actually do any penetration testing or other security testing.

Not sure what hole they're claiming, don't appreciate them charging a consulting fee instead of publishing the information.  Hopefully they at least reported it to the core team.

Jeff
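
One way to do the kind of log check described in the post above, as an added example that is not part of the thread: summarize everything a single client address requested from an IIS W3C extended log, and list any request that was not a plain GET/HEAD without a query string. The log lines, IP addresses and paths are constructed sample data, and `parse_w3c` and `summarize_client` are hypothetical helper names.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format; IPs, paths and times are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-21 15:40:02 203.0.113.7 GET /Default.aspx - 200
2008-05-21 15:40:03 203.0.113.7 GET /Portals/_default/default.css - 200
2008-05-21 15:41:10 198.51.100.20 POST /Default.aspx tabid=36&ctl=Login 200
2008-05-21 15:41:30 203.0.113.7 GET /favicon.ico - 404
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def summarize_client(text, client_ip):
    """Summarize what one client did; flag anything beyond a plain page fetch."""
    rows = [r for r in parse_w3c(text) if r.get("c-ip") == client_ip]
    flagged = [r for r in rows
               if r["cs-method"] not in ("GET", "HEAD") or r["cs-uri-query"] != "-"]
    return {
        "requests": len(rows),
        "methods": dict(Counter(r["cs-method"] for r in rows)),
        "paths": sorted({r["cs-uri-stem"] for r in rows}),
        "statuses": dict(Counter(r["sc-status"] for r in rows)),
        "needs_review": [(r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
                         for r in flagged],
    }


if __name__ == "__main__":
    # 203.0.113.7 stands in for the scanner's address (an assumption).
    print(summarize_client(SAMPLE_LOG, "203.0.113.7"))
```

An empty `needs_review` list means the client only fetched pages and static files, which is consistent with a version check rather than active testing.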

 
New Post
5/21/2008 11:23 AM
 

GMartin:

What version of DNN are you running?

Have you reported this to security@dotnetnuke.com?

Also, take the warnings with a grain of salt; modifying the web.config and running any SQL Script is not that easy if the server is set up properly and the admin/host accounts are not compromised.  I don't think there are any widespread security holes in DNN but you have to be careful with a misconfigured server, which they should be helping you with.

Carlos

 

 
New Post
5/21/2008 12:13 PM
 

My guess is that this is an exploit in the core code, and, working with the DNN core team per the "security policy", they are not able to publish the fix.


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
 
New Post
5/21/2008 1:46 PM
 

I contacted PowerDNN for help with this issue (I have sites hosted with them but I manage other sites that are hosted by us). I just got off the phone with a technician and via LiveMeeting we were able to patch our sites quickly and easily. It was painless and yes it cost a bit but I will sleep well tonight knowing that I won't wake up to a hell job tomorrow!

PowerDNN is the best DNN host going!

I cannot say enough good things about them. They KNOW DNN and they love it. The only reason they would not publish this fix is that doing so would put at risk thousands of DNN sites. It's up to the core team to quickly come up with a fix and release a new version. If you are not running the most recent version you are AT RISK!

 