
Is DotNetNuke.com Insecure?
New Post
5/22/2008 2:55 PM
 

I have spent an hour reading the threads around this site to catch on the situation. Hopefully everyone can learn from this and keep DNN the best Open Source alternative out there - as well as being as safe as is possible.

Just one thought - there has been discussion about how the Security Scanner exposes the DNN version of a website (along with some general info on possible threats) and someone could use this information to exploit security holes in earlier versions if they have not been patched.

I noticed on one site of my own that the DNN version was publicly displayed in the title when surfing to my site:
"My Website -> Start (DNN 4.1.1)" in this case. (Yes, it is an old site that I have neglected and not updated to latest versions due to 3rd party modules).

I am not sure everyone is aware of this and that you need to turn off the "Display Copyright" option in Host settings to hide it from public view. This version detection is more accurate than the Security Scanner... I am not sure if this problem only exists on old DNN versions or if it is connected to the skin applied? Anyway - you better check your sites just in case... And perhaps consider upgrading once 4.8.3 is out...

/S

 
New Post
5/22/2008 3:26 PM
 
One must admit this is a bright move. Putting the scanner publicly available online is the best thing one can do to map world wide DNN installations. Isn't that the wet dream of a dedicated DNN hosting company coming true? No wonder it is still online in spite of the flaming.

Yehuda Tiram
AtarimTR
972-2-5700114   |   972-54-4525492   |    http://www.atarimtr.co.il
 
New Post
5/22/2008 3:26 PM
 

Sölve Dahlgren wrote

I have spent an hour reading the threads around this site to catch on the situation. Hopefully everyone can learn from this and keep DNN the best Open Source alternative out there - as well as being as safe as is possible.

Just one thought - there has been discussion about how the Security Scanner exposes the DNN version of a website (along with some general info on possible threats) and someone could use this information to exploit security holes in earlier versions if they have not been patched.

I noticed on one site of my own that the DNN version was publicly displayed in the title when surfing to my site:
"My Website -> Start (DNN 4.1.1)" in this case. (Yes, it is an old site that I have neglected and not updated to latest versions due to 3rd party modules).

I am not sure everyone is aware of this and that you need to turn off the "Display Copyright" option in Host settings to hide it from public view. This version detection is more accurate than the Security Scanner... I am not sure if this problem only exists on old DNN versions or if it is connected to the skin applied? Anyway - you better check your sites just in case... And perhaps consider upgrading once 4.8.3 is out...

/S

4.8.x removed the version from the copyright credits as well, so even with the option selected it will not be an issue.


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
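
The check suggested in the posts above ("you better check your sites just in case"), as an added example that is not part of the original thread: it reads the `<title>` of HTML saved from your own sites and reports any that carry a version in the `(DNN x.y.z)` form quoted earlier. The page names and sample HTML are constructed for illustration, and the pattern is assumed from that one quoted title.

```python
import re
from html.parser import HTMLParser

# Assumed from the title quoted in the thread: "My Website -> Start (DNN 4.1.1)"
VERSION_IN_TITLE = re.compile(r"\(\s*DNN\s+(\d+(?:\.\d+){1,3})\s*\)", re.IGNORECASE)


class TitleExtractor(HTMLParser):
    """Collects the text of the first <title> element only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._in_title = False
        self._done = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self._done:
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self._done = True

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def disclosed_version(html):
    """Return the version string shown in the page title, or None."""
    parser = TitleExtractor()
    parser.feed(html)
    parser.close()
    match = VERSION_IN_TITLE.search(parser.title)
    return match.group(1) if match else None


def audit(pages):
    """pages maps a label to saved HTML; returns {label: version} for leaks."""
    hits = ((name, disclosed_version(html)) for name, html in pages.items())
    return {name: version for name, version in hits if version}


# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "old-site": "<html><head><title>My Website -&gt; Start (DNN 4.1.1)</title></head></html>",
    "copyright-off": "<html><head><title>My Website -&gt; Start</title></head></html>",
    "mixed-case": "<html><head><TITLE>Shop ( dnn 4.6.2 )</TITLE></head></html>",
}
```

Any site that `audit` returns still shows its version to every visitor; per the posts above, turning off "Display Copyright" in Host settings or running 4.8.x removes it.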
 
New Post
5/22/2008 3:39 PM
 

Yehuda Tiram wrote

One must admit this is a bright move. Putting the scanner publicly available online is the best thing one can do to map world wide DNN installations. Isn't that the wet dream of a dedicated DNN hosting company coming true? No wonder it is still online in spite of the flaming.

 

Google does a much better job at it, it's not that hard to locate DNN installations if you know what to search for.


Affordable DNN Hosting & Support - www.ihostasp.net
Slavic Kozyuk
IHOST, LLC
Call toll-free: 1.800.593.0238
 
New Post
5/22/2008 3:49 PM
 

I just wanted to let everyone know that the 24 hours has been extremely busy but the scanner is taken down. We were trying to rush out the new version with many of the changes recommended by Chad and Mitch implemented, but time was ticking so the scanner has been taken down. The next version will require authentication to do scans. In the future, we will continue to patch security vulnerabilities as we find them. However, we will more carefully disseminate information going forward. My main concern is with the core not classifying this as critical. We run a business, and our revenues come from our web site, many of our customers are in the same boat. When an overlooked piece of code can be exploited to blow away your entire site without having any sort of access, that is very serious. I categorically disagree with the recent assertion that this was fear based marketing and that the bug is not critical. It may not be critical under the core team's security guidelines, but when you are a service provider downtime is untolerated for mission critical websites. We gave the core all of our information 24 hours after patching our customers, I refuse to let us or any other honest DNN company be punished for offering a service to anyone running a DNN site. This is what is great about the DNN ecosystem, we can offer all these products and services because the market will bear the cost. If there is a demand there, it is our job as DotNetNuke vendors to satisfy that demand. We apologize as a company for how the information was made public so rapidly, it was never our intention to cause such commotion. Still, moving forward, we will continue to push the envelope with DNN whether it's offering high end services, security updates, extensions, or optimizations.

 