DNN Community Forums: Home > Our Community > General Discuss... > PowerDNN Security Hotfix

Posted 5/23/2008 6:55 PM
Bill Yonder wrote:

In another post, charles said this issue has existed for 12-18 months! I would expect that with something that has been around that long that they would already have an official patch.

Being around for any period of time does not mean we were aware of it. The point we were making is that it was not a serious enough issue to go publicising it so widely without informing the developers of the software of the issue.

We take ALL security issues seriously - the problem with this issue is that it was made public without any thought to the consequences, leaving us to deal with the backlash.

How would you like it if your neighbour put a sign outside of his house - saying - "I have a security system, but look on the back of this sign and you will see a list of all the houses in the neighbourhood that don't".

Charles Nurse
Chief Architect
Evoq Content Team Lead,
DNN Corp.
MVP (ASP.NET) and ASPInsiders Member
Posted 5/23/2008 7:23 PM

Bill Yonder wrote:

When is that going to be? Today? Next week? Next month? Any ETA at all?

Bill

The whole point of the PowerDNN Security Scammer was that you can pay them to fix it for you and alleviate the fear that they so purposefully generated. I'm sure they'll still be perfectly happy to sort it out for you if you can't wait.

Rob

Posted 5/23/2008 7:50 PM
I think there is a misconception in the community at the moment. What PowerDNN has referred to as a "patch" or "hotfix" for their customers is actually not a solution at all. Instead, it was a way of preventing a hacker from exploiting a security hole. In order to do this, PowerDNN simply removed some key functionality from all of their customer sites (i.e. they deleted some files which provide some key content management functionality). When they eventually reported the issue to us, it was in the form of an application which could be used to demonstrate the exploit. It was not a solution to the problem. PowerDNN offered no solution and instead relied on us to figure out the appropriate solution, implement it, test it, etc. Unfortunately, they gave us no actual time to accomplish this before they released a public press release announcing their findings. I have been quiet today as we focussed on solving the security problem. A 4.8.3 security release has been created. It solves the 2 issues which PowerDNN reported as well as another more serious security issue which was reported to us through proper channels (and which PowerDNN as well as their customers are currently susceptible to). Once we have the opportunity to run a few more tests, we will be making the 4.8.3 security release available to the entire community. I will not be making any more forum posts about this topic until this occurs. Thank you for your patience and professionalism.


My comments are my own and are offered WITHOUT PREJUDICE

Shaun Walker
http://www.siliqon.com
Posted 5/23/2008 8:32 PM

Bill Yonder wrote:

When is that going to be? Today? Next week? Next month? Any ETA at all?

Bill
Good Golly Miss Molly Bill Yonder -

Give it a break. Obviously they're workin' on it.

Our good friends in DNN core-ville are maybe not so good at controlling themselves when their blood's up and someone's done them wrong ... but they have an excellent track record when it comes to getting the technical job done. And the "policy and procedure" side has matured nicely. I find the comment about a 'known' issue for 18 months rather disconcerting, too, but hey ... Let them be and let's move on. We can look for answers to that one after the dust has settled.

At this level, you don't just slap a couple-three lines of code into a procedure and throw it out to the public. Regression testing takes real time. Be thankful they are willing to spend that time in spite of those who clamor for immediate gratification ... nobody's perfect, but they do know what they're doing.

DNN core: I suggest that you identify a media spokesperson - someone who is good at the language, good with people, and who will act as the 'mouth' of DNN core in situations like this. Not to muzzle all the rest of you, and certainly we do want to know what you all think - it's great and instructive reading, and very important information besides - but in the midst of the situation, it is NOT helpful to have everybody putting out equally official or non-official statements ... let one person or one small team handle the PR. AS LONG as they provide good, substantive and frequently released information ... we'd probably all benefit.

It's probably an inevitable step in the maturity curve anyway. Would have stood us in good stead through this debacle.


pmgerholdt
Posted 5/23/2008 9:20 PM

Michael Gerholdt wrote:

Bill Yonder wrote:

When is that going to be? Today? Next week? Next month? Any ETA at all?

Bill

Good Golly Miss Molly Bill Yonder -

Give it a break. Obviously they're workin' on it.

Our good friends in DNN core-ville are maybe not so good at controlling themselves when their blood's up and someone's done them wrong ... but they have an excellent track record when it comes to getting the technical job done. And the "policy and procedure" side has matured nicely. I find the comment about a 'known' issue for 18 months rather disconcerting, too, but hey ... Let them be and let's move on. We can look for answers to that one after the dust has settled.

Instead of assuming the worst, we should just take a little more time to understand exactly what was said. Charles never said it was a "known" issue for 18 months. He said it existed. There is a big difference. PowerDNN was the first to find the exploit, there is no disputing that fact. I believe the point that Charles has been trying to make is that the code that introduced this issue was created many months ago. This means that it has been in the application for several releases. I believe Shaun has also stated that even though this issue was present, DotNetNuke still passed numerous third-party security audits.

Why is it so difficult to understand that had this been handled properly, it would still be business as usual for the DotNetNuke Community? We all would have been properly patched, and probably sooner, had the Core not had to deal with all this chaos, or even better, been notified promptly.


Will Morgenweck
VP, Product Management
DotNetNuke Corp.