Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

onyaktech hacked.
New Post
6/26/2006 6:05 PM
 
Hmmm - I wish the owner of said component could confirm if this was the case - would be nice to know if this was the vulnerability affecting high-profile DNN sites.

Chris - could you perhaps confirm if this was or was not the case with your website here? Would allay some fears...

Thanks




Entrepreneur

PokerDIY Tournament Manager - PokerDIY Tournament Manager
PokerDIY Game Finder - Mobile Apps powered by DNN
PokerDIY - Connecting Poker Players

 
New Post
6/26/2006 6:18 PM
 

With respect, I think Chris has more pressing problems than replying to this thread.

However, I've done some further checking and can confirm that the problem is with the 3rd party component that I suspected. As the alert went out nearly 2 months ago, I can only assume that the mail got caught in a spam filter, and that he also missed the various other blog and email posts.

Cathal


 
New Post
6/26/2006 6:44 PM
 

Then since it was blogged, posted, emailed... why can you not mention it?

Something... as the risk is very high, obviously.

I know what it is... just not going to say so.

 
New Post
6/26/2006 7:08 PM
 

It's simple good practice - detailing the component in a public forum whilst the site is still vulnerable is virtually an invite to people to try the hack.

It's not that I can't mention it, it's that I won't until Chris has had a chance to fix his site. I expect many people to already know what it is, I just choose not to discuss it publicly at this time. Frankly I debated removing this thread to give him more opportunity to fix it, but I felt it better to have a public thread that would stop people being afraid that there was a DotNetNuke issue.

Cathal

 

 


 
New Post
6/26/2006 7:59 PM
 
I have been watching this incident for a while now and it seems to be getting worse, not better. Go to Zone-h.org and search the defacement archives under "access violation". That is practically all that access violation has been hitting for the last two months (ever since nobody coder shared it would be my guess). I was completely new to DNN until this incident brought me here; a 3rd party client contacted me to find out how his server got defaced and I discovered the vulnerability. I was able to find quite a few vulnerable sites with a simple Google search (I did contact the site owners to make them aware of the situation). Unfortunately this is not being used just for defacements; I have seen shell code and password stealing code on some of the sites I worked with and the sites were never defaced. This incident is being reported in the security community as an "unspecified" DotNetNuke Vulnerability, not the 3rd party module vulnerability which it is. So like it or not, Cathal, you are the focal point of this debate because the vulnerability has been (incorrectly) associated with your product. You may want to consider sending an email clarifying the situation to places like zone-h.org, securitytracker.com, and qualsys.com to put some distance between the 3rd party publisher and DNN. The exact details of this vulnerability are already out, it just has not gotten very much attention yet.
 