Is DotNetNuke.com Insecure?

New Post
5/21/2008 6:19 PM
 

I think one mistake we made was offering the patch to the public, which we thought was helpful.  We should have limited it completely to PowerDNN customers but the word still would have got out and we would have had the exact same complaints.  The fact of the matter is that this is an open source piece of software.  In every open source platform there are always critical bugs that the users usually have to wait until the next release for.  Enterprise users require quicker updates and are willing to pay for it.  When you are a PowerDNN customer you are getting premium service and support for an open source platform, and you pay for it.  If there is a demand for a service, it is our job as business managers to accommodate that demand.  I agree that we should have waited on offering this to non-PowerDNN customers, but the fact of the matter is that there were A LOT of people willing to pay the small price to secure their site.  We are one of the few companies out there who employs an intensive DNN training program for all employees and specializes only in DNN.  This allows us to focus our dedicated resources on securing, optimizing, and extending the product we support.  This is what enterprise customers want, and they will pay for it.  We should not be criticized for meeting these demands to grow our DNN based business.  DotNetNuke is our entire business and we love it, and we will always push the envelope and offer the largest selection of business critical DNN services.

 
New Post
5/21/2008 6:51 PM
 

John,

no, your main issue was first to think about your business and second about making money. This totally lacks responsibility towards the OS product and the community you built your business on.

As Brandon Haynes stated before: 
> Free business advice to PowerDNN:
>Cost of community-wide PR disaster > $20 * COUNT(Panicked Webmasters)

Hope you will get it, I am really disappointed about this experience.

 


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
5/21/2008 7:17 PM
 

Plus John you have a tool that "will scan your DotNetNuke website for numerous security vulnerabilities".

Forgive me if I'm wrong (please correct me!)... but well from what I have read, all it does is find out what DNN version you have and check that against a database of known issues. I guess technically you can call this a scan, but it's hardly comprehensive; how would it detect a website that had these issues already fixed/patched by means other than a full build? Why don't you just say it produces a report of known issues just by detecting which version of DNN you have?

In fact it would be a pretty cool tool if done in such a way that avoids such a public display and quick bucks. Maybe you could have distributed an internal module that gets installed on the site to be scanned, that allows the scan to take place reasonably securely (i.e. only the module is allowed to call the service up via host account, which compares a public and private key being distributed between sites). You could then get money for this service provided you told people exactly what you were doing here, as you may be saving people time they don't have.

I still hope you can come clean with everything so it can all be put behind. I think everybody recognises that they all make mistakes..... It's also great damage limitation.



Alex Shirley


 
New Post
5/21/2008 7:17 PM
 

JohnGrange wrote:

> I think one mistake we made was offering the patch to the public,

I was thinking it was not making sure that DotNetNuke was 100% aware before posting a press release on your home page offering a "Let me find a DotNetNuke site to hack tool".

> The fact of the matter is that this is an open source piece of software.  In every open source platform there are always critical bugs that the users usually have to wait until the next release for.  Enterprise users require quicker updates and are willing to pay for it.  When you are a PowerDNN customer you are getting premium service and support for an open source platform, and you pay for it.  If there is a demand for a service, it is our job as business managers to accommodate that demand.

Since PowerDNN found the exploit and knew the full details, I would think that you could have put request filters in place to block the exploit instead of a PowerDNN-exclusive patch.

> I agree that we should have waited on offering this to non-PowerDNN customers, but the fact of the matter is that there were A LOT of people willing to pay the small price to secure their site.  We are one of the few companies out there who employs an intensive DNN training program for all employees and specializes only in DNN.  This allows us to focus our dedicated resources on securing, optimizing, and extending the product we support.  This is what enterprise customers want, and they will pay for it.  We should not be criticized for meeting these demands to grow our DNN based business.  DotNetNuke is our entire business and we love it, and we will always push the envelope and offer the largest selection of business critical DNN services.

Personally, I think you are being criticized for turning a negative situation for the community into a rewarding experience for PowerDNN.

Getting back to your security scan tool, you really should reconsider the public availability.  Since you are asking for a fee, it could be considered false representation under some circumstances.  A better idea would have been to make this a free module, sponsored by PowerDNN, that did a true scan.  See the screens below to see how your scan tool can provide false results.

Will Morgenweck
VP, Product Management
DotNetNuke Corp.
 
New Post
5/21/2008 8:20 PM
 

The so-called "scanner" probes DNN upgrade log files in the /Portals/_default/ folder and attempts to guess the version of DNN the target domain is using. Once the version number is guessed, they simply list all known vulnerabilities for that particular DNN version range. This "tool" has no capability of detecting particular threats and does not have the ability to correctly determine the actual DNN version it is scanning with 100% accuracy.

As a hosting provider ourselves, we view this as nothing more than a scaremongering attempt aimed at causing widespread panic among DNN webmasters, especially those that are not using PowerDNN. The value of this tool is marginal to none; however, the PR stunt is superb.

Below is the IIS6 log of actual activity this “scanning” tool causes on the server:

2008-05-21 22:56:31 GET /KeepAlive.aspx - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 594 85 156
2008-05-21 22:56:31 GET /Portals/_default/00.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.00.08.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 38108 76 171
2008-05-21 22:56:31 GET /Portals/_default/03.00.12.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 2010 76 78
2008-05-21 22:56:31 GET /Portals/_default/03.01.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 357 76 31
2008-05-21 22:56:31 GET /Portals/_default/03.02.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 1302 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.02.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 340 76 31
2008-05-21 22:56:31 GET /Portals/_default/03.03.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 1835 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.03.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:31 GET /Portals/_default/04.03.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 429 76 31
2008-05-21 22:56:31 GET /Portals/_default/04.05.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 1184 76 46
2008-05-21 22:56:31 GET /Portals/_default/04.05.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 73611 76 140
2008-05-21 22:56:31 GET /Portals/_default/04.06.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:31 GET /Portals/_default/04.07.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/04.08.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/04.08.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/04.08.02.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/04.08.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/05.00.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.02.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/05.00.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/05.00.04.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.05.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.01.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/10.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31

If you are a DNN hosting service provider and are concerned about your clients' sites being "scanned" by this tool for malicious purposes, block the following IP ranges at the firewall:

216.58.224.0 - 216.58.255.255
216.58.236.1 - 216.58.236.63

This IP range belongs to COSENTRY.NET, a datacenter service provider PowerDNN is using to colocate their servers.

 


Affordable DNN Hosting & Support - www.ihostasp.net
Slavic Kozyuk
IHOST, LLC
Call toll-free: 1.800.593.0238
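As an added example (not from the thread or from any of the posters), a Python check a hosting provider could run over IIS6 W3C logs like the one above to spot the fingerprinting pattern described: a burst of requests for /Portals/_default/<version>.txt from one client. The burst thresholds and the contrasting 192.0.2.10 line are assumptions, and the "inferred version" heuristic (highest upgrade log that returned 200) is my reading of what such a scanner learns, not the tool's documented logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IIS6 W3C field order as in the log above: date time method uri-stem query port
# user client-ip version ua cookie referer host status substatus win32 sc-bytes cs-bytes time
UPGRADE_LOG = re.compile(r"^/Portals/_default/(\d{2}\.\d{2}\.\d{2})\.txt$", re.I)

def parse_line(line):
    """Return (timestamp, client_ip, uri_stem, status), or None for #comment/malformed lines."""
    f = line.split()
    if len(f) < 19 or f[0].startswith("#"):
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return ts, f[7], f[3], int(f[13])

def detect_version_probes(lines, min_probes=5, window=timedelta(seconds=60)):
    """Flag client IPs that fetch min_probes+ DNN upgrade-log files inside `window`
    (thresholds are assumptions). 'inferred_version' = highest file that returned 200."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, uri, status = rec
        m = UPGRADE_LOG.match(uri)
        if m:
            probes[ip].append((ts, m.group(1), status))
    findings = {}
    for ip, hits in probes.items():
        hits.sort()
        # Burst test: any min_probes consecutive hits whose timestamps span <= window.
        if not any(hits[i + min_probes - 1][0] - hits[i][0] <= window
                   for i in range(len(hits) - min_probes + 1)):
            continue
        present = sorted(v for _, v, s in hits if s == 200)  # zero-padded, so lexicographic order is fine
        findings[ip] = {"probes": len(hits), "present": present,
                        "inferred_version": present[-1] if present else None}
    return findings

# Sample input: lines copied from the log above, plus one constructed benign request from 192.0.2.10.
SAMPLE_LOG = """\
2008-05-21 22:56:31 GET /Portals/_default/00.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.00.08.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 38108 76 171
2008-05-21 22:56:31 GET /Portals/_default/04.03.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 429 76 31
2008-05-21 22:56:31 GET /Portals/_default/04.05.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 73611 76 140
2008-05-21 22:56:32 GET /Portals/_default/04.06.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:57:10 GET /Portals/_default/04.05.01.txt - 80 - 192.0.2.10 HTTP/1.1 - - - www.somedomain.com 200 0 0 73611 76 140
"""
```

The same check also tells you what the scanner could learn about a host, which is the argument for moving the upgrade logs out of the web root rather than only blocking one IP range.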