It's been a long day and in the interest of transparency I think it's only fair that I share all of the details so that the community can come to their own conclusions about what happened.
1. On Monday, PowerDNN believed they had discovered a security vulnerability in the DotNetNuke framework. They claim they then tried to send the details to the security@dotnetnuke.com alias; however, the DNN Corp email logs show no such evidence of this message reaching our servers.
>> Note: we were actively working on a separate security incident over the past week and have used the security email alias extensively for this purpose. There are 5 members of the DotNetNuke Security Task Force and nobody received any communication from PowerDNN.
2. On Tuesday, PowerDNN built a complete functional application which validates the security exploit. Although they never received any response from us related to their earlier security message, they did not bother to follow up and attempt to contact us using any number of channels.
>> Note: Tony and John both have my personal cell phone number. Tony is on my IM list. My personal email address is posted publicly. Tony used to be a member of one of the DNN project teams. There are numerous ways which PowerDNN could have contacted us if they were so inclined.
3. Late Tuesday night, PowerDNN deployed a Security Scanner tool which claims to check a website for security vulnerabilities. It is supposedly intended for PowerDNN customers, but since it is publicly available, anyone in the community is free to use it. The scan instructs non-PowerDNN customers that they can pay a $20 fee to have the issue resolved.
>> Note: The security scanner simply tries to guess what version of DNN you are running based on the existence of certain files. Once it has made its educated guess, it cross references the version to our publicly posted list of past security issues on our Security Policy page. Since the tool is not intelligent enough to do a deep scan, it makes the (incorrect) assumption that a site is vulnerable and then asks the user to pay PowerDNN to fix it.
>> Note: PowerDNN asks for full FTP access to your site. In at least one verified instance, the only actual modification they make to the site is the deletion of one file. Deleting the file may deal with the immediate risk, but does not represent an actual solution to the problem. I assume that because PowerDNN does not have the expertise or the ability to fix the problem themselves, they planned to share exploit details with us at some point so that we can include a proper solution in an upcoming release.
>> Note: PowerDNN still has not taken down the scanner tool, even though they have received numerous requests to do so. The problem with the scanner is that it can be used by malicious hackers to sniff the DNN version of a site and determine the exploits which can be attempted. The existence of this tool poses a major security threat to the community and PowerDNN continues to inflict damage with every passing hour that it remains operational.
4. Last Tuesday night, PowerDNN sent out a general email to all of its customers titled "CRITICAL SECURITY NOTICE" as well as posting a general press release on its website (which is still active as we speak). DotNetNuke Corporation began receiving email inquiries almost immediately asking if the claims are substantiated. At this point we had heard nothing about the security issue; therefore, we responded that PowerDNN should follow our standard security policy and submit the details of the exploit immediately.
>> Note: Prior to communicating security information to customers, I think it may have been a good idea to actually communicate with the owners of the platform first. Then, we would have had a proper response for these customers. Instead, we basically had to tell them that PowerDNN was not behaving professionally and that perhaps they should be investigating other hosting provider options.
5. On Wednesday morning, users who have become aware of the PowerDNN press release begin to post their questions to the forums on dotnetnuke.com, asking if the security issue is valid. Again, we are left with no choice but to explain that PowerDNN has not yet contacted us. The whole experience begins to go from bad to worse.
>> Note: With the Core Team, Module Developers, Skinners, System Integrators all affected by PowerDNN's poor judgement, they begin to feel the wrath of a scorned community. Significant damage is done to PowerDNN's reputation as a leading hosting provider for DNN. It is unfortunate that an incident such as this can erode the good will which has been created over time.
6. PowerDNN defends their position in the forum by explaining that they felt an obligation to protect their customers. The problem is that their inexperience in dealing with security matters and their limited focus on just their own customers results in a larger risk to the entire DotNetNuke community.
>> I think that with their very limited security knowledge, PowerDNN tried to keep the actual details of the security issue confidential. The problem is that once they started charging $20 for patches, some of these customers were savvy enough to do a basic snapshot comparison of before and after and look for differences. Now, this type of activity happens every time we do a security release; however, the difference in this case is that DNN Corp has not had adequate time to assess the issue, construct a solution, package a release, test the new version, etc. So basically, PowerDNN has naively put the DNN community at risk.
7. Wednesday afternoon, I call Tony Valenti directly by telephone and he explains the security issue to me. This is the first I have heard any details and he offers to send me the full instructions on how it can be exploited. We receive an email at the security@dotnetnuke.com alias shortly thereafter which contains a package detailing the exploit.
>> Note: I am not sure why Tony took the position that someone from DNN Corp had to reach out to him first. In almost every other security incident in the past, the third party has come to us with full intentions of cooperating. The hesitation from PowerDNN in this case seems to indicate that they were more interested in collecting the $20 per user rather than working with the best interests of the community in mind.
8. Wednesday night: we have verified that there is indeed an issue. However, our first revelation was that it does not allow an anonymous user to execute arbitrary SQL scripts or make arbitrary changes to the web.config, as was claimed in the PowerDNN security advisory. This lowers the risk assessment considerably. We have already come up with a code change which should solve the issue permanently and will include it in a 4.8.3 core release. Please be patient as we work through our standard security process for the benefit of the community.
In summary, it appears that a combination of inexperience, greed, and impatience resulted in the perfect recipe for disaster today. I hope tomorrow will be a better day.