
Is DotNetNuke.com Insecure?
New Post
5/22/2008 4:16 AM
 

9. Thursday. PowerDNN changes the functionality of their "security scanner". They rename the first button to click from "Next" to "Submit Order". However the instructions still state "Please press Next to continue the wizard." and we see no actual change in functionality.

Tony Valenti wrote
the proof of concept application that we gave the DotNetNuke core team demonstrated a catastrophic, unrepairable destruction of a DotNetNuke website. 

I'm sorry but this does not sound like the mild mannered tones of a security expert. In fact I'm very surprised that capital letters were not used.



Alex Shirley


 
New Post
5/22/2008 4:36 AM
 

Tony Valenti wrote

Although the message above seems to have marginalized the two security issues that we have reported, the proof of concept application that we gave the DotNetNuke core team demonstrated a catastrophic, unrepairable destruction of a DotNetNuke website.  The actions required no user accounts, no special roles, no privilege escalation - just regular access to view the site.

@Tony: I'd stop fighting this out in public.

@Shaun: Thanks for dealing with this in such a swift and professional way.

@All those that are worried: DNN has a solid mechanism for dealing with vulnerabilities. I've argued in articles and presentations that because of this and the fact that O/S means 'many eyes', we can consider the platform to be more safe than others. Of course there is no piece of software that can claim it has no holes. The best solution is to have a good 'reporting and fixing' procedure in place. DNN has this. The dispute about this incident is not about whether DNN is safe but about the procedure that was followed.

My 2cts on this: I know PowerDNN to be enthusiastic and knowledgeable supporters of the DNN platform and I'd happily recommend them. The procedure they followed did not follow the DNN guidelines and they're being chastised for it. Well, everyone screws up once in a while. So be it. Unfortunately they also brought the suspicion upon themselves that they were trying to benefit from loopholes in DNN. This is not easily erased. I wish them luck with that.

Peter

 


Peter Donker
Bring2mind http://www.bring2mind.net
Home of the Document Exchange,
the professional document management solution for DNN
 
New Post
5/22/2008 7:54 AM
 

I'll second Peter's opinion.

In PowerDNN's defense, however, I'd like to add the following:

My company has been hosting with PowerDNN for almost a year now and all I can say is - 100% excellent service and powerful machinery. The sites we operate are up 100% (as close to 100% as it is ever possible, of course). And service is simply impeccable.

I assure you that our company has experience with at least 10 other host providers thanks to some of our we-know-better clients. Each and every one of those lacks some feature that PowerDNN has.

We all do stupid things and make ridiculous moves from time to time. Even politicians with an army of advisors make fatal statements and harmful PR decisions.

Let it be a good lesson for all of us. And post the DNN numbers & emails on your fridge...  Just in case... :)


Vitaly Kozadayev
Principal
Viva Portals, L.L.C.
 
New Post
5/22/2008 9:39 AM
 

I would echo Peter and Vitaly's comments.

PowerDNN screwed up big-time yesterday - but they have a history of being good DNN citizens and supporters. 

Everyone is entitled to make a mistake. None of us are perfect, although we would like to think we are. 

Let's give them time to make amends, and show that they have the best interests of DNN as a product at heart - after all a hoster dedicated to DNN and only DNN needs DNN to survive in order for their business to survive.


Charles Nurse
Chief Architect
Evoq Content Team Lead,
DNN Corp.

MVP (ASP.NET) and
ASPInsiders Member
 
New Post
5/22/2008 10:07 AM
 

I'm glad to see the tone moderate a bit, really I think the speculation that Power DNN is getting rich off of this is way out there. I spent at least an hour on the phone with Tony and I'll bet he makes more than $20 per hour. PowerDNN is a reliable, responsive hosting provider, like no other I have had dealing with. I personally appreciate that they go the distance for their customers and that will keep me as a customer. Laying blame doesn't get us any farther down the road, let's move on and keep DNN marching ahead. Yes PowerDNN could have done better, and yes I have sent email to Dotnetnuke requesting information and never heard back from anybody. It does happen that email goes into a black hole sometimes.

In the coming days, weeks, I think we will see revealed the full threat that is out there.

 