Is DotNetNuke.com Insecure?
New Post
5/22/2008 1:29 PM
 

In the meantime while PowerDNN tries to generate consulting revenue from their scanner, you can avoid the extortion and protect your DNN web property by using the following technique:

1. Log in to your site using a Host account.
2. Select Host / File Manager from the navigation menu.
3. Select each file which has a filename in the format of ##.##.##.txt (i.e. 04.08.02.txt).
4. Select the Delete Files option and Confirm.
5. Since there may be multiple pages of files, repeat until all of the ##.##.##.txt files are removed.

Once you have completed the above steps, the scanner will report:

Verified website as a DotNetNuke Website.
Your DotNetNuke Version is between and 0.0.0.
 
There are no security vulnerabilities in your website.
You may now quit this wizard.

Please note that the above steps do not actually solve any security issues. Instead, they prevent hackers from determining what version of DotNetNuke you are running and potentially exploiting your site. It also prevents the general public from viewing False Positive security reports about your site and losing confidence in your business. To properly address security issues, you need to regularly follow the Security Policy page and try to keep up with the latest product releases.

It is unfortunate that PowerDNN's lack of cooperation has led to public discussions of this nature. I sincerely apologize.


My comments are my own and are offered WITHOUT PREJUDICE

Shaun Walker
http://www.siliqon.com
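
The cleanup steps in the post above, done on the server's file system instead of through Host / File Manager; this is an added example, not part of the original thread or of DNN's code. The folder passed as `root` is an assumption (point it at whatever folder File Manager shows), and the sample files in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# The post gives the pattern as ##.##.##.txt (e.g. 04.08.02.txt).
VERSION_FILE = re.compile(r"^\d{2}\.\d{2}\.\d{2}\.txt$", re.IGNORECASE)


def find_version_files(root):
    """Return every file under root whose name matches ##.##.##.txt."""
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file() and VERSION_FILE.match(p.name)
    )


def remove_version_files(root, dry_run=True):
    """List the version-named files under root; delete them unless dry_run."""
    hits = find_version_files(root)
    if not dry_run:
        for path in hits:
            path.unlink()
    return hits


def demo():
    """Run against a constructed folder tree; returns (matched, remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        # Constructed sample files, not taken from a real installation.
        for name in ("04.08.02.txt", "04.08.01.txt", "readme.txt",
                     "4.8.2.txt", "sub/04.07.00.txt", "04.08.02.txt.bak"):
            (root / name).write_text("sample")
        # Dry run first: report what would go without touching anything.
        matched = [p.relative_to(root).as_posix()
                   for p in remove_version_files(root)]
        remove_version_files(root, dry_run=False)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
        return matched, remaining


if __name__ == "__main__":
    matched, remaining = demo()
    print("matched:", matched)
    print("remaining after delete:", remaining)
```

The recursive walk covers step 5's "multiple pages of files" in one pass; names such as `4.8.2.txt` or `04.08.02.txt.bak` fall outside the stated pattern and are left in place.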
 
New Post
5/22/2008 1:43 PM
 

This whole episode is just plain sad.  One would have to think that PowerDNN has a bone to pick with DNN Corp.  Making a vulnerability scanner available on-line puts the entire community at risk.  Completely and totally irresponsible and unprofessional in my books.  PowerDNN - please take that utility off-line and fight your battles without involving the entire DNN community...

 
New Post
5/22/2008 1:48 PM
 

Dan Caron wrote

And you are taking this lightly.  And I can see why.  I tracerouted to your site, and I can see that you are hosted with PowerDNN.  So, you are patched. 

I'm not saying PowerDNN's sites aren't patched by any means, but I think Chad's recent post and Shaun's workaround may raise some questions in this area.



Alex Shirley


 
New Post
5/22/2008 2:38 PM
 

I see your points Dan.

Based on my past experience with PowerDNN I'm somewhat bewildered as to why the security tool is still up - unless there is more to the story we're not aware of maybe? I don't know. This whole thing is seriously messed up and doesn't fit at all with my perception of PowerDNN.

Greg

 
New Post
5/22/2008 2:49 PM
 

The "scanner" tool problem can be resolved at the ISP firewall level by blocking the PowerDNN endpoint. As I have stated in my prior posts, this tool is designed to mislead the average DNN user, to scare them into subscribing to their service or give an impression that DNN is flawed without PowerDNN's help. We received several frantic phone calls from our customers yesterday before we blocked the PowerDNN “scanner”; these people were questioning the viability of DNN because of the PR stunt PowerDNN has pulled. Furthermore, they justify this action by the need to protect their customers. My question is: who gave them the authority to patch our customer sites hosted on our servers, or sites hosted with any other hosting provider, with their hack-patch? I think this is unethical behavior, and is the equivalent of someone screaming “bomb, bomb” in a busy mall to get ahead of the line.

We host several large government and political election campaign DNN sites; these people do not like to be jerked around like that, and neither do we. In the future, I hope they do not publicly issue home brew patches outside of their own network.

If PowerDNN wants to compete in the hosting market, this is certainly not the way to do business. PowerDNN is not the only DNN host, nor are they the authority on how DNN should be hosted or maintained. Leave the DNN patching and maintenance to people that know what they are doing and have the community's best interest in mind.


Affordable DNN Hosting & Support - www.ihostasp.net
Slavic Kozyuk
IHOST, LLC
Call toll-free: 1.800.593.0238
 