Any PowerDNN users?
New Post
5/21/2008 5:41 PM
 

JohnGrange wrote

I think people are also misunderstanding the situation in a number of ways. 

John stop. Please. I am guilty of trying to get the patch for free (because I provided free advertising for PowerDNN on my site). I was assuming security@dotnetnuke.com was working on the issue but did not release a patch yet. I saw an opportunity to "get my sites fixed now" and I took it. I was wrong (the only reason I did not get my sites patched was because PowerDNN wanted FTP access to my site).

Just admit PowerDNN made a mistake and refund any money you took. If you do that I think the "community" can find forgiveness.



Michael Washington
http://ADefWebserver.com
www.ADefHelpDesk.com
A Free Open Source DotNetNuke Help Desk Module
 
New Post
5/21/2008 5:45 PM
 
PowerDNN:
I guess I do not understand why a vulnerability would be posted to a public site before a fix is applied.
 
Generally a good process to use is to fix the issue first then post the details. I understand you need to help your customers, however posting and making the vulnerability public creates another problem.
 
I could care less about someone charging for a fix. It’s the process of notifying the public that a vulnerability exists and that some systems are affected. On top of that a person can check whether another remote system is affected and proceed to target.
 
I think that’s the crux of the contention you are hearing from the community.
 
I think you should remove any posting and/or tools from your public site until a fix is sent to the general public. What is your answer to this?
 
New Post
5/21/2008 5:45 PM
 

Pursuant to our forum policy, I am locking this "announcement" thread. Please feel free to continue this conversation in one of our more conversation-oriented forums so that our announcements may remain timely.

Kind Regards,
Scott


Scott Willhite, Co-Founder DNN

"It is only with the heart that one can see rightly... what is essential is invisible to the eye. "
~ Antoine de Saint-Exupéry

 
New Post
5/21/2008 5:49 PM
 

Alex Shirley wrote

Not only are there apparent vulnerabilities with sketchy details, but we now have a site that allows Tom, Dick, Harry, everybody else, and their dog to look at the security issues of everyone’s DNN website in mere seconds. IF indeed the website actually scans and checks for vulnerabilities rather than just anticipates them?... and all of us dance around like headless chickens :). In this case I think we are entitled to, that is because we don't exactly know the impact, because rightly or wrongly we assume the worst, and because the cat was out of the bag before the solution was made available. Plus there is a tool that apparently allows me to know that YOUR website is affected.

Alex,

As far as I understood, the "Scan" simply retrieves the installed DNN's version number and issues a list of potential security risks. I did run it against a customer's site, which is not affected by previous issues due to its configuration (like being a single portal installation with host = admin, i.e. no risk of the admin gaining host permission), and the service listed the two assumingly identified new issues as all published security bulletins issued by DNN since that version (even if affecting later versions solely). To me, this scan does not really sound like a valuable service and, since no one had the chance to validate the changed code applied to the site, you cannot be sure that a) it fixes the issue and b) does not harm or damage your portal software. I would be very careful with accepting any service like this.


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 