

Any PowerDNN users?
New Post
5/21/2008 2:24 PM
 

I just sent the following e-mail to PowerDNN.

Tony,
 
Thank you for the opportunity to speak with you this morning regarding the issues you folks have identified with the DotNetNuke core, and I hope that the apparent communication issue with the security team at DotNetNuke Corporation can be resolved. However, after looking around a bit I have a major concern regarding your security checking tool.
 
With this tool being publicly available and displaying results for ANY site, and with the known issues in this and previous versions of DotNetNuke, it poses a major security risk for anyone with a DNN site. Typically it is not easy for a person to quickly identify which version of DNN a site is on, and now a malicious user could use this tool to identify open points on any site and, if they know about the old issues, could use this information to quickly target sites.
 
Don't get me wrong, I like the tool, but I think that some additional security constraints should be put in place to prevent any user from viewing the information. Possibly e-mail the results to an e-mail address on the same domain, or something similar. Just a way to limit the free, open access to this information.
 
I appreciate your time and consideration in both identifying the security issue and making the tool available for users and the eventual securing of that tool.

-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
 
New Post
5/21/2008 2:28 PM
 

Looks like even dotnetnuke.com has an issue:

PowerDNN Security Scanner

Please enter the full URL to your website below, such as:
https://www.Example.com/DNN/
http://www.DotNetNuke.com/
URL:

Verified website as a DotNetNuke Website.
Your DotNetNuke Version is between 4.8.2 and 4.8.3.

 

Security Report
Any Website Viewer can Alter your xxxxx Hyper-Critical Details...
A security vulnerability in DotNetNuke exists that allows any website visitor to alter your xxxxxxxx
Any Website Viewer can xxxx Hyper-Critical Details...
A security vulnerability in DotNetNuke exists that allows any website vistor to run xxxx. This can result in complete site corruption.


Your website has critical security issues.
Using follow pages, you can hire PowerDNN to resolve them for you.

Because you are not a PowerDNN customer,
there will be a one-time charge of $20 for this consulting.

 
New Post
5/21/2008 2:35 PM
 

JohnGrange wrote

Hi Guys,

When we discovered this vulnerability, it was found to be such a critical issue that we were compelled to secure our customers right away. Our first responsibility is always going to be to make sure that PowerDNN customers are running high performance, secure DNN installations. Our customers have been overwhelmingly thankful for the hard work we've done to secure their sites. Our team is putting together an official report which we will release to the community; it is important that everyone is aware of the issue. We have been in contact with certain members of the core team as well as many of the top vendors in the community. In terms of the $20, we could take that away, but then we wouldn't be able to patch non-PowerDNN customers in any way that would be financially feasible. If we got rid of the $20 charge, we could scan your site but not perform any fix. This issue affects so many sites that we want to protect the community by releasing the information in a thoughtful way. We will get the information out via the normal DNN channels, but we view this issue as being critical enough that waiting until the next release of DNN is not sufficient, and we were compelled to take action immediately. I hope this clears some things up for some people; we take issues like this very seriously, because like most of you, we love DotNetNuke and it is our livelihood.

John Grange

John,

Thanks for the additional information and clarification regarding the process you went through. However, in my opinion, as good DNN community citizens, even if working through a fix on your own, it would have been best to get DNN involved from the get-go, using the standard DNN channels (security@dotnetnuke.com to be specific).

By delaying the involvement of the core team and releasing a notice on your site and a mass e-mail to your customers, a sort of widespread panic was created, and the core team was not given the proper time to address the issue before widespread community concern.

Regardless, from the sounds of this it is a major issue, and I believe most will agree with me that the community appreciates the resolution of this issue as long as the technical details do not leak out in a manner that could expose those of us who are non-PowerDNN customers to major risk.


-Mitchel Sellers
 
New Post
5/21/2008 2:47 PM
 

John,

I completely agree that you need to protect your customers and take appropriate action. The problem is that you are also targeting non-PowerDNN customers with your public security scanning tool and offering them paid security services ( $20 ) - all of this prior to communicating details of the security vulnerability to the owners of the platform. We have dealt with many security issues in the past ( from community insiders and external hackers ) and we have never experienced behavior like that being exhibited by PowerDNN at this time. There are established professional procedures for dealing with issues of this nature which are intended to protect all of the stakeholders in the ecosystem. If you truly love the DotNetNuke platform then I humbly request that PowerDNN submit the exploit details to security@dotnetnuke.com , disable your security scanning tool, and work with us to ensure the entire community is protected ( not just your customer base ).

 

offering to scan non-PowerDNN customers as well ( for $20 ) and all of this is happening without any communication with the DotNetNuke project.

 
New Post
5/21/2008 2:47 PM
 

I can understand the need to gain competitive advantage and capitalize on “know-how”. However, this should have been reported to the DNN core team before the press releases and all the publicity. If what they are saying is true, and this vulnerability is as severe as PowerDNN claims it is, there is much more at stake.

 

All I have to say, don’t poop where you eat. That’s all….

 

 


Affordable DNN Hosting & Support - www.ihostasp.net
Slavic Kozyuk
IHOST, LLC
Call toll-free: 1.800.593.0238
 