Any PowerDNN users?
New Post
5/21/2008 3:20 PM
 

Mitchel,

  Michael specifically has not been contacted and is just as upset as the rest of us over the way this has been handled.


Joe Brinkman
DNN Corp.
 
New Post
5/21/2008 3:26 PM
 

Joe Brinkman wrote

Mitchel,

  Michael specifically has not been contacted and is just as upset as the rest of us over the way this has been handled.

I had a feeling that was the case......

...this is sure turning into an interesting saga....

Special thanks to Shaun, Joe, and the rest of the core team that is digging into this item, I'm sure that this is not something you guys were looking to deal with on a Wednesday...


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
 
New Post
5/21/2008 3:30 PM
 

Just to clarify, we did not submit a report to security@dotnetnuke.com as of yet, but we were in contact with members of the core team this morning.  As I write this we are putting together a report for security@dotnetnuke.com.  Also, no PowerDNN customer was charged anything for this patch, as it is our responsibility to ensure the security of their installations.  Again, from a resource perspective we have to charge non-customers for time spent on a patch.  We were forced to send out a blast e-mail to all of our customers about the vulnerability because many of them have development installations that would overwrite the patch if they weren't

 
New Post
5/21/2008 3:31 PM
 

Mitch Sellers wrote

Joe,

I'm not sure if it helps or not, but I've heard through a few grapevines today that Michael Washington might have been contacted....

I had assumed that PowerDNN gave the information to security@dotnetnuke.com and the Core hadn't responded yet. When there is an exploit normal Core members get the details when the rest of the community gets the details because only the people working on the problem "need to know".

I was contacted by a PowerDNN representative when I asked for the patch fix for free. I was told to give FTP access to my site. I then found out that the Core was not told about the patch.

Then my "Head exploded". I then sent an email to PowerDNN telling them that I thought it was wrong to sell the patch.

So my mistake was asking for the patch for free. I should not have done that. I should have sent PowerDNN an email telling them that it is wrong to sell a security patch for Open Source software under any circumstances. The source is "open" so that we can all "protect each other".

PowerDNN cannot call it a "service" to "patch it for us" because they don't want to "tell us what the exploit is".

How about this, when the next bug comes out, how about I charge for it?



Michael Washington
http://ADefWebserver.com
www.ADefHelpDesk.com
A Free Open Source DotNetNuke Help Desk Module
 
New Post
5/21/2008 3:35 PM
 

Aside from the security@dotnetnuke.com address, which every long-standing developer in the community knows about, there are several points of contact listed on the DotNetNuke.com "Contacts" page.  These are for webmaster@, advertising@, and sales@.  I am a recipient on each of these lists, and have NOT received any communication from PowerDNN on this matter (whereas in the past, I have been reached several times via these channels by parties reporting potential security issues.) Now, keep in mind that the email circulated by PowerDNN stated they first learned about the problem on Monday evening, broadcast it on Tuesday PM, and didn't email any of our contact points.  Curious...

 