
DNN 5.5.1 upgrade does not comply with MS security patch recommendations
New Post
9/23/2010 4:15 PM
 
Jan,

Thanks for obtaining public confirmation from Scott Guthrie at Microsoft.

And thanks for understanding that the image public relations problem here was that there was a need for both Microsoft and DNN to be saying the same thing publicly without any discrepancies of any kind (regardless of whether they were conferring with each other or not).

CT
 
New Post
9/24/2010 4:19 AM
 
CT wrote:
Jan,

Thanks for obtaining public confirmation from Scott Guthrie at Microsoft.

And thanks for understanding that the image public relations problem here was that there was a need for both Microsoft and DNN to be saying the same thing publicly without any discrepancies of any kind (regardless of whether they were conferring with each other or not).

 Hmm Microsoft and DNN saying different things and having .. discrepancies???


Did you read ALL of the blog you referred to? If you really do know the difference between customErrors = On / RemoteOnly / Off, then you should be aware that ScottGu writes the exact same thing in his blog as Cathal (and basically everyone else here) told you before: THAT SETTING is not enough. You need to add the redirect, which seems to be included in the DNN 5.5.1 upgrade.

If you think the DNN upgrade is vulnerable, then don't just fetch some guru's words and misinterpret them, try using the advice given in the blog:

***Quote from ScottGu's blog***

How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexis...

If you see the custom error page appear (because the file you requested doesn’t exist) then your configuration should be setup correctly.  If you see a standard ASP.NET error then it is likely that you missed one of the steps above.  To see more information about what might be the cause of the problem, you can try setting <customErrors mode="remoteOnly"/> – which will enable you to see the error message if you are connecting to the site from a local browser.

***Quote End***

If you can see that the DNN 5.5.1 does not show the correct error message, then I see the issue... but discrepancies??? Funny word :-)
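
A configuration-side check for the point made in the post above (the mode setting alone is not enough, the redirect must be present), as an added example that is not part of the thread or of DNN's code. The sample web.config fragments, the error page path and the `admin` location path are constructed; it complements the request test quoted from the blog rather than replacing it.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from DNN or the thread).
MODE_ONLY = '<configuration><system.web><customErrors mode="On"/></system.web></configuration>'
WITH_REDIRECT = ('<configuration><system.web>'
                 '<customErrors mode="On" defaultRedirect="~/error.html"/>'
                 '</system.web></configuration>')
# A <location> override that switches custom errors off for one path.
LOCATION_OFF = ('<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">'
                '<system.web><customErrors mode="On" defaultRedirect="~/error.html"/></system.web>'
                '<location path="admin"><system.web><customErrors mode="Off"/></system.web></location>'
                '</configuration>')


def _local(tag):
    # Some web.config files declare an xmlns on <configuration>; compare local names only.
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means every <customErrors> section has
    mode On/RemoteOnly and a defaultRedirect."""
    root = ET.fromstring(web_config_xml)
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section: no redirect is configured"]
    findings = []
    for n, el in enumerate(sections, 1):
        mode = (el.get("mode") or "").strip().lower()  # compared case-insensitively here
        if mode == "off":
            findings.append(f"section {n}: mode is Off")
        elif mode not in ("on", "remoteonly"):
            findings.append(f"section {n}: mode is not set to On or RemoteOnly")
        if not (el.get("defaultRedirect") or "").strip():
            findings.append(f"section {n}: defaultRedirect is missing")
    return findings


if __name__ == "__main__":
    for name, xml in [("mode only", MODE_ONLY), ("with redirect", WITH_REDIRECT),
                      ("location override", LOCATION_OFF)]:
        print(name, "->", audit_custom_errors(xml) or "OK")
```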

 
New Post
9/24/2010 5:16 PM
 
   I am not one that usually responds or posts here, neither do I work for Microsoft or DNN, but I feel the need for those that are frequent readers of these forums and users of Dotnetnuke to express my opinion.
 
CT wrote:
There are several completely different issues/questions here:

1) The technical question: which is the precisely correct recommended version of attributes for the web.config element ?

2) Are the recommendations of the "manufacturer" Microsoft and the "reseller" DotNetNuke consistent with each other as stated publicly by official representatives of each?

3) Whose recommendation should be followed: the "manufacturer" Microsoft or the "reseller" DotNetNuke?

The APPEARANCE of public recommendations that are consistent with each other between manufacturer and reseller remain critical to assuring confidence in the reseller. When the reseller does not appear to comply with the public recommendations of the manufacturer, it raises concerns.

    One of the things that I feel the need to clarify is that Dotnetnuke is not a reseller (akin to saying that DNN is one of MS's pawns).

1. Dotnetnuke is a Company that develops software implementing the ASP.NET Framework which was developed by one "Company" named Microsoft.

2. The ASP.NET Framework is a developer platform upon which software developers may design whatever software that they so choose. Much like perl, php, java, etc.

3. The "manufacturer" is in fact Dotnetnuke, and their product is the Dotnetnuke Framework provided in currently three formats. 1. Community 2. Professional 3. Enterprise.

   I believe from what I have seen and experienced from the DNN Team is a dedication to their product and a dedication to those that use their product; especially in their ability to quickly implement security vulnerabilities when they have been made aware of them.

P.S.
   You know Microsoft is not the only company in the world that has security issues with its software. The problem is that because they are so well known they get all the publicity. Think of it this way: if Linux was on top they would be the ones on the front page. Hey, think of it this way: those that find the breaches are doing Microsoft a favor: they are helping them make a better and safer product for you.

Thanks

 