We got notified of this thread from a user, hey, my first post...
In regards to Microsoft France,
We've done user scans both for any Microsoft-related site and for the user that had the DNN site on the Microsoft site. We did not sell anything to Microsoft, nor was the user that had the DNN site on Microsoft France registered on our site or on snowcovered.com - I had also alerted Brice, and he also followed up against their user records just in case it was an unknown area. Nor have we been contacted by Microsoft in relation to the issue.
Yes, agreed, that hack shouldn't have been possible - that's what at times you get for having the most installed module outside of core, and code that lingers through a 3-year life span of module development when you started writing it while you were wet behind the ears. Again, thanks Cathal for quickly isolating it and working on it with us.
Nina - I usually find your comments humorous and ignore them; however, I find it curious that you always spout off in forums but never contact us if you have a problem. Frankly, I find that behaviour to border on slander, especially by someone with the DNN core team logo beside their name. Even more interestingly, you never mention in your little comments that you don't contact the vendor when you have a problem.
If you had contacted us, Nina, we could have quickly suggested an alternative measure to isolate the issue and remove the potential for any possible repercussions on your site(s). We responded to well over 1000 requests for more information in the first week after Cathal informed us of the problem. So the time you spent writing forum notations could easily have fixed the problem before it occurred en masse on your site. Possibly even more important, your quick reaction to this problem by posting your comments in the forums on the day of notification may have caused some to go "perhaps I'll be fine - it's working now, and Nina says the upgrade had problems", which may have led some people NOT to upgrade their sites. So not only was your behaviour extremely unwise, it was not in the best interest of the community at large, and could have been responsible for more of the ripple effect we saw after the blog entry in the Washington Post was posted - many of them mentioned that they did receive the email and had not upgraded nor contacted us in response to it.
Cathal was a soul of courtesy and professionalism, which I would expect from anyone that is a member of the core team. And as Cathal can concur, we were the ones that requested the security blog entry be posted with no delay on DotNetNuke.com.
The important fact that should be mentioned is that anyone using ANYTHING attached to the Internet should ensure that their user information is current with the vendor, that their email address is actually in use, and that they always update their modules in a timely manner. This is the Internet; anything can happen - ask Microsoft if even their best practices and testing methodology can be circumvented. To say anything is 100% secure is a fallacy - they just haven't found an exploit yet, and going around bragging about something being 100% hacker-proof is really just putting a big red bullseye target on your code. Just because it hasn't happened yet doesn't necessarily mean it won't in the future. Vendors have the ultimate responsibility to ensure that their code is safe, but if something does occur, both the vendor and the client have the responsibility to ensure that their sites are remediated.
Regards,
Richard Cox
DNN Modules