It was brought to my attention today by a benefactor of the DotNetNuke community (since I no longer have access to any of this information directly) that a client's site had been compromised through an older but known security breach. It's a bit of a nasty one, worded this way: 'Vulnerability in DotNetNuke could allow access to user profile details', but really what it should be telling us is that it allowed users to assume 'administrator rights', and that's exactly what happened to someone with a build of DotNetNuke that wasn't upgraded.
A quick search on Google showed some alarming statistics: over 20,000 sites are still running DNN 4.3.4, over 12,500 running 4.3.3, a staggering 32,000+ sites running 3.3.4, 21,500+ sites running 3.3.5, and honestly an unbelievable 95,000+ sites running 4.3.5. And that's only what's publicly findable by searching, so we have an enormous number of sites that appear to be vulnerable.
Here's how a site looks in your search results... it displays the DNN version in the title bar. And hey, whose site is that? I think we have a DotNetNuke Trustee running an unpatched site.. I hope that gets fixed up soon!

And it doesn't have to be exposed in that way, making it easier for hackers to find out what version of DNN people are running. Most of my installations are configured to disguise the fact that they are DNN sites, and even on the commercial projects I do, I encourage and practise this. In fact, I've modified my own DotNetNuke install file so that in many areas it defaults to not looking like an 'expected' installation.
I can't really give an answer to why the version of DNN is broadcast in the fashion it is. It serves no value to the 'end user' except to inform them of the version they have installed, but does it need to be so publicly broadcast? Sure, it's a small thing, but a simple search has shown how exposed these sites are when there is a security breach. Whether we like it or not, we are FORCED to display the version of DNN by default, unless we manually turn it off. Fortunately it's an easy fix and one of those things I recommend you do the moment you build your website!!
Here is how you can turn it off: log in as HOST and go to the HOST / SETTINGS page. Just under the email address is the 'Appearance' maximise icon; click it to show the 'Appearance' options, check that little mother of a box, and click UPDATE. .... GONE..
Note - this does NOT PROTECT YOU; it simply stops the 'PUBLIC' from knowing what version of DotNetNuke you are running.

And for those who need help knowing what version of DotNetNuke you are running: again, logged in as HOST, go to the HOST / SETTINGS page, and the first thing you will see is the DotNetNuke Version. Pretty easy, don't you think!

So, if you are one of those TENS OF THOUSANDS of SITTING DUCKS.. do something proactive:
- TURN OFF THE PUBLIC VISIBILITY OF YOUR DOTNETNUKE VERSION
- EXPLORE THE UPGRADE OPTIONS
- TAKE IT SERIOUSLY - AND DO SOMETHING ABOUT IT.
If you are running a DotNetNuke site that is BELOW 4.3.7 you are vulnerable.. simple as that.. Get your website updated.
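If you want to check your own site the way the search engine sees it, here is an added example (my own illustration, not part of DotNetNuke) that looks for a DNN version leaked in a page's title and flags anything below the 4.3.7 line drawn above. The title format "( DNN x.y.z )" and the sample pages are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Threshold stated in the post: anything below 4.3.7 is vulnerable.
MIN_SAFE_VERSION = "4.3.7"

# The leak described above: the DNN version appended to the page <title>.
# The exact title layout (e.g. "Home ( DNN 4.3.5 )") is assumed here.
_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
_VERSION_RE = re.compile(r"\b(?:DNN|DotNetNuke)\s*v?(\d+(?:\.\d+){1,3})\b", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.3.5' -> (4, 3, 5), so 4.3.10 compares as newer than 4.3.7 (string compare would not)."""
    return tuple(int(part) for part in text.split("."))


def version_in_title(html: str) -> Optional[str]:
    """Return the DNN version exposed in the page <title>, or None if nothing is leaked."""
    title = _TITLE_RE.search(html)
    if not title:
        return None
    found = _VERSION_RE.search(title.group(1))
    return found.group(1) if found else None


def assess(html: str) -> dict:
    """Classify one page: is the version public, and is it below the 4.3.7 line?"""
    version = version_in_title(html)
    if version is None:
        return {"version": None, "leaks_version": False, "below_4_3_7": None}
    return {
        "version": version,
        "leaks_version": True,
        "below_4_3_7": parse_version(version) < parse_version(MIN_SAFE_VERSION),
    }


# Constructed sample pages (not real sites): an old build, a patched build,
# and a site where the Host > Settings 'Appearance' box has been ticked.
SAMPLES = {
    "old": "<html><head><title>Home ( DNN 4.3.5 )</title></head><body></body></html>",
    "patched": "<html><head><title>Home ( DNN 4.3.7 )</title></head><body></body></html>",
    "hidden": "<html><head><title>Home</title></head><body></body></html>",
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, assess(page))
```

Feed it the HTML your own site actually serves to anonymous visitors; a "hidden" result means the title no longer advertises the version, which, as noted above, hides it but does not patch it.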
What disappoints me is that the DotNetNuke community has to wait for weeks and weeks before an 'official' release, unless it's lucky enough to fall in the cycle of release dates. Now there are literally tens of thousands of downloads of 'known to be vulnerable' builds between the discovery of a security breach and a fix being available for it.
Not all of us want the very frustrating task of upgrading, and security should not be 'bundled' with a release if it means that the community members who are subject to these attacks have to rebuild their sites due to malicious actions... Security patches should be released as soon as the issues are found and rectified, to protect DotNetNuke users and their sites.
That's my take on this matter at this moment of the day.
Nina Meiers