securitybulletinno30

DOWNLOAD

FORUMS

BLOGS

FORGE

HELP

MARKETPLACE

You are here > > >

Overview

Press Releases

In the News

DotNetNuke Connections '10

Install Wizard information leakage

Published: Nov 26, 2009

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke has an install wizard to support installing and configuring instances.

Issue Summary

The install wizard has code which evaluates the database and assembly versions to determine if an upgrade is required. It is possible to view this information as an anonymous user.This information could be useful to hackers attempting to profile an application.

As the information is important it will still show if the versions differ, but if they are in sync which is the normal case, the version is not revealed.

Mitigating factors

N/a

Affected DotNetNuke versions

4.0 - 5.1.4

Non-Affected Versions:

All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.2.0 at time of writing)

Acknowledgments

Dan Gilleland, Dynamic Generation Inc.

Security Policy

Click here to read more details on the DotNetnuke Security Policy

Advanced Web Portals by Infoscaler
Infoscaler is a California based company that provides advanced Web Portals, E-commerce Sites, Database Applications and Intranet Solutions on the DotNetNuke and Microsoft.NET platforms.
www.infoscaler.com

dnnWerk - die DotNetNuke-Experten
dnnWerk - the leading compound of German based DotNetNuke experts provides all services for your web site from one source. +++ dnnWerk - der Verbund führender DotNetNuke-Experten bietet Ihnen alle Leistungen für Ihr Portal aus einer Hand.
www.dnnWerk.de

.NET Answers
You have questions about .NET? Our blog has answers. Don't see the answer? Ask a question!
blog.dmbcllc.com

DotNetNuke®, DNN®, and the DotNetNuke logo are trademarks of DotNetNuke Corporation