DotNetNuke Forums

Is DotNetNuke.com Insecure?
5/21/2008 4:19 PM
JohnGrange

Re: Is DotNetNuke.com Insecure?

I think one mistake we made was offering the patch to the public, which we thought was helpful. We should have limited it completely to PowerDNN customers, but the word still would have got out and we would have had the exact same complaints. The fact of the matter is that this is an open source piece of software. In every open source platform there are always critical bugs that the users usually have to wait until the next release for. Enterprise users require quicker updates and are willing to pay for it. When you are a PowerDNN customer you are getting premium service and support for an open source platform, and you pay for it. If there is a demand for a service, it is our job as business managers to accommodate that demand. I agree that we should have waited on offering this to non-PowerDNN customers, but the fact of the matter is that there were A LOT of people willing to pay the small price to secure their site. We are one of the few companies out there who employs an intensive DNN training program for all employees and specializes only in DNN. This allows us to focus our dedicated resources on securing, optimizing, and extending the product we support. This is what enterprise customers want, and they will pay for it. We should not be criticized for meeting these demands to grow our DNN based business. DotNetNuke is our entire business and we love it, and we will always push the envelope and offer the largest selection of business critical DNN services.


PowerDNN DNN hosting
 
5/21/2008 4:51 PM
Sebastian Leupold
www.deutschnetnuke.de

Re: Is DotNetNuke.com Insecure?

John,

no, your main issue was first to think about your business and second about making money. This totally lacks responsibility towards the OS product and the community you built your business on.

As Brandon Haynes stated before:
> Free business advice to PowerDNN:
> Cost of community-wide PR disaster > $20 * COUNT(Panicked Webmasters)

Hope you will get it, I am really disappointed about this experience.

Sebastian Leupold
DeutschNetNuke dnnWerk - The DotNetNuke Experts German DotNetNuke User-Group
DotNetNuke Project UserDefinedTable
DotNetNuke Project Release Tracker

5/21/2008 5:17 PM
Alex Shirley

Re: Is DotNetNuke.com Insecure?
(Modified by Alex Shirley on 5/21/2008 7:19:05 PM)

Plus, John, you have a tool that "will scan your DotNetNuke website for numerous security vulnerabilities".

Forgive me if I'm wrong (please correct me!)... but from what I have read, all it does is find out what DNN version you have and check that against a database of known issues. I guess technically you can call this a scan, but it's hardly comprehensive. How would it detect a website that had these issues already fixed/patched by means other than a full build? Why don't you just say it produces a report of known issues just by detecting which version of DNN you have?

In fact it would be a pretty cool tool if done in such a way that avoids such a public display and quick bucks. Maybe you could have distributed an internal module that gets installed on the site to be scanned, that allows the scan to take place reasonably securely (i.e. only the module is allowed to call the service up via the host account, which compares a public and private key being distributed between sites). You could then get money for this service provided you told people exactly what you were doing here, as you may be saving people time they don't have.

I still hope you can come clean with everything so it can all be put behind. I think everybody recognises that they all make mistakes... It's also great damage limitation.


Well might as well promo one of my DNN sites as I'm here: http://www.snasty.co.uk
 
5/21/2008 5:17 PM
Will Morgenweck
www.activemodules.com

Re: Is DotNetNuke.com Insecure?

JohnGrange wrote:
> I think one mistake we made was offering the patch to the public,

I was thinking it was not making sure that DotNetNuke was 100% aware before posting a press release on your home page offering a "Let me find a DotNetNuke site to hack tool".

> The fact of the matter is that this is an open source piece of software. In every open source platform there are always critical bugs that the users usually have to wait until the next release for. Enterprise users require quicker updates and are willing to pay for it. When you are a PowerDNN customer you are getting premium service and support for an open source platform, and you pay for it. If there is a demand for a service, it is our job as business managers to accommodate that demand.

Since PowerDNN found the exploit and knew the full details, I would think that you could have put request filters in place to block the exploit instead of a PowerDNN-exclusive patch.

> I agree that we should have waited on offering this to non-PowerDNN customers, but the fact of the matter is that there were A LOT of people willing to pay the small price to secure their site. We are one of the few companies out there who employs an intensive DNN training program for all employees and specializes only in DNN. This allows us to focus our dedicated resources on securing, optimizing, and extending the product we support. This is what enterprise customers want, and they will pay for it. We should not be criticized for meeting these demands to grow our DNN based business. DotNetNuke is our entire business and we love it, and we will always push the envelope and offer the largest selection of business critical DNN services.

Personally, I think you are being criticized for turning a negative situation for the community into a rewarding experience for PowerDNN.

Getting back to your security scan tool, you really should reconsider the public availability. Since you are asking for a fee, it could be considered false representation under some circumstances. A better idea would have been to make this a free module, sponsored by PowerDNN, that did a true scan. See the screens below to see how your scan tool can provide false results.

 






Will Morgenweck
Active Modules, Inc.
Social Networking and Community Solutions for DotNetNuke
Active Social - Stop by our booth at Open Force for a demo
www.activemodules.com
 
5/21/2008 6:20 PM
Slavic Kozyuk
www.ihostasp.net

Re: Is DotNetNuke.com Insecure?
(Modified by Slavic Kozyuk on 5/21/2008 8:22:37 PM)

The so-called "scanner" probes DNN upgrade log files in the /Portals/_default/ folder and attempts to guess the version of DNN the target domain is using. Once the version number is guessed, they simply list all known vulnerabilities for that particular DNN version range. This "tool" has no capability of detecting particular threats and does not have the ability to correctly determine the actual DNN version it is scanning with 100% accuracy.

As a hosting provider ourselves, we view this as nothing more than a scaremongering attempt aimed at causing widespread panic among DNN webmasters, especially those that are not using PowerDNN. The value of this tool is marginal to none; however, the PR stunt is superb.

Below is the IIS6 log of the actual activity this “scanning” tool causes on the server:

2008-05-21 22:56:31 GET /KeepAlive.aspx - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 594 85 156
2008-05-21 22:56:31 GET /Portals/_default/00.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.00.08.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 38108 76 171
2008-05-21 22:56:31 GET /Portals/_default/03.00.12.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 2010 76 78
2008-05-21 22:56:31 GET /Portals/_default/03.01.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 357 76 31
2008-05-21 22:56:31 GET /Portals/_default/03.02.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 1302 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.02.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 340 76 31
2008-05-21 22:56:31 GET /Portals/_default/03.03.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 1835 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.03.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:31 GET /Portals/_default/04.03.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 429 76 31
2008-05-21 22:56:31 GET /Portals/_default/04.05.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 1184 76 46
2008-05-21 22:56:31 GET /Portals/_default/04.05.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 73611 76 140
2008-05-21 22:56:31 GET /Portals/_default/04.06.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:31 GET /Portals/_default/04.07.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/04.08.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/04.08.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/04.08.02.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/04.08.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/05.00.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.02.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/05.00.03.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/05.00.04.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.00.05.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.01.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:32 GET /Portals/_default/10.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31

If you are a DNN hosting service provider and are concerned about your clients' sites being "scanned" by this tool for malicious purposes, block the following IP ranges at the firewall:

216.58.224.0 - 216.58.255.255
216.58.236.1 - 216.58.236.63

This IP range belongs to COSENTRY.NET, a datacenter service provider PowerDNN is using to colocate their servers.


Affordable DNN Hosting & Support - www.ihostasp.net
Slavic Kozyuk
IHOST, LLC
Call toll-free: 1.800.593.0238
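A defender-side check built from the log format quoted above (an added example; it is not code from the thread or from any vendor named in it). It parses IIS6 W3C lines, flags any client that requests several /Portals/_default/NN.NN.NN.txt upgrade logs within a short window, and lists which of those files answered 200, which is exactly the version information such a probe learns. The field order is assumed from the quoted lines (no #Fields header was shown), and the 192.0.2.10 line in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of IIS6 W3C lines, same field order as the thread's log (no #Fields header shown: assumed).
SAMPLE_LOG = """\
2008-05-21 22:56:31 GET /KeepAlive.aspx - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 594 85 156
2008-05-21 22:56:31 GET /Portals/_default/00.00.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:56:31 GET /Portals/_default/03.00.08.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 38108 76 171
2008-05-21 22:56:31 GET /Portals/_default/04.05.01.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 200 0 0 73611 76 140
2008-05-21 22:56:32 GET /Portals/_default/04.06.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 31
2008-05-21 22:56:32 GET /Portals/_default/05.01.00.txt - 80 - 216.58.236.42 HTTP/1.1 - - - www.somedomain.com 404 0 2 1795 76 46
2008-05-21 22:57:11 GET /Portals/_default/04.05.01.txt - 80 - 192.0.2.10 HTTP/1.1 - - - www.somedomain.com 200 0 0 73611 76 50
"""

# DNN keeps one upgrade log per version under /Portals/_default/; a burst of GETs for them is version guessing.
UPGRADE_LOG = re.compile(r"^/Portals/_default/(\d{2}\.\d{2}\.\d{2})\.txt$")

def parse_line(line):
    """Pull timestamp, path, client IP and status from one W3C line; None for headers/short lines."""
    f = line.split()
    if len(f) < 14 or f[0].startswith("#"):
        return None
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "path": f[3], "ip": f[7], "status": int(f[13])}

def find_version_probes(log_text, min_versions=3, window_seconds=60):
    """Return {ip: {"probes": n, "exposed": [versions]}} for clients requesting at least
    min_versions distinct upgrade logs within window_seconds; "exposed" = files that returned 200."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = UPGRADE_LOG.match(rec["path"]) if rec else None
        if m:
            by_ip[rec["ip"]].append((rec["ts"], m.group(1), rec["status"]))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i in range(len(hits)):  # sliding time window over this client's probes
            j = i
            while j < len(hits) and (hits[j][0] - hits[i][0]).total_seconds() <= window_seconds:
                j += 1
            burst = hits[i:j]
            if len({v for _, v, _ in burst}) >= min_versions:
                findings[ip] = {"probes": len(burst), "exposed": sorted({v for _, v, s in burst if s == 200})}
                break
    return findings

if __name__ == "__main__":
    print(find_version_probes(SAMPLE_LOG))
```

The "exposed" list tells the site owner which upgrade logs are publicly readable and therefore what an anonymous request can already infer about the installed version.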