Bill Yonder wrote In another post, charles said this issue has existed for 12-18 months!  I would expect that with something that has been around that long that they would already have an official patch.

Being around for any period time does not mean we were aware of it.   The point we were making is that it was not a serious enough issue to go publicising it so widely without informing the deveopers of the software of the issue.

We take ALL security issues seriously - the problem with this is issue is that it was made public without any thought to the consequences, leaving us to deal with the backlash.

How would you like it if your neighbour put a sign outside of his house - saying - "I have a security system, but look on the back of this sign and you will see a list of all the houses in the neighbourhood that don't".

I think there is a misconception in the community at the moment. What PowerDNN has referred to as a "patch" or "hotfix" for their customers is actually not a solution at all. Instead, it was a way of preventing a hacker from exploiting a security hole. In order to do this, PowerDNN simply removed some key functionality from all of their customer sites (ie. they deleted some files which provide some key content management functionality ). When they eventually reported the issue to us, it was in the form of an application which could be used to demonstrate the exploit. It was not a solution to the problem. PowerDNN offered no solution and instead relied on us to figure out the appropriate solution, implement it, test it, etc... Unfortunately, they gave us no actual time to accomplish this before they released a public press release announcing their findings. I have been quiet today as we focussed on solving the security problem. A 4.8.3 security release has been created. It solves the 2 issue which PowerDNN reported as well as another more serious security issue which was reported to us through proper channels ( and which PowerDNN as well as their customers are currently susceptible to ). Once we have the opportunity to run a few more tests, we will be making the 4.8.3 security release available to the entire community. I will not be making any more forum posts about this topic until this occurs. Thank you for your patience and professionalism.

Michael Gerholdt wrote  Bill Yonder wrote   When is that going to be?  Today?  Next week?  Next month?  Any ETA at all? Bill     Good Golly Miss Molly Bill Yonder - Give it a break. Obviously they're workin' on it. Our good friends in DNN core-ville are maybe not so good at controlling themselves when their blood's up and someone's done them wrong ... but they have an excellent track record when it comes to getting the technical job done. And the "policy and procedure" side has matured nicely. I find the comment about a 'known' issue for 18 months rather disconcerting, too, but hey ... Let them be and let's move on. We can look for answers to that one after the dust has settled.

Instead of assuming the worst, we should just take a little more time to understand exactly what was said.  Charles never said it was a "known" issue for 18 months.  He said it existed.  There is a big difference.  PowerDNN was the first to find the exploit, there is no disputing that fact.  I believe the point that Charles has been trying to make is that the code that introduced this issue was created many months ago.  This means that it has been in the application for several releases.  I believe Shaun has also stated, that even though this issue was present, DotNetNuke still passed numerous third-party security audits. 

Why is it so difficult to understand that had this been handled properly, it would still be business as usual for the DotNetNuke Community.  We all would have been properly patched and probably sooner had the Core not had to deal with all this chaos, or even better, notified promptly.