Denial of Service attack

Published: May 27, 2008

Version: 1.0

Maximum Severity Rating: Critical

Background

When performing an installation or upgrade DotNetNuke forces the application to unload and reload so that changes can be processed.

Issue Summary

It is possible to remotely force DotNetNuke to run through its install/upgrade step. Because this causes the application to unload, a large number of similar requests could produce a denial of service attack (http://en.wikipedia.org/wiki/Denial-of-service_attack), leaving the application running slowly or not responding to requests at all. An additional side effect of this attack is that the web.config file may update its InstallDate value to a value different from the correct one.

Mitigating factors

Although the config file will receive a new Last Modified Date as a result of this exploit, the content of the config file cannot be viewed, downloaded, or arbitrarily modified.

Affected DotNetNuke versions

3.0 - 4.8.2 inclusive.


Non-Affected Versions:

All other versions


Fix(es) for issue

To fix this problem, it is recommended that you upgrade to the latest version of DotNetNuke (4.8.3 at time of writing).

If you are unable to upgrade to the latest version, you can rename or delete the following file from your installation: /Install/Install.aspx.
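Two defender-side checks that follow from the issue summary and the workaround above, written as an added example (this is not code from the advisory or from the DotNetNuke project). The first scans IIS W3C-format log lines for clients that request /Install/Install.aspx repeatedly inside a short window, which is the request pattern that would trigger repeated application unloads; the second confirms that Install/Install.aspx has actually been renamed or deleted under a site root. The log lines are constructed sample data, and the threshold (5 hits) and window (60 seconds) are assumptions chosen for illustration, not values from the advisory.

```python
"""Added example (not part of the DotNetNuke advisory): defender-side checks
for repeated requests to Install/Install.aspx and for the file-removal workaround.

Log lines are constructed sample data; the burst threshold and window are
assumptions, not values given by the advisory.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import Path

# Path named in the advisory. IIS URL paths are case-insensitive, so compare lower-cased.
INSTALL_PAGE = "/install/install.aspx"

# Constructed IIS W3C log excerpt. The "#Fields:" directive names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2008-05-27 10:00:01 GET /Default.aspx 192.0.2.10 200
2008-05-27 10:00:02 GET /Install/Install.aspx 198.51.100.7 200
2008-05-27 10:00:03 GET /Install/Install.aspx 198.51.100.7 200
2008-05-27 10:00:03 GET /Install/Install.aspx 198.51.100.7 200
2008-05-27 10:00:04 GET /Install/Install.aspx 198.51.100.7 200
2008-05-27 10:00:05 GET /Install/install.aspx 198.51.100.7 200
2008-05-27 10:00:06 GET /Install/Install.aspx 198.51.100.7 200
2008-05-27 10:00:30 GET /Install/Install.aspx 192.0.2.10 200
2008-05-27 10:05:00 GET /Install/Install.aspx 192.0.2.10 200
"""


def parse_w3c(lines):
    """Yield (timestamp, client_ip, uri_stem) for each data line of a W3C log.

    Column order is taken from the most recent "#Fields:" directive, so the
    parser is not tied to one fixed IIS field layout.
    """
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, rec["c-ip"], rec["cs-uri-stem"]


def flag_install_page_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: max_hits_in_window} for clients that requested
    Install.aspx at least `threshold` times within a sliding `window`.

    threshold and window are assumed tuning values for this example.
    """
    recent = defaultdict(deque)  # per-client timestamps inside the window
    flagged = {}
    for ts, ip, stem in parse_w3c(lines):
        if stem.lower() != INSTALL_PAGE:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def install_page_present(site_root):
    """True if Install/Install.aspx still exists under site_root, i.e. the
    rename/delete workaround from the advisory has NOT been applied."""
    return (Path(site_root) / "Install" / "Install.aspx").is_file()


if __name__ == "__main__":
    for ip, n in flag_install_page_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} requests to {INSTALL_PAGE} inside a 60s window")
    print("Install.aspx still present under '.':", install_page_present("."))
```

Run against a real IIS log by passing the file's lines to flag_install_page_bursts; a single client appearing in the output is the signal to look for, since a legitimate install or upgrade hits that page a handful of times, not dozens per minute. install_page_present is meant for a post-change check across site roots after applying the workaround.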

Acknowledgments

Tony Valenti and Joseph Ravioli
