Version: 1.1 (updated Sep 16 2010 to provide alternative mitigation)
Maximum Severity Rating: Medium
Background
DotNetNuke supports syndication of portal content via a custom handler.
Issue Summary
It is possible to make invalid requests to the syndication handler that consume resources searching for the relevant data before timing out. If enough of these requests are sent, resources can be consumed to the point of exhaustion, i.e. a "denial of service" attack.
Mitigating factors
The number of invalid requests required depends on several factors, including the size of the DotNetNuke site and the capacity of its web server(s) and database server(s).
Affected DotNetNuke versions
All
Non-Affected Versions:
N/A
Fix(s) for issue
To fix this problem, upgrade to the latest version of DotNetNuke (5.5.0 at time of writing).
Alternative mitigation
Whilst the correct method to resolve this issue is to upgrade to 5.5.0 or higher, an alternative option is available for sites which do not use the syndication feature (e.g. module syndication). As the issue is caused by invalid requests to the syndication handler, removing the handler stops these requests being routed and nullifies the issue. To remove the handler, edit the site's web.config file, then locate and remove the following line:
<add verb="*" path="RSS.aspx" type="DotNetNuke.Services.Syndication.RssHandler, DotNetNuke" />
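An added example, not part of the original advisory and not DotNetNuke code: a Python check that reports every handler registration in a web.config text whose type is the RSS handler class quoted above, and returns the text with those registrations removed. The sample config is constructed; its system.webServer entry and the Example.OtherHandler line are assumptions, since the advisory shows only the single line above.

```python
import xml.etree.ElementTree as ET

# Class name taken from the web.config line quoted in the advisory.
RSS_HANDLER_CLASS = "DotNetNuke.Services.Syndication.RssHandler"

# Constructed sample, not a real site's file. The system.webServer entry is an
# assumption (integrated-mode registration); the advisory shows only one line.
SAMPLE_CONFIG = """<configuration>
  <!-- constructed sample -->
  <system.web>
    <httpHandlers>
      <add verb="*" path="RSS.aspx" type="DotNetNuke.Services.Syndication.RssHandler, DotNetNuke" />
      <add verb="*" path="Other.axd" type="Example.OtherHandler, Example" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="RSSHandler" verb="*" path="RSS.aspx" type="DotNetNuke.Services.Syndication.RssHandler, DotNetNuke" preCondition="integratedMode" />
    </handlers>
  </system.webServer>
</configuration>"""

def _parse(config_xml):
    # Keep comments so that rewriting the file does not silently drop them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(config_xml, parser=parser)

def _is_rss_handler(el):
    if not isinstance(el.tag, str) or el.tag != "add":
        return False  # comments and other elements are never handler entries
    # type="Class, Assembly": compare the class part only.
    return el.get("type", "").split(",")[0].strip() == RSS_HANDLER_CLASS

def find_rss_handlers(config_xml):
    """Return the parent section of every element still registering the handler."""
    root = _parse(config_xml)
    return [parent.tag for parent in root.iter()
            for child in parent if _is_rss_handler(child)]

def remove_rss_handlers(config_xml):
    """Return (rewritten_xml, number_removed) with every registration removed."""
    root = _parse(config_xml)
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if _is_rss_handler(child):
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Keep a copy of the original web.config before writing the rewritten text back, because ElementTree normalises formatting and omits the XML declaration.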
Acknowledgments
N/A
Security Policy
Click here to read more details on the DotNetNuke Security Policy