Published: Apr 19, 2010
Version: 1.0
Maximum Severity Rating: Critical
Background
DotNetNuke added support for user messaging in 5.3.0. This system is also leveraged for automatically generated messages known as system messages.
Issue Summary
While system messages are often innocuous and simply tell a user that their profile has been updated (e.g. by an administrator) or that they have been added to a security role, a number of system messages can contain sensitive data. In particular, password reminders contain credentials that users would not want stored in clear text, and the messaging system stores them exactly that way in the database.
Mitigating factors
N/A
Affected DotNetNuke versions
5.3.0 - 5.3.1
Non-Affected Versions:
All others
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.4.0 at the time of writing). Please note that if you have been running 5.3.0 or 5.3.1 you may already have stored messages that you want to clear. Upgrading to 5.4.0 does not remove them automatically, because there may be many legitimate messages from portal administrators. If you believe there are no messages you wish to retain, you can remove all messages sent by a portal administrator with a query similar to:
DELETE FROM [dbo].[Messaging_Messages] where [FromUserID] in (select administratorid from portals)
If you wish to review the set of messages first, a query similar to this will allow you to view the messages and determine which to delete
SELECT * FROM [dbo].[Messaging_Messages] where [FromUserID] in (select administratorid from portals)
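The two queries above review and delete every administrator-sent message. The following T-SQL is an added example, not part of the DotNetNuke advisory, that combines the review and delete steps into one transaction, narrows the delete to messages whose subject looks like a password reminder, and keeps the clear-text Body out of the result sets. The column names [MessageID], [ToUserID], [Subject], [Body] and [Date], and the '%password%' subject pattern, are assumptions about the 5.3.x schema and message text; check both against your own database before running it.

```sql
-- Added example, not part of the DotNetNuke advisory. T-SQL for SQL Server.
-- Assumed (verify against your schema first): [dbo].[Messaging_Messages]
-- has [MessageID], [FromUserID], [ToUserID], [Subject], [Body] and [Date];
-- [dbo].[Portals] has [AdministratorId]. The '%password%' subject filter is
-- also an assumption: look at the real reminder subject in your data first.
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- any run-time error aborts and rolls back the batch

DECLARE @Expected INT;

BEGIN TRANSACTION;

-- 1. Review: administrator-sent messages whose subject looks like a reminder.
--    The Body is deliberately not selected, so the clear-text secret is not
--    echoed into the console or into query logs.
SELECT m.MessageID, m.FromUserID, m.ToUserID, m.[Date], m.Subject
FROM   [dbo].[Messaging_Messages] AS m
WHERE  m.FromUserID IN (SELECT p.AdministratorId FROM [dbo].[Portals] AS p)
  AND  m.Subject LIKE '%password%';

SET @Expected = @@ROWCOUNT;   -- rows listed by the review step

-- 2. Delete exactly that set. OUTPUT returns an audit list of what was
--    removed (again without the Body).
DELETE m
OUTPUT DELETED.MessageID, DELETED.ToUserID, DELETED.[Date], DELETED.Subject
FROM   [dbo].[Messaging_Messages] AS m
WHERE  m.FromUserID IN (SELECT p.AdministratorId FROM [dbo].[Portals] AS p)
  AND  m.Subject LIKE '%password%';

-- 3. Commit only if the delete touched the rows the review step listed;
--    otherwise the data changed underneath us and we roll back.
IF @@ROWCOUNT = @Expected
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Deleted row count differs from reviewed count; rolled back.', 16, 1);
END
```

Run it as a database owner after taking a backup, and drop the subject filter if you decide, as the advisory suggests, that none of the administrator-sent messages need to be kept. Note that any database backups taken while 5.3.0 or 5.3.1 was running still contain the same clear-text rows, so they need the same treatment or a restricted retention period.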
Acknowledgments
Stefan Cullman
Security Policy
Click here to read more details on the DotNetNuke Security Policy