Install wizard information leakage

Published: September 10, 2008

Edited: February 24, 2009 - Added note about 5.0 missing relevant code.

Version: 1.1

Maximum Severity Rating: Low

Background

When a DotNetNuke portal is installed, the version number is displayed on the link to first access the portal.

Issue Summary

Under some circumstances it was possible to view the install wizard page, allowing potential hackers to view the portal number. This information could be useful to hackers attempting to profile an application. 

Mitigating factors

N/A

Affected DotNetNuke versions

  • 4.0 - 4.8.4
  • 5.0 - Note: the code was put in place for 4.9, but was not correctly merged into the 5.0 (Cambrian) branch. This issue was resolved in 5.0.1.

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, we recommend updating to the latest version of DotNetNuke (4.9.2/5.0.1 at time of writing).

Acknowledgments

N/A

Security Policy


Click here to read more details on the DotNetNuke Security Policy

 
