Published: April 1, 2009
Version: 1.0
Maximum Severity Rating: Low
Background
To support PayPal IPN functionality, DotNetNuke posts information to and receives status information from the PayPal web service. To do this it uses a name/value pair as part of the request, which is echoed to the form action attribute to ensure that any actions post to the correct page.
Issue Summary
It was possible to amend the name/value pairs and inject HTML/script, which could allow hackers to perform cross-site scripting attacks.
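The pattern described above, shown beside an encoded version, as an added example that is not DotNetNuke's own code. The class and method names, the page path and the name/value pairs are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

static class FormActionDemo
{
    // Unsafe pattern: request name/value pairs are concatenated straight
    // into the action attribute, so a quote in a value ends the attribute.
    public static string UnsafeFormTag(string path, IEnumerable<KeyValuePair<string, string>> pairs)
    {
        string query = string.Join("&", pairs.Select(p => p.Key + "=" + p.Value));
        return "<form method=\"post\" action=\"" + path + "?" + query + "\">";
    }

    // Hardened pattern: percent-encode each name and value for the URL context,
    // then HTML-encode the finished URL for the attribute context.
    public static string SafeFormTag(string path, IEnumerable<KeyValuePair<string, string>> pairs)
    {
        string query = string.Join("&", pairs.Select(p =>
            Uri.EscapeDataString(p.Key) + "=" + Uri.EscapeDataString(p.Value)));
        return "<form method=\"post\" action=\"" + WebUtility.HtmlEncode(path + "?" + query) + "\">";
    }

    static void Main()
    {
        // Constructed sample input: the second value carries a quote and markup characters.
        var pairs = new[]
        {
            new KeyValuePair<string, string>("id", "42"),
            new KeyValuePair<string, string>("note", "x\"><b>injected</b>"),
        };
        const string path = "/example/page.aspx"; // placeholder path, not the real handler URL

        string unsafeTag = UnsafeFormTag(path, pairs);
        string safeTag = SafeFormTag(path, pairs);
        Console.WriteLine(unsafeTag);
        Console.WriteLine(safeTag);

        // The tag is intact only when it holds exactly the four quotes written
        // by the template (method="..." and action="..."); any extra quote
        // means request data closed the attribute early.
        Console.WriteLine("unsafe tag quote count: " + unsafeTag.Count(c => c == '"'));
        Console.WriteLine("safe tag quote count:   " + safeTag.Count(c => c == '"'));
    }
}
```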
Mitigating factors
If your site is not using PayPal functionality, you can delete or rename (to a non-aspx extension) the file at Website\admin\Sales\paypalipn.aspx
Affected DotNetNuke versions
All
Non-Affected Versions:
N/A
Fix(s) for issue
To fix this problem, update to the latest version of DotNetNuke (4.9.3 at time of writing).
Acknowledgments
N/A
Security Policy
Click here to read more details on the DotNetNuke Security Policy