Version: 1.0
Maximum Severity Rating: Low
Background
DotNetNuke creates a series of log files for database operations during install and upgrade.
Issue Summary
If an error occurs during install or upgrade, the exception details are written to the log files. There is a small possibility that information in these files could prove useful to a potential hacker.
In addition, the existence of log files can be helpful to hackers when attempting to profile an application to determine its version.
Mitigating factors
N/A
Affected DotNetNuke versions
All
Non-Affected Versions:
N/A
Fix(s) for issue
To fix this problem, it is recommended that you update to the latest version of DotNetNuke (5.4.3 at time of writing).
Alternatively, users can block access to log files by adding the following to the httpHandlers section of their web.config.
<add verb="*" path="*.log" type="System.Web.HttpForbiddenHandler"/>
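To confirm the entry above is present in a deployed web.config and has not been undone by a later remove or clear element, a check along these lines can be run against the file. This is an added example, not code from DotNetNuke; the function names, the sample configs and the file name install.log are assumptions made for illustration, and only the httpHandlers section named in the advisory is read.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"
WRAP = "<configuration><system.web><httpHandlers>%s</httpHandlers></system.web></configuration>"

# Constructed sample configs (not taken from a real DotNetNuke install).
FIXED = WRAP % '<add verb="*" path="*.log" type="System.Web.HttpForbiddenHandler"/>'
MISSING = WRAP % '<add verb="*" path="*.config" type="System.Web.HttpForbiddenHandler"/>'
UNDONE = WRAP % ('<add verb="*" path="*.log" type="System.Web.HttpForbiddenHandler"/>'
                 '<remove verb="*" path="*.log"/>')


def _covers(entry, filename, verb):
    """True if this <add> sends `verb` requests for `filename` to the forbidden handler."""
    verbs = [v.strip().upper() for v in entry.get("verb", "").split(",")]
    handler = entry.get("type", "").split(",")[0].strip()  # drop any assembly suffix
    return (handler == FORBIDDEN
            and ("*" in verbs or verb.upper() in verbs)
            and fnmatch.fnmatch(filename.lower(), entry.get("path", "").lower()))


def log_files_blocked(web_config_xml, filename="install.log", verb="GET"):
    """Replay <httpHandlers> in document order; report whether `filename` is forbidden.

    "install.log" is a made-up file name. The check covers presence only, not
    precedence against other handlers that match the same path.
    """
    section = next(ET.fromstring(web_config_xml).iter("httpHandlers"), None)
    if section is None:
        return False
    active = []
    for child in section:
        if child.tag == "clear":          # <clear/> drops every earlier entry
            active = []
        elif child.tag == "remove":       # <remove> drops the matching verb/path pair
            key = (child.get("verb"), child.get("path"))
            active = [e for e in active if (e.get("verb"), e.get("path")) != key]
        elif child.tag == "add":
            active.append(child)
    return any(_covers(e, filename, verb) for e in active)


if __name__ == "__main__":
    for name, xml in (("fixed", FIXED), ("missing", MISSING), ("undone", UNDONE)):
        print(name, "->", "blocked" if log_files_blocked(xml) else "NOT blocked")
```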
Acknowledgments
PowerDNN Engineering Team
Security Policy
Click here to read more details on the DotNetNuke Security Policy