Published: Aug 17, 2010

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke has a number of places where it captures unexpected exceptions and provides details.

Issue Summary

In a few locations in DotNetNuke, and unexpected error is captured and if the required logging provider is not available then the exception is written to the screen. Under rare circumstances such as the sql server not being available it is possible for a currently executing request to fail and show exception details which can contain sensitive information such as the database name or the username that is attempting to connect.

Whilst this issue may reveal valuable information it is not easily exploitable, requiring 3rd party software to not perform or a full denial of sevice attack to cause the system to break, the issue has been rated as Low.

Mitigating factors

This issue can only manifest in the case of the database becoming unavailable.

Affected DotNetNuke versions

• 3.0.0-5.5.1

Non-Affected Versions:

• All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.6.0 at time of writing)

Acknowledgments

Security Policy

Click here to read more details on the DotNetnuke Security Policy