Published: Aug 17, 2010
Maximum Severity Rating: Low
DotNetNuke has a number of places where it captures unexpected exceptions and provides details.
In a few locations in DotNetNuke, and unexpected error is captured and if the required logging provider is not available then the exception is written to the screen. Under rare circumstances such as the sql server not being available it is possible for a currently executing request to fail and show exception details which can contain sensitive information such as the database name or the username that is attempting to connect.
Whilst this issue may reveal valuable information it is not easily exploitable, requiring 3rd party software to not perform or a full denial of sevice attack to cause the system to break, the issue has been rated as Low.
This issue can only manifest in the case of the database becoming unavailable.
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.6.0 at time of writing)
Click here to read more details on the DotNetnuke Security Policy