Published: Jan 19, 2011

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke's installer checks that the executing asp.net account has sufficent permissions to do an install/upgrade.

Issue Summary

If a site does not have sufficent permissions to do an install/upgrade, then a  HTTP 403 status is thrown and a custom permisions page is generated. This page used to identify the operating system version to help users diagnose what permissions were missing. However, this information is also potentially helpful to hackers, so the OS identification functionality was removed.

Mitigating factors

N/A
Note: Whilst not a mitigation, the identification of the operating system of a website is a trivial action with a number of websites/tools offering tools which probe and identify operating system's accurately. As such this function has little added value, but it's removal complies with best practices.

Affected DotNetNuke versions

• 5.0.0-5.6.0

Non-Affected Versions:

• All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.6.1 at time of writing)

Acknowledgments

Security Policy

Click here to read more details on the DotNetnuke Security Policy