> >

Change localized text to stop user enumeration

Published: Jan 19, 2011

Version: 1.1 (edited 27 June 2011)

Maximum Severity Rating: Low

Background

DotNetNuke supports the ability for the user to get a copy of their password emailed out if they have forgotten it.

Issue Summary

The messages returned from the forgot password utility were too detailed, and could be used to identify the existance of user accounts.

Mitigating factors

This only affects sites where the forgot password utility is used. If the authentication provider does not support this, or has enablePasswordRetrieval set to false in web.config, no action is required.

Affected DotNetNuke versions

3.0-5.6.0

Non-Affected Versions:

All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.6.1 at time of writing)

Acknowledgments

Andrew Hallmark

Security Policy

Click here to read more details on the DotNetnuke Security Policy

Advertisers

DotNetNuke Corporation

DotNetNuke Corp. is the steward of the DotNetNuke open source project, the most widely adopted Web Content Management Platform for building web sites and web applications on Microsoft .NET. Organizations use DotNetNuke to quickly develop and deploy interactive and dynamic web sites, intranets, extranets and web applications. The DotNetNuke platform is available in a free Community and subscription-based Professional and Enterprise Editions with an Elite Support option. DotNetNuke Corp. also operates the DotNetNuke Store where users purchase third party apps for the platform.

Community
- Get Involved
- Extension Forge
- Forum
- Blog
- Teams
- Recognition
Resources & Support
Partners
News Room
App Gallery
- The Store
- Extension Forge
What is DNN
Get Started
- Downloads
- Video Instruction
In Action
About Us
sales@dnncorp.com (650) 288 - 3150 (650) 288 - 3191

Hosted by MaximumASP

Change localized text to stop user enumeration

Advertisers

Sponsors

DotNetNuke Corporation