Published: May 27, 2008
Version: 1.0
Maximum Severity Rating: Critical
Background
When performing an installation or upgrade, DotNetNuke forces the application to unload and reload so that changes can be processed.
Issue Summary
It is possible to remotely force DotNetNuke to run through its install/upgrade step. As this causes the application to unload, a large number of similar requests could cause a denial-of-service attack (http://en.wikipedia.org/wiki/Denial-of-service_attack), which could lead to the application running slowly or not responding to requests at all. As an additional side effect, this attack could cause the InstallDate value in the web.config file to be updated to a value different from the correct one.
Mitigating factors
Although the config file will receive a new Last Modified Date as a result of this exploit, the content of the config file cannot be viewed, downloaded, or arbitrarily modified.
Affected DotNetNuke versions
3.0 - 4.8.2 inclusive.
Non-Affected Versions:
All other versions
Fix(s) for issue
To fix this problem, we recommend that you upgrade to the latest version of DotNetNuke (4.8.3 at time of writing).
If you are unable to upgrade to the latest version, you can rename or delete the following file from your installation: /Install/Install.aspx
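To check whether a site is receiving repeated requests for the install page, and whether the page is still being served after the workaround, the IIS logs can be summarized per client. The following is an added example, not part of the original advisory or DotNetNuke code; it assumes IIS W3C extended logs, and the sample log lines and the threshold of 3 are constructed for illustration.

```python
from collections import Counter

# Path named in the advisory; compared in lower case because IIS paths are case-insensitive.
INSTALL_PATH = "/install/install.aspx"

# Constructed sample in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-27 10:00:01 203.0.113.7 GET /Install/Install.aspx - 200
2008-05-27 10:00:02 203.0.113.7 GET /Install/Install.aspx - 200
2008-05-27 10:00:02 198.51.100.4 GET /Default.aspx tabid=36 200
2008-05-27 10:00:03 203.0.113.7 GET /install/install.aspx - 200
2008-05-27 10:00:09 198.51.100.9 GET /Install/Install.aspx - 404
"""

def install_hits(lines):
    """Yield (client_ip, status) for every request to the install page."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if stem.endswith(INSTALL_PATH):  # also matches sites in a virtual directory
            yield row.get("c-ip", "?"), row.get("sc-status", "?")

def summarize(lines, threshold=3):
    """Return (clients at or above threshold, count of hits answered with 200)."""
    hits = list(install_hits(lines))
    per_client = Counter(ip for ip, _ in hits)
    # threshold is an assumed value; tune it to the site's normal traffic
    noisy = {ip: n for ip, n in per_client.items() if n >= threshold}
    # a 200 means the file is still present; after rename/delete expect 404
    still_served = sum(1 for _, status in hits if status == "200")
    return noisy, still_served

if __name__ == "__main__":
    noisy, still_served = summarize(SAMPLE_LOG.splitlines())
    print("clients at/over threshold:", noisy)
    print("install page hits answered 200:", still_served)
```
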
Acknowledgments
Tony Valenti and Joseph Ravioli