Security Bulletin no.16

Force existing database scripts to re-run

Published: May 27, 2008

Version: 1.0

Maximum Severity Rating: Critical

Background

During installation or upgrade, DotNetNuke runs through database scripts in sequence to create the database schema and insert various pieces of data.

Issue Summary

It is possible to remotely force DotNetNuke to run through its install wizard. This could cause the SQL commands in the database scripts included with the application to re-execute. Since the database scripts are not designed to be re-executed, this could cause data loss or corruption in an installation.

Mitigating factors

This exploit relies on SQL scripts being located in a specific default installation location for the DotNetNuke application. Since there is no way for an attacker to upload their own SQL scripts to this folder, the risk of arbitrary SQL script execution is not a factor.

Affected DotNetNuke versions

3.0 - 4.8.2 inclusive.


Non-Affected Versions:

All other versions

Fix(s) for issue

To fix this problem, updating to the latest version of DotNetNuke (4.8.3 at time of writing) is recommended.

If you are unable to upgrade to the latest version, you can rename or delete the following file from your installation: /Install/InstallWizard.aspx.
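
One way to apply the workaround above across several sites, as an added PowerShell example that is not part of the original bulletin or DotNetNuke's own tooling: it reports whether `Install\InstallWizard.aspx` is present under each site root and renames it when `-Rename` is given. The default site root, the `.disabled` suffix, and reading the version from `bin\DotNetNuke.dll` are assumptions.

```powershell
# Added example (not from the bulletin): audit DotNetNuke sites for the
# install wizard page and optionally rename it, per the workaround above.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Site roots to check. Assumed path; replace with your own.
    [string[]]$SiteRoot = @('C:\inetpub\wwwroot\dnn'),
    # Rename the wizard page instead of only reporting it.
    [switch]$Rename
)

# Affected range stated in the bulletin: 3.0 - 4.8.2 inclusive.
$firstAffected = [version]'3.0.0'
$lastAffected  = [version]'4.8.2'

foreach ($root in $SiteRoot) {
    $wizard = Join-Path $root 'Install\InstallWizard.aspx'
    # Assumption: the core assembly's file version matches the product version.
    $dll    = Join-Path $root 'bin\DotNetNuke.dll'

    $version = $null
    if (Test-Path -LiteralPath $dll) {
        $vi = (Get-Item -LiteralPath $dll).VersionInfo
        $version = [version]('{0}.{1}.{2}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)
    }

    if (-not $version) { $status = 'VersionUnknown' }
    elseif ($version -ge $firstAffected -and $version -le $lastAffected) { $status = 'AffectedVersion' }
    else { $status = 'NotAffectedVersion' }

    $present = Test-Path -LiteralPath $wizard

    # One report row per site; a present wizard on an affected or unknown
    # version is the case that needs the upgrade or the rename.
    [pscustomobject]@{
        SiteRoot      = $root
        Version       = $version
        VersionStatus = $status
        WizardPresent = $present
    }

    if ($Rename -and $present) {
        # The bulletin only says to rename the file; '.disabled' is an assumed suffix.
        $newName = 'InstallWizard.aspx.disabled'
        if ($PSCmdlet.ShouldProcess($wizard, "Rename to $newName")) {
            Rename-Item -LiteralPath $wizard -NewName $newName
        }
    }
}
```

Run it without `-Rename` first to get the report, or with `-Rename -WhatIf` to preview the change before applying it.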

Acknowledgments

Tony Valenti and Joseph Ravioli
