DotNetNuke Security Bulletin no.25
HTML/Script Code Injection Vulnerability

Published: April 1, 2009

Version: 1.0

Maximum Severity Rating: Low

Background

To support PayPal IPN (Instant Payment Notification), DotNetNuke posts information to the PayPal web service and receives payment status information back from it. The IPN page carries a name/value pair in the request, and the value of that pair is echoed into the form's action attribute so that subsequent posts go back to the correct page.

Issue Summary

Because the echoed value was written into the action attribute without being encoded or validated, an attacker could tamper with the name/value pair in a crafted request and inject HTML or script, which would then execute in the browser of a user who followed the link (a reflected cross-site scripting attack).
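The pattern behind the Background and Issue Summary above, as an added illustration rather than DotNetNuke's own code: a request value is concatenated straight into a form's action attribute, an attribute-breaking payload turns it into an event handler, and two fixes (encoding for the output context, and an allow-list for the expected values) close it. The parameter name "returnpage" and the allowed values are placeholders; the bulletin does not name the real parameter.

```csharp
// Added example, not DotNetNuke code. Shows how an unencoded request value
// injected into a form action attribute becomes XSS, and how to prevent it.
using System;
using System.Collections.Generic;
using System.Net;

static class IpnActionDemo
{
    // Hypothetical page path; only used to build the action URL.
    const string BasePage = "/admin/Sales/paypalipn.aspx";

    // Hypothetical allow-list of legitimate values for the echoed parameter.
    static readonly HashSet<string> AllowedValues =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "summary", "receipt" };

    // VULNERABLE: the raw value lands inside a double-quoted attribute, so a
    // value containing '"' closes the attribute and starts a new one.
    public static string RenderFormVulnerable(string paramName, string paramValue)
    {
        return "<form method=\"post\" action=\"" + BasePage + "?" + paramName + "=" + paramValue + "\">";
    }

    // FIX 1: encode for the context the value is written into. URL-encode the
    // query-string parts (so '"', '<', spaces become %xx) and then HTML-encode
    // the whole URL before it goes into the attribute.
    public static string RenderFormEncoded(string paramName, string paramValue)
    {
        string query = WebUtility.UrlEncode(paramName) + "=" + WebUtility.UrlEncode(paramValue);
        return "<form method=\"post\" action=\"" + WebUtility.HtmlEncode(BasePage + "?" + query) + "\">";
    }

    // FIX 2: the legitimate values form a small fixed set, so reject anything
    // else before it is ever echoed. Returns false when the value is not allowed.
    public static bool TryRenderFormValidated(string paramName, string paramValue, out string html)
    {
        html = null;
        if (string.IsNullOrEmpty(paramValue) || !AllowedValues.Contains(paramValue))
            return false;
        html = RenderFormEncoded(paramName, paramValue);
        return true;
    }

    static void Main()
    {
        // Constructed attacker-controlled value: breaks out of the attribute
        // and adds an event handler on the form element.
        string payload = "x\" onmouseover=\"alert(document.cookie)";

        Console.WriteLine("Vulnerable output:");
        Console.WriteLine(RenderFormVulnerable("returnpage", payload));
        // -> <form method="post" action="/admin/Sales/paypalipn.aspx?returnpage=x" onmouseover="alert(document.cookie)">

        Console.WriteLine("\nEncoded output (payload stays inside the attribute as data):");
        Console.WriteLine(RenderFormEncoded("returnpage", payload));

        Console.WriteLine("\nValidated output:");
        string html;
        Console.WriteLine(TryRenderFormValidated("returnpage", payload, out html)
            ? html
            : "rejected: value not in allow-list");
        Console.WriteLine(TryRenderFormValidated("returnpage", "receipt", out html)
            ? html
            : "rejected: value not in allow-list");
    }
}
```

Encoding alone is sufficient to stop the injection, since after URL-encoding the value contains no quote or angle bracket; the allow-list is defence in depth and also stops the page being used to post to an unexpected location.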

Mitigating factors

If your site does not use the PayPal functionality, you can delete the file Website\admin\Sales\paypalipn.aspx, or rename it to an extension other than .aspx so that ASP.NET no longer executes it. Deleting is the cleaner option: a renamed copy with an extension that IIS serves as static content (for example .txt) discloses the page's markup to anyone who requests it.

Affected DotNetNuke versions

All

Non-Affected Versions:

N/A

Fix(s) for issue

To fix this problem, update to the latest version of DotNetNuke (4.9.3 at the time of writing).

Acknowledgments

N/A


DotNetNuke®, DNN®, and the DotNetNuke logo are trademarks of DotNetNuke Corporation