DNN Blog


Posted by: cathal connolly
Thursday, March 20, 2008 11:44:00 PM

The 4.8.2 version of DotNetNuke has been released.


In many cases the best way to ensure you're running a secure version of DotNetNuke is to update to a version such as 4.8.2 that has no known vulnerabilities. Oddly enough, in this case the upgrade is not mandatory. The release mainly focuses on 3 security issues, 2 of which came from external sources and one from a project team member (thanks Timo!). The first and third issues could allow a user with upload permissions to upload files/pages that contain code, and then use this code to escalate their permissions or gain access to code/resources. In both cases these need a minimum of Admin permissions.

The second issue deals with a rare case where the validationkey in your web.config does not get updated from the default value. If on your site you don't have Admin users or the known key (validationkey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902") in your web.config, then you can choose to wait to apply this upgrade. Please note, 4.8.2 also has code to fix an ajax issue, so if you use components that utilise MS Ajax, it's definitely worth thinking about an upgrade.
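One way to check a site for the known key described above is to parse its web.config and compare the `machineKey` value. This is an added example, not DotNetNuke's own code; the function name `check_validation_key` and the sample configurations are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Default validationKey quoted in the post; a site still using it has the second issue.
KNOWN_DEFAULT_KEY = "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"

def check_validation_key(web_config):
    """Return 'default', 'custom', 'missing' or 'unparseable' for a web.config (str or bytes)."""
    try:
        root = ET.fromstring(web_config)
    except ET.ParseError:
        return "unparseable"
    keys = []
    for el in root.iter():
        # Compare local names so a namespaced <configuration xmlns="..."> still matches.
        if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == "machineKey":
            value = el.get("validationKey", "")
            # Drop modifiers such as ",IsolateApps" and normalise case and whitespace.
            keys.append(value.split(",")[0].strip().upper())
    keys = [k for k in keys if k]
    if not keys:
        return "missing"
    return "default" if KNOWN_DEFAULT_KEY in keys else "custom"

# Constructed sample inputs (not taken from a real site); decryptionKey is a placeholder.
SAMPLE_DEFAULT = """<configuration><system.web>
  <machineKey validationKey="f9d1a2d3e1d3e2f7b3d9f90ff3965abdac304902"
              decryptionKey="PLACEHOLDER" decryption="3DES" validation="SHA1" />
</system.web></configuration>"""
SAMPLE_NAMESPACED = SAMPLE_DEFAULT.replace(
    "<configuration>", '<configuration xmlns="urn:example:constructed-namespace">')
SAMPLE_CUSTOM = SAMPLE_DEFAULT.replace(
    "f9d1a2d3e1d3e2f7b3d9f90ff3965abdac304902", "0123456789ABCDEF0123456789ABCDEF01234567")
SAMPLE_NO_KEY = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    # Usage: python check_key.py path\to\web.config [more paths...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {check_validation_key(fh.read())}")
```

A result of `default` means the site still carries the known key and should not wait on the upgrade; `missing` means no explicit `machineKey` element was found in that file.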

If you're new to upgrading, I recommend you read the "detailed installation guide" found here, and the excellent set of blog entries from Erik here and here.

You can read more details about these issues and our security policy here.


1 comment(s) so far...


Re: Security bulletins released

Thanks for the update Cathal. Hope to take you out again the next time in Vegas!!!

By tmaler on   Friday, March 21, 2008 12:28:20 AM