Any PowerDNN users?
5/21/2008 2:41 PM
 

JohnGrange wrote

I think people are also misunderstanding the situation in a number of ways. 

John stop. Please. I am guilty of trying to get the patch for free (because I provided free advertising for PowerDNN on my site). I was assuming security@dotnetnuke.com was working on the issue but did not release a patch yet. I saw an opportunity to "get my sites fixed now" and I took it. I was wrong (the only reason I did not get my sites patched was because PowerDNN wanted FTP access to my site).

Just admit PowerDNN made a mistake and refund any money you took. If you do that I think the "community" can find forgiveness.



Michael Washington
http://ADefWebserver.com
www.ADefHelpDesk.com
A Free Open Source DotNetNuke Help Desk Module
 
5/21/2008 2:45 PM
 
PowerDNN:
I guess I do not understand why a vulnerability would be posted to a public site before a fix is applied.
 
Generally a good process to use is to fix the issue first then post the details. I understand you need to help your customers, however posting and making the vulnerability public creates another problem.
 
I could care less about someone charging for a fix. It’s the process of notifying the public that a vulnerability exists and that some systems are affected. On top of that a person can check whether another remote system is affected and proceed to target.
 
I think that’s the crux of the contention you are hearing from the community.
 
I think you should remove any posting and or tools from your public site until a fix is sent to the general public. What is your answer to this?
 
5/21/2008 2:45 PM
 

Pursuant to our forum policy, I am locking this "announcement" thread. Please feel free to continue this conversation in one of our more conversation-oriented forums so that our announcements may remain timely.

Kind Regards,
Scott


Scott Willhite, Co-Founder & Director of Community Programs for DotNetNuke

"It is only with the heart that one can see rightly... what is essential is invisible to the eye."
~ Antoine de Saint-Exupéry

 
5/21/2008 2:49 PM
 

Alex Shirley wrote

Not only are there apparent vulnerabilities with sketchy details, but we now have a site that allows Tom, Dick, Harry, everybody else, and their dog to look at the security issues of everyone’s DNN website in mere seconds. IF indeed the website actually scans and checks for vulnerabilities rather than just anticipate them?... and all of us dance around like headless chickens :). In this case I think we are entitled to, that is because we don't exactly know the impact, because rightly or wrongly we assume the worst, and because the cat was out of the bag before the solution was made available. Plus there is a tool that apparently allows me to know that YOUR website is affected.

Alex,

as far as I understood, the "Scan" simply retrieves the installed DNN's version number and issues a list of potential security risks. I did run it against a customer's site, which is not affected by previous issues due to its configuration (like being a single portal installation with host = admin, i.e. no risk of the admin gaining host permission) and the service listed the two assumingly identified new issues as all published security bulletins issued by DNN since that version (even if affecting later versions solely). To me, this scan does not really sound like a valuable service and, since no one had the chance to validate the changed code applied to the site, you cannot be sure that a) it fixes the issue and b) does not harm or damage your portal software. I would be very careful with accepting any service like this.


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group   European Network of DotNetNuke Professionals

 


Forum Policy

These Discussion Forums are dedicated to the discussion of the DotNetNuke Web Application Framework.

For the benefit of the community and to protect the integrity of the project, please observe the following posting guidelines:

1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DotNetNuke.
2. Discussion or promotion of DotNetNuke product releases under a different brand name are strictly prohibited.
3. No Flaming or Trolling.
4. No Profanity, Racism, or Prejudice.
5. Site Moderators have the final word on approving/removing a thread or post or comment.
6. English language posting only, please.
