Description:
A security vulnerability has been found in all DotNetNuke versions including 4.8.3 that can be exploited to allow malicious individuals to cause Denial of Service (DoS) attacks, manipulate URLs and bypass DotNetNuke security restrictions.
The Issue(s)
- The URL and FileManager API security can be compromised, allowing unwanted files to be uploaded to restricted folders.
- DotNetNuke's install / upgrade process can be exploited, allowing a malicious person to send a large number of crafted requests to the DotNetNuke application, causing the database to be corrupted or overwritten.
- Certain input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Solution:
Remove all of the *.txt files from the /Portals/_default folder. This will protect your site from being susceptible to automated security scanners or other probing tools typically used by malicious parties.
Update to version 4.8.4 as soon as it is available.
Original Advisory:
http://www.dotnetnuke.com/News/Securi...yBulletinno14/tabid/1159/Default.aspx
http://www.dotnetnuke.com/News/Securi...yBulletinno15/tabid/1160/Default.aspx
Action Request
If you suspect or know that your DotNetNuke site has been compromised, please contact our hostmaster for a free DotNetNuke website security analysis and assistance in preventing further unwanted events.