Geeks With Blogs


Celebrate Computer Science Education
Locations of visitors to this page
Brian Scarbeau Insights from a seasoned Computer Science Trainer

Do you care about security? You should and you should also stay updated on security issues with the platform that you have your site on. That's why you need to come to the Security Bulletins Policy section on the DotNetNuke site to stay current on any potential threats.

Here's what they go through and evaluate issues:

Severity Levels

Each confirmed issue is first assigned a severity level (Critical, Moderate, or Low) corresponding to its potential impact on the security of DotNetNuke installations.

  • Critical—A security issue is rated critical if it can be exploited by a remote attacker to gain access to DotNetNuke data or functionality. All critical issue security bulletins include a recommended workaround or fix that should be applied as soon as possible.
  • Moderate—A security issue is rated moderate if it can compromise data or functionality on a portal/website only if some other condition is met (e.g. a particular module or a user within a particular role is required). Moderate issue security bulletins typically include recommended actions to resolve the issue.
  • Low—A security issue is rated low if it is very difficult to exploit or has a limited potential impact.

The Security Task Force then issues a security bulletin via the DotNetNuke security blog, forum posts and, where judged necessary, email. The bulletin provides details about the issue, the DotNetNuke versions impacted, and suggested fixes or workarounds.

Here's the latest threat and another reason why you need to upgrade your site to the most current version of DotNetNuke.

HTML/Script Code Injection Vulnerability

Published: April 1, 2009

Version: 1.0

Maximum Severity Rating: Low


To support paypal IPN functionality, DotNetNuke posts information to and receives status information from the paypal webservice. To do this it uses a name/value pair as part of the request, which is echoed to the form action attribute to ensure that any actions post to the correct page.

Issue Summary

It was possible to amend the name/value pairs and inject html/script which could allow hackers to perform cross-site scripting attacks.

Mitigating factors

If your site is not using paypal functionality, you can delete or rename (to a non aspx extension) the file at Website\admin\Sales\paypalipn.aspx

Affected DotNetNuke versions


Non-Affected Versions:


Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.9.3 at time of writing)



Security Policy

Technorati Tags: ,
Posted on Friday, May 8, 2009 8:41 AM DotNetNuke | Back to top

Copyright © Brian Scarbeau | Powered by: