=====================================================================
                           CERT-Renater
                 Information Note No. 2009/VULN488
_____________________________________________________________________

DATE                 : 01/12/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running DotNetNuke versions prior to 5.2.0.

=====================================================================
http://www.dotnetnuke.com/News/SecurityPolicy/securitybulletinno31/tabid/1450/Default.aspx
http://www.dotnetnuke.com/News/SecurityPolicy/securitybulletinno30/tabid/1449/Default.aspx
_____________________________________________________________________

HTML/Script Code Injection Vulnerability

Published: Nov 26, 2009
Version: 1.0
Maximum Severity Rating: Low

Background

DotNetNuke has a search function which redirects to a custom results page.

Issue Summary

Whilst the search function filters for dangerous script, code was recently
added to show the search terms, and this code failed to filter them. The code
has been refactored to filter the input to ensure that cross-site scripting
attacks cannot occur.

Mitigating factors

To protect against attacks that attempt to use invalid URLs, users can install
the free Microsoft URLScan utility
(http://www.microsoft.com/technet/security/tools/urlscan.mspx). This is a
recommended install, as it offers protection against a number of other
URL-based issues that are not specific to DotNetNuke.

Affected DotNetNuke versions

  * 4.8 - 5.1.4

Non-Affected Versions:

  * N/A

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of
DotNetNuke (5.2.0 at time of writing).

Acknowledgments

Scott Bell, Security Consultant, Security-Assessment.com

_____________________________________________________________________

Install Wizard information leakage

Published: Nov 26, 2009
Version: 1.0
Maximum Severity Rating: Low

Background

DotNetNuke has an install wizard to support installing and configuring
instances.

Issue Summary

The install wizard has code which evaluates the database and assembly versions
to determine if an upgrade is required. It is possible to view this
information as an anonymous user. This information could be useful to hackers
attempting to profile an application. As the information is important, it will
still show if the versions differ, but if they are in sync, which is the normal
case, the version is not revealed.

Mitigating factors

N/A

Affected DotNetNuke versions

  * 4.0 - 5.1.4

Non-Affected Versions:

  * All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of
DotNetNuke (5.2.0 at time of writing).

Acknowledgments

Dan Gilleland, Dynamic Generation Inc.

======================================================================

=========================================================
CERT-Renater reference servers

http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================