=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN140
_____________________________________________________________________

DATE                      : 20/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running DotNetNuke versions 5.3.0, 5.3.1.

======================================================================
http://www.dotnetnuke.com/News/Securitybulletinno34/tabid/1531/Default.aspx
______________________________________________________________________

 System mails stored in cleartext in User messaging

Published: Apr 19, 2010

Version: 1.0

Maximum Severity Rating: Critical

Background

DotNetNuke added support for user messaging in 5.3.0. This system is
also leveraged for automatically generated messages known as system
messages.

Issue Summary

Whilst system messages are often innocuous and simply warn a user that their
profile has been updated (e.g. by an administrator) or that they have been
added to a security role, a number of system messages can contain sensitive
data. In particular, password reminders contain data that users would not
want stored in clear text.


Mitigating factors

N/A


Affected DotNetNuke versions

5.3.0 - 5.3.1


Non-Affected Versions:

All others


Fix(es) for issue

To fix this problem, it is recommended that you update to the latest version
of DotNetNuke (5.4.0 at time of writing). Please note that if you have been
running 5.3.0 or 5.3.1 you may already have stored messages that you would
want to clear. Upgrading to 5.4.0 does not automatically remove these, as
there may be many legitimate messages from portal administrators. If you
believe that there are no messages you wish to retain, you can remove all
messages sent by a portal administrator using a query similar to:

DELETE FROM [dbo].[Messaging_Messages]
WHERE [FromUserID] IN (SELECT [AdministratorID] FROM [dbo].[Portals])

If you wish to review the set of messages first, a query similar to the
following will let you view the messages and determine which to delete:

SELECT *
FROM [dbo].[Messaging_Messages]
WHERE [FromUserID] IN (SELECT [AdministratorID] FROM [dbo].[Portals])
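A more cautious variant of the clean-up above, added here as an example and not taken from the DotNetNuke bulletin or from CERT-Renater: it counts the candidate rows per portal, copies them to a backup table, and deletes only inside a transaction that rolls back if the row count exceeds a sanity bound. The Subject and PortalID columns, the backup table name, the Subject filter and the bound are assumptions to verify against your own database before running it.

```sql
-- Added example for SQL Server (the database DotNetNuke runs on); not part
-- of the original bulletin. Names other than Messaging_Messages, FromUserID
-- and Portals.AdministratorID are assumptions: check them in your schema.
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- any run-time error inside the transaction rolls it back

-- 1. Review: administrator-sent messages per portal, and how many of those
--    look like password reminders (the Subject filter is an assumption).
SELECT p.PortalID,
       COUNT(*) AS AdminMessages,
       SUM(CASE WHEN m.Subject LIKE '%password%' THEN 1 ELSE 0 END)
           AS PasswordReminders
FROM [dbo].[Messaging_Messages] AS m
JOIN [dbo].[Portals] AS p ON m.FromUserID = p.AdministratorID
GROUP BY p.PortalID;

-- 2. Keep a copy of every row that may be touched (backup table name assumed)
--    so a legitimate administrator message deleted by mistake can be restored.
SELECT m.*
INTO [dbo].[Messaging_Messages_Backup_20100420]
FROM [dbo].[Messaging_Messages] AS m
WHERE m.FromUserID IN (SELECT AdministratorID FROM [dbo].[Portals]);

-- 3. Delete inside a transaction, bounded by the count observed in step 1.
DECLARE @expected int;
DECLARE @deleted  int;
SET @expected = 1000;   -- assumption: set this from the step 1 output

BEGIN TRANSACTION;
DELETE m
FROM [dbo].[Messaging_Messages] AS m
WHERE m.FromUserID IN (SELECT AdministratorID FROM [dbo].[Portals])
  AND m.Subject LIKE '%password%';   -- drop this line to remove all admin messages
SET @deleted = @@ROWCOUNT;

IF @deleted > @expected
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Deleted %d rows, above the expected bound of %d; rolled back.',
              16, 1, @deleted, @expected);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Removed ' + CAST(@deleted AS varchar(10))
        + ' password-reminder message(s).';
END
```

Run steps 1 and 2 on their own first; the bound in step 3 only protects against a filter that matches far more than the review showed.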


Acknowledgments

Stefan Cullman


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================