Date: 27 May 2009
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AA-2009.0128 AUSCERT Advisory
DotNetNuke: Execute Arbitrary Code
27 May 2009
AusCERT Advisory Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact: Execute Arbitrary Code/Commands
Member content until: Wednesday, June 24 2009
Two security vulnerabilities have been corrected in DotNetNuke.
The vendor has provided the following information regarding these
"Whilst installing DotNetNuke if an error occurs, as the custom error
handling system may not be in place a redirect is performed to an
error handling page. The error handling page optionally reads back a
querystring parameter that may contain additional error information.
Whilst this parameter is typically encoded, an invalid tag could be
used to bypass the filter, potentially to unencoded content being
echoed to the screen and could allow for script or html injection
"DotNetNuke has a custom errorpage for handling displaying information
to users. The errorpage contains details of the current running
version. This information could be useful to hackers attempting to
profile an application." 
This vulnerability has been corrected in DotNetNuke 4.9.4.
 HTML/Script Code Injection Vulnerability
 Errorpage information leakage
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----