
DotNetNuke, Your Best Defense!

Based on the sensational messages in mainstream media, I often hear the following question from consumers: "Why does Microsoft have more security issues than other software platforms?" To this I typically respond "They don't... it is all relative" and "The bigger you are the larger the target you have on your back".



The fact is Microsoft dominates the information technology solutions landscape with its multitude of software products. As a result, when compared to other platforms, it has far more users who are pushing the boundaries of its software and utilizing it in unexpected ways. Not to mention, for those folks (ethical or otherwise) who make a living identifying and exposing software vulnerabilities, the Windows platform is a much more attractive target as it offers significantly greater opportunities in terms of exposure and financial gain.

This past week a vulnerability was exposed in the Microsoft ASP.NET framework by a couple of independent security 'researchers'. The exploit was characterized as an 'Oracle Padding' vulnerability and had the potential to expose confidential information for any ASP.NET website which was susceptible. Rather than following professional disclosure policies, the 'researchers' did not cooperate with Microsoft and decided to release the exploit details into the wild before any patch or workaround could be made available.

In support of my opening statement regarding "the bigger you are...", over the past 7 years the DotNetNuke community has grown to hundreds of thousands of production deployments worldwide and in the process has emerged as a more attractive target. This was validated this past week, when the 'researchers' chose DotNetNuke as their example application for demonstrating the Oracle Padding vulnerability during a conference in Buenos Aires, Argentina.

Unfortunately, this is not the first time we have had to deal with a security vulnerability in the DotNetNuke project. However, this also means that over the years we have been forced to establish security policies and procedures and a level of professional maturity which is unmatched in most open source projects. DotNetNuke has an elite Security Team led by Cathal Connolly and Brandon Haynes; two of the brightest minds from a software security perspective that I have ever had the pleasure of working with. Our Security Team, complemented by direct communication with the Microsoft Web Platform & Tools team, was an effective defense in dealing with the Oracle Padding vulnerability and protecting our community.

Taking immediate action on the workarounds provided by Microsoft, we were able to patch our own web properties and preserve the privacy of our customers and users within hours of the exploit being publicized. We utilized all of our available channels to notify folks in our community of the vulnerability, provided instructions on how to manually patch their websites, and included guidance on when to expect an official patch from DotNetNuke Corporation. Our world class engineering team stepped up; working overtime to ensure we could get a high quality release out in record time.

DotNetNuke 5.5.1 was officially released on Wednesday, September 22nd and we highly recommend that everyone install the upgrade as soon as possible (please remember that the only way to ensure the integrity of your website is to stay abreast of current DotNetNuke releases).

I should also mention that the members of our Security Team, as well as key individuals from our Product, Engineering, Sales, and Marketing teams, will be present at DotNetNuke Connections at Mandalay Bay Resort & Casino in Las Vegas, Nevada on November 1-4, 2010. This is the third consecutive year for our premier North American conference and there is no better opportunity for customers and users to interact directly with DotNetNuke Corporation leaders and decision makers.

The conference is once again partnered with DevConnections, which provides unparalleled value in terms of allowing attendees to take advantage of the maximum amount of content from ALL conference tracks; from Scott Guthrie's keynote, to cutting edge demos of future ASP.NET and Visual Studio technology, to SharePoint and SQL Server, and last but not least, in-depth sessions on every facet of DotNetNuke for both technical and non-technical audiences. DotNetNuke Connections offers the perfect mix of training and education, community engagement, business networking, giveaways and prizes, and entertainment (yeah, don't forget it's in Las Vegas!). I personally look forward to seeing many familiar faces at the conference, but I am even more excited to connect one-on-one with new DotNetNuke users.

In closing, please join me in commending the stellar efforts of our team in responding to the recent ASP.NET security situation. In addition, I would also like to mention that I deeply appreciate the patience and confidence of the DotNetNuke community as well as your contributions to the ongoing success and vitality of our ecosystem.

