DNN Community Blog

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.


DNN 9.0.1 Security Bulletin Released

Today DNN Platform 9.0.1 has been released. This release resolves the following security issues:

·         2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations

·         2017-02 (Low) Authorization can be bypassed for few Web APIs

·         2017-03 (Low) Socially engineered link can trick users into some unwanted actions

·         2017-04 (Low) Unauthorized file-copies can cause disk space issues

Full details of all the above issues can be read at http://www.dnnsoftware.com/platform/manage/security-center

As always we recommend you upgrade as soon as possible, particularly when the release contains any “critical” fix.

Also, we recommend users check the Security Analyzer page in the PersonaBar to help them audit their sites’ security settings.

 

Acknowledgements

We would like to thank the following for responsibly disclosing issues to our security team, and allowing us the time to resolve them:

·         Saurabh B

Comments

T. Philip Perlman
Why don't these security alerts contain the affected versions? Most of my many, many sites are running V8.0.4. I'd like to know if this version (or any v7, v8) is affected and if there is any other remedy OTHER than upgrading to v9.0.1.

The problem is there is a major change in the administration UI, which will require re-educating users and ensuring that all modules and themes work as expected. This will be extremely burdensome and incur costs and time to clients if an upgrade is required.

Most developers pitch DNN as one of the most secure CMSs available, yet there does not seem to be a mature mechanism to alert developers when an issue arises. This could adversely impact the perceived security of DNN overall and make new customers less likely to consider it.

I try and routinely check the security alerts page but I sometimes miss them. Why isn't there an email alert subscription that we can join. I manage many sites and if I miss an alert it could have a devastating impact across many clients (e.g. 2016-06 and 2016-05 which caught many of us by surprise).
T. Philip Perlman Wednesday, February 1, 2017 2:42 PM (link)

Comment Form

Only registered users may post comments.

NewsArchives


Aderson Oliveira (15)
Alec Whittington (11)
Alex Shirley (10)
Andrew Nurse (30)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (28)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (209)
Chris Paterra (55)
Clinton Patterson (29)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (146)
Dave Buckner (2)
David Poindexter (3)
David Rodriguez (2)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (74)
Geoff Barlow (10)
George Alatrash (2)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (272)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matthias Schlomann (15)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (28)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Peter Donker (53)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott S (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Timo Breumelhof (24)
Tony Henrich (3)
Torsten Weggen (2)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (39)
Will Strohl (164)
William Severance (5)
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out