*** Note: This is not a DotNetNuke vulnerability. The issue exists in modules developed by an independent developer, www.dnn-modules.com ***
We take the issue of security very seriously with DotNetNuke, and often spend time investigating security issues with users. To date, these issues have always been caused by missing Microsoft security patches, weak configuration (e.g. default usernames/passwords, anonymous FTP access granted in error, etc.) or other 3rd-party applications. As we guarantee anonymity for any reports submitted to our security team, these reports are typically never discussed in public, except where agreed.
On Monday 1st May, a DotNetNuke user reported to the security@dotnetnuke.com alias that his website front page had been defaced, and he wasn't sure how. He was able to supply us with a copy of the defaced page as well as other supporting evidence such as his IIS logs. Using these and other findings, we were able to determine that the issue was not with DotNetNuke code, but rather with a commercial module from an independent module developer, dnn-modules.com.
We contacted the lead developer and explained our findings. They were very responsive, and in only a few hours had updated their relevant modules. As the vulnerability is not in DotNetNuke code, we cannot validate the fix, but we believe the issue has been removed. The module developer (dnn-modules.com) emailed their users last night with the details, as well as telling them how to remove the vulnerability. If you are a user of one or more of their modules and have not received this email, we would encourage you to contact them at support@dnn-modules.com to find out how to protect yourself from this vulnerability.