According to Tony Valenti, CEO of Powerdnn.com, a leading DotNetNuke hosting company, PowerDNN technicians have recently discovered numerous security vulnerabilities in the DotNetNuke core software.
Your site may be vulnerable to the following attacks:
- Administrator account permission escalation - A security vulnerability that could allow an admin user to upload a file that grants full Host access to the portal.
- Validationkey can be a known value - Under a rare set of circumstances, your website will encrypt data using a known-default key.
- Ability to create dynamic scripts on server - A security vulnerability that would allow server-side execution of server-side application logic.
- Any Website Viewer can Alter your web.config - A security vulnerability in DotNetNuke exists that allows any website visitor to alter your web.config file.
- Any Website Viewer can execute SQL Scripts on your Database - A security vulnerability in DotNetNuke exists that allows any website visitor to run SQL commands against your DotNetNuke database. This can result in complete site corruption.
I am running all of our sites on dedicated servers at PowerDNN and have been assured that the patch is being applied to all PowerDNN hosting customers.
If you are concerned about your site, I will post a link on DNNprofessor.com on Wednesday the 21st to run the PowerDNN security scanner to see if your site is susceptible. You do not need to be a PowerDNN client to run the security scan.
Until we hear from the DotNetNuke core team, it is better to be safe than sorry.
I will be keeping up on this situation and post new information on DNNprofessor.com as it becomes available.
Buck Anderson