Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.1
CVE Id CVE-2008-6540
Last Modified 19 Aug 2009 01:24:01
Published 29 Mar 2009 09:30:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2008-6540

Summary

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Vulnerable Systems

Application

  • Dotnetnuke 1.0.10d

  • Dotnetnuke 1.0.10e

  • Dotnetnuke 1.0.6

  • Dotnetnuke 1.0.7

  • Dotnetnuke 1.0.8

  • Dotnetnuke 1.0.9

  • Dotnetnuke 2.1.1

  • Dotnetnuke 2.1.2

  • Dotnetnuke 3.0.11

  • Dotnetnuke 3.0.7

  • Dotnetnuke 3.0.8

  • Dotnetnuke 3.1.0

  • Dotnetnuke 3.3.5

  • Dotnetnuke 4.0

  • Dotnetnuke 4.3.5

  • Dotnetnuke 4.5.2

  • Dotnetnuke 4.8.1


References

XF - dotnetnuke-webconfig-weak-security(41399)

BID - 28391

BUGTRAQ - 20080321 DotNetNuke Default Machine Key Exposure

CONFIRM - http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx

SECUNIA - 29488

OSVDB - 43720


Last Updated: 27 May 2016 10:49:14