Description
DotNetNuke Default Machine Key Exposure
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.
References
- https://nvd.nist.gov/vuln/detail/CVE-2008-6540
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41399
- http://osvdb.org/43720
- http://secunia.com/advisories/29488
- http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx
- http://www.securityfocus.com/archive/1/489957/100/0/threaded
- http://www.securityfocus.com/bid/28391
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| DotNetNuke.Core (nuget) | < 4.8.2 | 4.8.2 |
Related vulnerabilities
nvd
almost 17 years ago
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.