This is a serious security risk that can allow a hacker to delete your entire DNN site. If you have any modules from dnn-modules.com installed on your portal, you need to go to their website and download an updated version of the BDPDT module.
I have several old DNN2.x sites that make use of the BDPDT module. But, to be honest, I don't want to take the time out to upgrade all of the modules across all of these sites. Luckily, there is another workaround that you can do. (This does limit some of the functionality of some of the modules, but I didn't use the function, so there are no problems in my case.)
To find out how to do this you need to contact www.dnn-modules.com directly. I am not posting any info on the security issue as it will expose any other sites using the module.
From reading Patrick Santry's blog, he has actually had a site deleted by a hacker:
"Although DotNetNuke is a very secure system, whenever you install third party modules outside of the DotNetNuke development track you incur the risk that the developer of the module may not be as diligent as the DotNetNuke core team in finding security issues. I want to relay the following message so if you have installed any modules from dnn-modules.com, you should apply any updates or remove them entirely. The risk of this is HIGH, I personally had to restore a site yesterday that was deleted including all database tables dropped because of this MAJOR hole. Here is the message from the developer of the module that was released to their customers:"
Thanks to the diligent efforts of the DotNetNuke Core Team, yesterday it came to our attention that a possible serious vulnerability existed in BDPDT code.
With the efforts of the Core Team and ourselves, we quickly removed the issue and HIGHLY RECOMMEND that any server that is connected to the internet should be updated with our latest versions on our site. Not doing so could leave your system exposed to this vulnerability. The BDPDT code has been changed to remove the issue, and also to check to see if your server has been compromised. BDPDT will email the Host Email address if it detects that this vulnerability was invoked on your server.
This email provides the steps to immediately fix existing sites and mitigate the potential for a malicious attack.
Who is vulnerable?
- Any user of a module that uses BDPDT (effectively, any of our modules)
What is the vulnerability?
- We are not describing any details of this exploit in this email, however, if you wish to know more, then please contact us at support@dnn-modules.com for further details.
How to fix the vulnerability?
We apologize in advance for any inconvenience this may cause our users,
Richard Cox
DotNetNuke Modules