CVE-2008-6540

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Link	Resource
http://www.securityfocus.com/bid/28391	Exploit
http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx	Vendor Advisory
http://secunia.com/advisories/29488	Vendor Advisory
http://osvdb.org/43720
https://exchange.xforce.ibmcloud.com/vulnerabilities/41399
http://www.securityfocus.com/archive/1/489957/100/0/threaded

Configuration 1

cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10e:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.10d:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.7:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:4.5.2:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.8:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.6:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:1.0.9:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.8:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:4.3.5:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:4.0:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:*:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.11:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:3.0.7:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:3.3.5:*:*:*:*:*:*:* cpe:2.3:a:dotnetnuke:dotnetnuke:3.1.0:*:*:*:*:*:*:*

---

Published : 2009-03-30 01:30

Updated : 2018-10-11 08:57

---

NVD link : CVE-2008-6540

Mitre link : CVE-2008-6540

No products.

CWE-264