Apr 05, 2005 07:57 PM|sbwalker
Any 3.0.12 installation of DotNetNuke would have used the default MachineKey values (because the issue was not identified until last week). The only way to change the Machine Key values on upgrade would be to write a utility which allows you to enter the
old machine key value and new machine key value - then the code would need to read all of the user accounts in the system, decrypt the password with the old key, encrypt the password with the new key, and save the user account. This is not something which
can be accomplished as part of the auto upgrade process in DNN. But you also need to consider that in order to exploit this security issue, somebody would need to get unauthorized access to your DNN database... so the risk is not as high as it sounds. At least
from 3.0.13 forward we have a mechanism in place on new installs which generates unique MachineKeys per install to further reduce the risk.
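
The re-keying utility described in the post above, sketched as an added example; it is not DotNetNuke code and not part of the original post. Assumptions: the `Users(UserID, Password)` table, the function names and the keys are hypothetical, and an HMAC-SHA256 construction stands in for the cipher ASP.NET applies with the machineKey.

```python
import hashlib, hmac, os, sqlite3
# Stand-in authenticated cipher built from HMAC-SHA256 (stdlib only). It is NOT the
# cipher ASP.NET applies with the machineKey; it only makes the rotation runnable.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, clear):
    nonce = os.urandom(16)
    body = _xor(_sub(key, b"enc"), nonce, clear)
    return nonce + body + hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("record is not encrypted under the supplied old key")
    return _xor(_sub(key, b"enc"), nonce, body)

def rotate(db, old_key, new_key):
    """Re-encrypt every password old -> new; commit only if every row converts."""
    rows = db.execute("SELECT UserID, Password FROM Users").fetchall()
    try:
        for uid, blob in rows:
            clear = decrypt(old_key, blob)   # raises on a row the old key cannot open
            db.execute("UPDATE Users SET Password = ? WHERE UserID = ?",
                       (encrypt(new_key, clear), uid))
        db.commit()
    except ValueError:
        db.rollback()                        # leave every row under the old key
        raise
    return len(rows)

def make_db(key, users):
    """Constructed sample store: hypothetical Users(UserID, Password) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Password BLOB)")
    db.executemany("INSERT INTO Users VALUES (?, ?)", [(i, encrypt(key, p)) for i, p in users])
    db.commit()
    return db

if __name__ == "__main__":
    old, new = bytes.fromhex("11" * 24), os.urandom(24)   # constructed keys
    db = make_db(old, [(1, b"host-pw"), (2, b"admin-pw")])
    print(rotate(db, old, new), "accounts re-encrypted")
```

The whole pass runs in one transaction, so a row that does not open under the old key aborts the rotation and leaves every account readable with the key still configured.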