Geeks With Blogs

Brian Scarbeau Insights from a seasoned Computer Science Trainer

As I travel around speaking at Code Camps and talking to DotNetNuke users, it amazes me what version of DotNetNuke they are running their web portal on. With DotNetNuke version 5 being the future of DotNetNuke, there are many installs that are still running on version 3 and early versions of 4.

I took the time to review the documented issues of past versions from the DotNetNuke site, and in the future I plan on directing people to that site so they can see why they should upgrade to more current versions.

Here is one issue you should be aware of if you are running an older version of DotNetNuke:

Published: December 24, 2008

Version: 1.0

Maximum Severity Rating: Critical

Background

DotNetNuke uses role membership to control access to content and modules.

Issue Summary

An issue exists where a user with login details to a DotNetNuke site could add additional roles to their user account. Code has been added to stop this happening.

Mitigating factors

This vulnerability can only be exploited by users with a valid username/password combination on a website.

Affected DotNetNuke versions

  • 4.5.2 - 4.9

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.9.1 at time of writing).

Now, is this what you want your users to do? Add additional roles to their user accounts? I doubt it!

Here's another that's even scarier:

Published: September 10, 2008

Version: 1.0

Maximum Severity Rating: Critical

Background

DotNetNuke supports using parameters to change the current skin, to allow users to preview skin files and also to dynamically load functions on request.

Issue Summary

Skin files are based on ASP.NET user controls (ascx) but add additional functionality such as security validation. Due to a weakness in validating the parameter it is possible to load an existing ascx file directly rather than loading a skin file that then loads the control. In a limited number of scenarios this can allow certain existing controls to subvert the security mechanism and could result in users gaining access to admin or host functions. Code has been added to close this authentication blind spot.

Mitigating factors

This vulnerability only allows existing ascx files to be loaded, many of which have additional security checks, ensuring that they could not be exploited.

Affected DotNetNuke versions

  • 2.0 - 4.8.4

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.9.0 at time of writing).

These are just two of the 24 issues that have been documented. I hope this gets your attention if you're an owner of a DotNetNuke portal. Get your web developer to upgrade your site to a more current version of DotNetNuke.

I encourage you to read more of the issues yourself.
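To check a set of installs against the two bulletins quoted above, the following Python script is an added example, not code from the original post or from DotNetNuke. The affected ranges and fix versions are copied from the bulletins; the site names and installed versions in the sample inventory are constructed, and reading the upper bound "4.9" as 4.9.0 is an assumption.

```python
from typing import NamedTuple, Optional

class Bulletin(NamedTuple):
    label: str
    first_affected: str  # inclusive lower bound, as printed in the bulletin
    last_affected: str   # inclusive upper bound ("4.9" is assumed to mean 4.9.0)
    fixed_in: str        # "latest version at time of writing" from the bulletin

# Ranges and fix versions copied from the two bulletins quoted in this post.
BULLETINS = [
    Bulletin("2008-12-24: user can add roles to own account", "4.5.2", "4.9", "4.9.1"),
    Bulletin("2008-09-10: existing ascx loaded in place of a skin", "2.0", "4.8.4", "4.9.0"),
]

def parse_version(text: str, width: int = 4) -> tuple:
    """'4.9' -> (4, 9, 0, 0), so 4.9 == 4.9.0 and 4.10 sorts above 4.9."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many version components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

def affecting(installed: str) -> list:
    """Bulletins whose inclusive affected range contains the installed version."""
    v = parse_version(installed)
    return [b for b in BULLETINS
            if parse_version(b.first_affected) <= v <= parse_version(b.last_affected)]

def upgrade_target(installed: str) -> Optional[str]:
    """Follow the bulletins' fix versions until one is outside every affected range."""
    target = installed
    while affecting(target):
        # A fix version can sit inside another bulletin's range, so re-check it.
        target = max((b.fixed_in for b in affecting(target)), key=parse_version)
    return None if target == installed else target

# Constructed inventory: site names and versions are made up for illustration.
SAMPLE_INVENTORY = {"intranet": "3.3.7", "school-portal": "4.8.4",
                    "club-site": "4.9.0", "new-site": "4.9.1"}

def triage(inventory: dict) -> dict:
    """Map each site to (labels of applicable bulletins, upgrade target)."""
    return {site: ([b.label for b in affecting(ver)], upgrade_target(ver))
            for site, ver in inventory.items()}

if __name__ == "__main__":
    for site, (hits, target) in triage(SAMPLE_INVENTORY).items():
        print(f"{site:14} {SAMPLE_INVENTORY[site]:7} -> {target or 'no action'}  {hits}")
```

A site that stopped at 4.9.0 to fix the September bulletin still falls inside the December bulletin's range, which is why the target for every affected install here is 4.9.1. Only the two bulletins quoted in this post are encoded; the other documented issues would need to be added to `BULLETINS` the same way.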

Posted on Wednesday, February 18, 2009 7:11 AM

Copyright © Brian Scarbeau | Powered by: GeeksWithBlogs.net