Small width layout Medium width layout Maximum width layout Small text Medium text Large text
     Search
Downloads Downloads Directory Directory Forums Forums Forge Forge Blogs Blogs        Marketplace Marketplace Careers Program Careers
News › Security Policy › Security Bulletin no.5 Register  |  

Information Leakage

Published: November 16, 2006

Version: 1.0

Maximum Severity Rating: Low

Background

When users are attempting to access portal functions, we strive to strike a balance between providing informative messages, but not revealing unnecessary detail to people attempting to profile the application.

Issue Summary

Two areas have been altered to fix issues where more information that was necessary was made available.

  1. When attempting to access a a page that the user does not have permission to, the user is correctly redirected to the login page. However, the page title preserves the name of the originally requested page, which has been determined to be an unnecessary information leakage.
  2. When logged in, if the user attempts to access another users profile, they are correctly redirected to a failure page. However, at that point the user can tell by the error message if the user account they tried to access is a standard user or a superuser.

Mitigating factors

N/A

Affected DotNetNuke versions

  • All 3.x and 4.x versions

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (3.3.6/4.3.6 at time of writing)

Acknowledgments

DotNetNuke thanks the following for working with us to help protect users:

  • Christiaan Mellars of Risborrow Information Systems Ltd.

Security Policy


Click here to read more details on the DotNetnuke Security Policy
 


Sunset Hill Solutions - Consulting and Development
We offer general DNN consulting services - including custom module development and commercial module integration/setup.
www.sunsethill.ca 		MaximumASP
MaximumASP provides a wide array of web hosting plans to fit any hosting need. We also provide software and services needed to keep it running optimally.
MaximumASP.com 		Mad Development: dotnetnuke design and development
We are an expert Dotnetnuke shop specializing in developing solutions that merge the requirements of design and branding, content management, ecommerce, search engine optimization and business logic.
www.MadDevelopment.com

DotNetNuke Corporation   Terms Of Use  Privacy Statement
DotNetNuke®, DNN®, and the DotNetNuke logo are trademarks of DotNetNuke Corporation
Hosted by MaximumASP