Core :: Security

Disabling support for persistent cookies

Mon, 30 Jun 2008 23:58:00 GMT

I've blogged before about how to make timeouts work correctly for persistent cookies, but thought I should also flag up a minor, but often requested, enhancement that will be in DotNetNuke 5.0. Whilst persistent cookies are useful for a lot of sites in some cases they're not approriate. Sites that require a higher level of security such as many financial, insurance, government or ecommerce sites often do not want to offer the choice of persistent cookies to their users - we've had a number of security audit's sent in to the security@dotnetnuke.com email alias where this has been flagged as an issue.

In 5.0, we've added an option so that the "remember me" checkbox can be removed. To access this, log in as a superuser and go to the Host Settings menu. There you'll see the option to enable the remember me checkbox. By default this will be checked to match the existing behaviour, simply uncheck this to remove the "remember me" checkbox the the user.

If you want to set this option before installation, you can add N as a node to the DotNetNuke.install.config

Removing the Administrator ability to upload skins

Thu, 26 Jun 2008 01:18:00 GMT

it never rains but it pours

Sat, 31 May 2008 15:43:00 GMT

As per the old proverb , we're seeing a lot of activity around security these days.

Security bulletins released

Thu, 20 Mar 2008 23:44:00 GMT

The 4.8.2 version of DotNetNuke has been released.

In many cases the best way to ensure you're running a secure version of DotNetNuke is to update to a version such as 4.8.2 that has no known vulnerabilities. Oddly enough, in this case the upgrade is not mandatory. The release mainly focuses on 3 security issues, 2 of which came from external sources, and one from a project team member (thanks Timo!). The first and third issues could allow a user with upload permissions a way to upload files/pages that contain code, and then use this code to escalate their permissions or gain access to code/resources. In both cases these need a minimum of Admin permissions.

The second issue is to deal with a rare case where the validationkey in your web.config does not get updated from the default value. If on your site you don't have Admin users or the known key (validationkey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902") in your web.config, then you can choose to wait to apply this upgrade. Please note, 4.8.2 also has code to fix an ajax issue, so if you use components that utilise MS Ajax, it's definately worth thinking about an upgrade.

If you're new to upgrading I recommend you read the "detailed installation guide" found here , and the excellent set of blog entries from Erik here and here.

You can read more details about these issues and our security policy here

Security Bulletin released

Tue, 04 Dec 2007 00:38:54 GMT

The newly released 4.7 version of DotNetNuke contain fixes for a number of security issues discovered during internal testing. The relevant bulletins can be found here and here.

You can read more details about these issues and our security policy here

Security Bulletin released - Potential Phishing issue

Mon, 23 Jul 2007 21:36:15 GMT

This issue involves a potential phishing risk in the login code, where malicious users could create a link to a legitimate login page with an untrusted location as the return path to fool users into thinking another site was the site they just logged into. Whilst this issue cannot cause harm on the users portal itself, as it can lead to a loss of confidence in a site, we elected to give this issue a status of medium.

We recommend users update their portal version to the latest 4.5.4 release to remove this issue. Please read the bulletin for further details.

You can read more details about these issues and our security policy here

Forums module updated to address security issues

Wed, 11 Apr 2007 04:23:00 GMT

A new version of the forum module has been released to deal with some critical issues

Security Bulletin released - Potential Phishing issue

Tue, 10 Apr 2007 23:48:00 GMT

This issue involves a potential phishing risk where malicious users could create a link that appeared to be approved by a site owner, that might convince an unwary user to visit an untrustworthy location. Whilst this issue cannot cause harm on the users portal itself, as it can lead to a loss of confidence in a site, we elected to give this issue a status of medium.

We recommend users update their portal version to the latest 4.5 release to remove this issue. Please read the bulletin for further details.

You can read more details about these issues and our security policy here

Security Bulletin released

Sat, 02 Dec 2006 00:00:00 GMT

The newly released 3.3.7/4.3.7 versions contain a fix for a medium security issue where anonymous users could gain access to vendor details, and create, delete and update them. There are some mitigating factors i.e. for this issue to have an effect you would have to have enabled vendors and be using the banners module, but we advise all users to update to the latest versions. The issue can also be resolved by running a sql script to update the approriate database record, please read the bulletin for further details.

You can read more details about these issues and our security policy here

Security Bulletin released

Fri, 17 Nov 2006 05:00:00 GMT

The newly released 3.3.6/4.3.6 versions, contain a number of security fixes. These were brought to our attention by David Kirby & Christiaan Mellars of Risborrow Information Systems Ltd. One of the bulletins discusses an issue rated as critical and the other discusses two problems fixed as part of a low impact issue. To fix these issues you are recommended to update to either 3.3.6 or 4.3.6.

You can read more details about these issues and our security policy here