﻿<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Cathal Connolly</title>
    <description>My personal blog on DotNetNuke.</description>
    <link>http://www.dotnetnuke.com/Community/Blogs/tabid/825/BlogId/5/Default.aspx</link>
    <language>en-US</language>
    <webMaster>admin1@dotnetnuke.com</webMaster>
    <pubDate>Fri, 09 May 2008 21:40:32 GMT</pubDate>
    <lastBuildDate>Fri, 09 May 2008 21:40:32 GMT</lastBuildDate>
    <docs>http://backend.userland.com/rss</docs>
    <generator>Blog RSS Generator Version 3.4.0.39853</generator>
    <item>
      <title>a new solution to an old problem</title>
      <description>&lt;p&gt;&lt;span id="dnn_ctr2612_MainView_ViewEntry_lblEntry"&gt; 
&lt;p&gt;Ever since the 4.x releases of DotNetNuke there's been a long-standing issue with the behaviour of temporary and persistent cookies: there wasn't a way to set short periods of temporary cookie expiration and to specify longer periods for users who don't want to regularly log in. This was caused by a change in the way ASP.NET 2.0 handles the different types of authentication cookies (for the full background on this see &lt;a href="http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1704/Default.aspx"&gt;http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1704/Default.aspx&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;After a few attempts, and with a helpful hint from Don Worthley, we finally got code in the 4.8.1 release that addresses this problem, and recently updated the dotnetnuke.com configuration to take advantage of this. At the minute, if you log into dotnetnuke.com but don't check the "remember me" checkbox, a temporary cookie is created with a timeout of 2 hours. If you check the "remember me" checkbox, a persistent cookie is created with a timeout of 2 weeks. To work around this limitation of ASP.NET 2.0, we added a new web.config key, PersistentCookie, that gets read during login, and some custom code then updates the cookie values appropriately if "remember me" has been selected. This allows site owners to select values that allow for security for temporary users and convenience for those who want persistent cookies.&lt;/p&gt;
&lt;p&gt;If you want to make similar changes to your own site, edit your web.config and update the following nodes to whatever value you require (the appropriate fields are identified in bold below; all values are in minutes, i.e. 60 minutes*24 hours*14 days=20160).&lt;/p&gt;
&lt;p&gt;&lt;forms name=".DOTNETNUKE" protection="All" &lt;strong&gt;timeout="120"&lt;/strong&gt; cookieless="UseCookies" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;add key="PersistentCookieTimeout" &lt;strong&gt;value="20160"&lt;/strong&gt; /&gt;&lt;/p&gt;
&lt;/span&gt;&lt;/p&gt;</description>
      <link>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1784/Default.aspx</link>
      <comments>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1784/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.dotnetnuke.com/Default.aspx?tabid=825&amp;EntryID=1784</guid>
      <pubDate>Mon, 31 Mar 2008 21:14:00 GMT</pubDate>
      <slash:comments>8</slash:comments>
      <trackback:ping>http://www.dotnetnuke.com/DesktopModules/Blog/Trackback.aspx?id=1784</trackback:ping>
    </item>
    <item>
      <title>Security bulletins released</title>
      <description>&lt;p&gt;&lt;span id="dnn_ctr2612_MainView_ViewEntry_lblEntry"&gt;The 4.8.2 version of DotNetNuke has been released.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;br /&gt;
In many cases the best way to ensure you're running a secure version of DotNetNuke is to update to a version such as 4.8.2 that has no known vulnerabilities. Oddly enough, in this case the upgrade is not mandatory. The release mainly focuses on 3 security issues, 2 of which came from external sources, and one from a project team member (thanks Timo!). The &lt;a href="http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno11/tabid/1147/Default.aspx"&gt;first&lt;/a&gt; and &lt;a href="http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno13/tabid/1149/Default.aspx"&gt;third&lt;/a&gt; issues could allow a user with upload permissions to upload files/pages that contain code, and then use this code to escalate their permissions or gain access to code/resources. In both cases these need a minimum of Admin permissions. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;The &lt;a href="http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx"&gt;second&lt;/a&gt; issue deals with a rare case where the validationkey in your web.config does not get updated from the default value. If on your site you don't have Admin users or the known key (validationkey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902") in your web.config, then you can choose to wait to apply this upgrade. Please note, 4.8.2 also has code to fix an ajax &lt;a href="http://support.dotnetnuke.com/issue/ViewIssue.aspx?id=6862&amp;PROJID=2"&gt;issue&lt;/a&gt;, so if you use components that utilise MS Ajax, it's definitely worth thinking about an upgrade.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;If you're new to upgrading I recommend you read the "detailed installation guide" found &lt;a href="http://www.dotnetnuke.com/Resources/Documentation/DownloadableFiles/tabid/478/Default.aspx"&gt;here&lt;/a&gt;, and the excellent set of blog entries from Erik &lt;a href="http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1459/Default.aspx"&gt;here&lt;/a&gt; and &lt;a href="http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1459/Default.aspx"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;You can read more details about these issues and our security policy &lt;a href="http://www.dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/tabid/940/Default.aspx"&gt;&lt;font color="#75808a"&gt;here&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1768/Default.aspx</link>
      <comments>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1768/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.dotnetnuke.com/Default.aspx?tabid=825&amp;EntryID=1768</guid>
      <pubDate>Thu, 20 Mar 2008 23:44:00 GMT</pubDate>
      <slash:comments>1</slash:comments>
      <trackback:ping>http://www.dotnetnuke.com/DesktopModules/Blog/Trackback.aspx?id=1768</trackback:ping>
    </item>
    <item>
      <title>Security Bulletin released</title>
      <description>&lt;p&gt;The newly released 4.7 version of DotNetNuke contains fixes for a number of security issues discovered during internal testing. The relevant bulletins can be found &lt;a href="http://www.dotnetnuke.com/News/SecurityBulletins/Policy/Securitybulletinno9/tabid/1135/Default.aspx"&gt;here&lt;/a&gt; and &lt;a href="http://www.dotnetnuke.com/News/SecurityBulletins/Policy/Securitybulletinno10/tabid/1136/Default.aspx"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;You can read more details about these issues and our security policy &lt;a href="http://www.dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/tabid/940/Default.aspx"&gt;&lt;font color="#75808a"&gt;here&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1666/Default.aspx</link>
      <comments>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1666/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.dotnetnuke.com/Default.aspx?tabid=825&amp;EntryID=1666</guid>
      <pubDate>Tue, 04 Dec 2007 00:38:54 GMT</pubDate>
      <slash:comments>2</slash:comments>
      <trackback:ping>http://www.dotnetnuke.com/DesktopModules/Blog/Trackback.aspx?id=1666</trackback:ping>
    </item>
    <item>
      <title>Security Bulletin released - Potential Phishing issue</title>
      <description>&lt;p&gt;&lt;span class="Normal" id="dnn_ctr2612_MainView_ViewEntry_lblEntry"&gt;This issue involves a potential &lt;a href="http://en.wikipedia.org/wiki/Phishing"&gt;&lt;font color="#75808a"&gt;phishing&lt;/font&gt;&lt;/a&gt; risk in the login code, where malicious users could create a link to a legitimate login page with an untrusted location as the return path to fool users into thinking another site was the site they just logged into. Whilst this issue cannot cause harm on the user's portal itself, as it can lead to a loss of confidence in a site, we elected to give this issue a status of &lt;a href="http://www.dotnetnuke.com/Community/SecurityPolicy/tabid/940/Default.aspx"&gt;&lt;font color="#75808a"&gt;medium&lt;/font&gt;&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span class="Normal"&gt;We recommend users update their portal version to the latest 4.5.4 release to remove this issue. Please read the &lt;a href="http://www.dotnetnuke.com/News/SecurityBulletins/Securitybulletinno8/tabid/1110/Default.aspx"&gt;&lt;font color="#75808a"&gt;bulletin&lt;/font&gt;&lt;/a&gt; for further details.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;You can read more details about these issues and our security policy &lt;a href="http://www.dotnetnuke.com/About/WhatIsDotNetNuke/SecurityPolicy/tabid/940/Default.aspx"&gt;here&lt;/a&gt;&lt;/p&gt;</description>
      <link>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1498/Default.aspx</link>
      <comments>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1498/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.dotnetnuke.com/Default.aspx?tabid=825&amp;EntryID=1498</guid>
      <pubDate>Mon, 23 Jul 2007 21:36:15 GMT</pubDate>
      <slash:comments>0</slash:comments>
      <trackback:ping>http://www.dotnetnuke.com/DesktopModules/Blog/Trackback.aspx?id=1498</trackback:ping>
    </item>
    <item>
      <title>Forums module updated to address security issues</title>
      <description>A new version of the forum module has been released to deal with some critical issues</description>
      <link>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1395/Default.aspx</link>
      <comments>http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1395/Default.aspx#Comments</comments>
      <guid isPermaLink="true">http://www.dotnetnuke.com/Default.aspx?tabid=825&amp;EntryID=1395</guid>
      <pubDate>Wed, 11 Apr 2007 04:23:00 GMT</pubDate>
      <slash:comments>8</slash:comments>
      <trackback:ping>http://www.dotnetnuke.com/DesktopModules/Blog/Trackback.aspx?id=1395</trackback:ping>
    </item>
  </channel>
</rss>