Vulnerability in DotNetNuke could allow restricted file types to be uploaded

Published: August 02, 2006

Version: 1.1 (edited August 07, 2006): added a note to remove the FTB provider folder and its associated DLLs.

Maximum Severity Rating: Medium

Background

To support a number of core functions and modules, DotNetNuke ships with a WYSIWYG editor control, a Word-style editor that allows users to add and format HTML. Rather than hard-code one particular product as the editor, DotNetNuke uses an HTML editor provider so that administrators can easily switch to other editors. The default HTML editor shipped with DotNetNuke uses the FreeTextBox component.

Issue Summary

As a security measure, DotNetNuke restricts the file types that can be uploaded. An issue has been reported in the FreeTextBox component where users can upload file types that DotNetNuke does not allow, thereby bypassing the built-in filtering. This could be used as the basis for gaining unauthorised access to portal files or data.
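The weakness described above is that a component shipped with the platform exposes an upload path that does not run the platform's own file type filter. The defensive pattern is a single server-side allow-list check that every upload handler, including one supplied by a third-party editor, must call before a file is written. The following is an added illustration in C#, not DotNetNuke's own code; the `UploadFilter` class, its allow-list contents and the sample file names are assumptions constructed for the example (in DotNetNuke the permitted extensions come from the Host settings).

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not DotNetNuke's own code): one shared allow-list check
// that every upload path must call. An editor component with its own
// upload handler that skips this check reintroduces the advisory's issue.
public static class UploadFilter
{
    // Hypothetical allow-list; a real deployment reads this from Host settings.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "jpg", "jpeg", "gif", "png", "pdf", "txt", "doc", "xls", "zip" };

    // Returns true only when the name is a plain file name whose final
    // extension is on the allow-list. Rejects anything ambiguous.
    public static bool IsAllowed(string clientFileName)
    {
        if (string.IsNullOrEmpty(clientFileName)) return false;

        // Drop any directory component the client may have sent.
        string name = Path.GetFileName(clientFileName).Trim();
        if (name.Length == 0) return false;

        // Trailing dots/spaces are silently stripped by Windows when the
        // file is created, so "page.aspx." would land on disk as page.aspx.
        if (name.EndsWith(".") || name.EndsWith(" ")) return false;

        // Colons would denote an NTFS alternate data stream.
        if (name.Contains(":")) return false;

        // Path.GetExtension returns "" for no extension, or ".ext" otherwise.
        string ext = Path.GetExtension(name);
        if (ext.Length < 2) return false;

        return AllowedExtensions.Contains(ext.Substring(1));
    }

    // Illustrative handler shape: the decision is made before any I/O.
    public static string HandleUpload(string clientFileName, byte[] content, string storeDir)
    {
        if (!IsAllowed(clientFileName))
            throw new InvalidOperationException("File type not permitted: " + clientFileName);

        string target = Path.Combine(storeDir, Path.GetFileName(clientFileName));
        File.WriteAllBytes(target, content);
        return target;
    }

    public static void Main()
    {
        // Constructed sample names to show which inputs the check rejects.
        string[] samples = { "photo.JPG", "notes.txt", "page.aspx", "page.aspx.", "..\\web.config", "report.pdf:stream", "README" };
        foreach (string s in samples)
            Console.WriteLine("{0,-20} -> {1}", s, IsAllowed(s) ? "allowed" : "rejected");
    }
}
```

Only the final extension is compared, which matches what "restricting the file types that can be uploaded" means in the advisory; the point of the example is that the check lives in one place and is invoked by every upload entry point, so replacing or adding an editor component does not create an unfiltered path.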

Mitigating factors

To be affected, a site would have to grant edit permissions to one or more users for a module that uses the editor component, such as the Text/HTML module. In addition, those users would have to have permission to upload files. Sites that do not grant these permissions to users, or that do not use the FreeTextBox implementation of the HTML editor provider, are not vulnerable to this issue. For example, a site where all content is maintained by a single administrator who holds host and portal admin permissions would not be affected.

Affected DotNetNuke versions

  • 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.3.0, 4.3.1, 4.3.2

Non-Affected Versions:

  • any version prior to 3.1.1
  • 3.3.3/4.3.3 and above

Fixes for this issue

To fix this problem, use either of these two options:

Option 1

Upgrade to version 3.3.3/4.3.3 or later. This is the recommended solution.

Option 2

Use an alternative HTML editor provider, such as the free FCKEditor. Please note that you will also have to remove the existing FTB editor and its associated DLLs: delete the HtmlEditorProviders\Ftb3HtmlEditorProvider folder from your installation, and remove FreeTextBox.dll and DotNetNuke.Ftb3HtmlEditorProvider.dll from your bin folder.

Acknowledgments

DotNetNuke thanks the following for working with us to help protect users:

  • Peter Schotman
  • Richard from DNN-modules


