Failure to validate when loading skins

Published: September 10, 2008

Version: 1.0

Maximum Severity Rating: Critical

Background

DotNetNuke accepts request parameters that change the current skin, so that users can preview skin files and so that functionality can be loaded dynamically on request.

Issue Summary

Skin files are based on ASP.NET user controls (.ascx) but add functionality such as security validation on top of them. Due to a weakness in validating the skin parameter, it is possible to load an existing .ascx file directly, rather than loading a skin file that then loads the control. In a limited number of scenarios this allows certain existing controls to bypass the security mechanism and could result in users gaining access to admin or host functions. Code has been added to close this authentication blind spot.
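The advisory describes the weakness only in general terms. The following is an added illustration, not DotNetNuke's own code and not the fix shipped in 4.9.0: a hypothetical skin-path validator showing the difference between a check that only confirms the requested file is an existing .ascx (which lets a request name any control in the application, such as an admin control) and a check that also canonicalises the path and confines it to the skins directories. The parameter name (SkinSrc), the skins folders (Portals/_default/Skins and Portals/<id>/Skins) and the application root are assumptions made for the example.

```csharp
using System;
using System.IO;

// Hypothetical validator for a skin path taken from a request parameter.
// This is illustrative code, not DotNetNuke's implementation.
public static class SkinPathValidator
{
    // Weak check: any path that exists and ends in .ascx is accepted, so a
    // request such as ?SkinSrc=/DesktopModules/SomeAdmin/Control.ascx loads an
    // arbitrary user control instead of a skin.
    public static bool IsSkinWeak(string appRoot, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return false;
        string relative = requested.TrimStart('/', '\\').Replace('/', Path.DirectorySeparatorChar);
        string full = Path.Combine(appRoot, relative);
        return full.EndsWith(".ascx", StringComparison.OrdinalIgnoreCase) && File.Exists(full);
    }

    // Hardened check: reject rooted paths and NUL bytes, canonicalise with
    // GetFullPath (which resolves ".." segments), require the .ascx extension,
    // and require the result to sit inside one of the allowed skin roots.
    public static bool IsSkinStrict(string appRoot, string[] skinRoots, string requested)
    {
        if (string.IsNullOrEmpty(requested) || requested.IndexOf('\0') >= 0) return false;

        string relative = requested.TrimStart('/', '\\').Replace('/', Path.DirectorySeparatorChar);
        if (Path.IsPathRooted(relative)) return false;   // e.g. C:\... or \\server\share

        string full;
        try
        {
            full = Path.GetFullPath(Path.Combine(appRoot, relative));
        }
        catch (Exception)   // invalid characters, unsupported format, path too long
        {
            return false;
        }

        if (!full.EndsWith(".ascx", StringComparison.OrdinalIgnoreCase)) return false;

        foreach (string root in skinRoots)
        {
            // Trailing separator prevents "Skins" from matching "SkinsEvil".
            string rootFull = Path.GetFullPath(Path.Combine(appRoot, root))
                              .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
            if (full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase))
                return File.Exists(full);
        }
        return false;
    }

    public static void Main()
    {
        // Assumed layout; adjust appRoot to an actual site to try this.
        string appRoot = @"C:\inetpub\wwwroot\dnn";
        string[] skinRoots = { @"Portals\_default\Skins", @"Portals\0\Skins" };

        string[] requests =
        {
            "/Portals/_default/Skins/MinimalExtropy/index.ascx",   // legitimate skin
            "/DesktopModules/SomeAdmin/Control.ascx",              // arbitrary control
            "/Portals/_default/Skins/../../../web.config",          // traversal, wrong extension
            "/Portals/_default/Skins/../../DesktopModules/X.ascx", // traversal to a control
        };

        foreach (string r in requests)
        {
            Console.WriteLine("{0}\n  weak:   {1}\n  strict: {2}",
                r, IsSkinWeak(appRoot, r), IsSkinStrict(appRoot, skinRoots, r));
        }
    }
}
```

On a real site, the weak check returns true for every request above whose target file exists, including the admin control and the traversal that lands on a control outside the skins folders; the strict check returns true only for the first request. The important design point is that the extension check alone proves nothing about what the control does when loaded; confining the canonicalised path to the skin directories is what keeps the skin loader from becoming a general control loader.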

Mitigating factors

This vulnerability only allows existing .ascx files to be loaded, and many of those controls perform their own additional security checks, which prevents them from being exploited in this way.

Affected DotNetNuke versions

  • 2.0 - 4.8.4

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, it is recommended that you update to the latest version of DotNetNuke (4.9.0 at the time of writing).

Acknowledgments

DotNetNuke thanks the following for working with us to help protect users:

  • Brandon Haynes

Security Policy

See the DotNetNuke Security Policy for more details.