Published: September 10, 2008
Version: 1.0
Maximum Severity Rating: Critical
Background
DotNetNuke supports using parameters to change the current skin, to allow users to preview skin files and also to dynamically load functions on request.
Issue Summary
Skin files are based on asp.net user controls (ascx) but add additional functionality such as security validation. Due to a weakness is validating the parameter it is possible to load an existing ascx file directly rather than loading a skin file that then loads the control. In a limited number of scenarios this can allow certain existing controls to subvert the security mechanism and could result in users gaining access to admin or host functions. Code has been added to close this authentication blindspot.
Mitigating factors
This vulnerability only allows existing ascx files to be loaded, many of which have additional security checks, ensuring that they could not be exploited.
Affected DotNetNuke versions
Non-Affected Versions:
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.9.0 at time of writing)
Acknowledgments
DotNetNuke thanks the following for working with us to help protect users:
Security Policy
Click here to read more details on the DotNetnuke Security Policy