Published: Feb 1, 2012
Version: 1.0
Maximum Severity Rating: Low
Background
DotNetNuke 6.0 introduced the DotNetNuke.RadEditorProvider. It contains a function that allows users to test for the existence of files; this function is primarily used by client-side scripts to detect the existence of images, e.g. for image thumbnails.
Issue Summary
The function uses direct filesystem methods rather than the DotNetNuke API to check whether these files exist, so it can be used to confirm the existence of a file with an unmapped extension, e.g. a .resources or .config file. Code has been added to ensure that only image types can be checked.
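To illustrate the class of fix described above, here is an added example (not DotNetNuke's own code) contrasting an unrestricted file-existence check with one that refuses non-image extensions and paths outside a fixed root before touching the filesystem. The root path, the extension list and the method names are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example, not DotNetNuke code. Shows why an existence check must be
// constrained by extension and by root directory before calling File.Exists.
public static class FileExistenceCheck
{
    // Hypothetical portal root the check is allowed to look under.
    private static readonly string PortalRoot = Path.GetFullPath(@"C:\inetpub\dnn\Portals\0");

    // Extensions treated as images; anything else is refused without a disk access.
    private static readonly string[] ImageExtensions = { ".jpg", ".jpeg", ".png", ".gif", ".bmp" };

    // Weak form: reports the existence of any file the worker process can stat,
    // including .config or .resources files, which is the behaviour this advisory fixes.
    public static bool ExistsUnrestricted(string relativePath)
    {
        return File.Exists(Path.Combine(PortalRoot, relativePath));
    }

    // Hardened form: extension allowlist first, then confinement to PortalRoot.
    public static bool ExistsImageOnly(string relativePath)
    {
        if (string.IsNullOrEmpty(relativePath)) return false;

        string ext = Path.GetExtension(relativePath);
        if (!ImageExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase))
            return false;

        // Path.Combine returns the second argument unchanged if it is absolute,
        // and "..\" segments are only resolved by GetFullPath, so normalise and
        // then require the result to sit strictly below the root.
        string full = Path.GetFullPath(Path.Combine(PortalRoot, relativePath));
        if (!full.StartsWith(PortalRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return false;

        return File.Exists(full);
    }

    public static void Main()
    {
        foreach (var p in new[] { @"Images\logo.png", @"..\..\web.config", @"App_GlobalResources\x.resources" })
            Console.WriteLine($"{p}: unrestricted={ExistsUnrestricted(p)} imageOnly={ExistsImageOnly(p)}");
    }
}
```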
Mitigating factors
This issue only allows the existence of a file to be confirmed; it does not allow the file to be read or altered.
Affected DotNetNuke versions
Non-Affected Versions:
Fix(s) for issue
To fix this problem, update to the latest version of DotNetNuke (6.1.3 at time of writing).
Acknowledgments
Brandon Haynes
Security Policy
Read more details on the DotNetNuke Security Policy.