Published: Feb 1, 2012
Maximum Severity Rating: Low
DotNetNuke 6.0 introduced the DotNetNuke.RadEditorProvider. It contains a function which allows users to test for the existence of files. This function is primarily used by client-side scripts to detect the existence of images, e.g. for image thumbnails.
The function checks for these files with direct filesystem methods and not the DotNetNuke API, so it can allow the existence of a file with an unmapped extension to be confirmed, e.g. a .resources or .config file. Code has been added to ensure that only image types can be used.
This issue only allows for the existence of a file to be confirmed and does not allow the file to be read or altered.
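The kind of check described above, as an added example that is not DotNetNuke's own code: a file-existence test that answers only for image extensions. The class and method names and the extension list are assumptions, and the root-folder containment test goes beyond what the advisory describes.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Hypothetical helper (not part of DotNetNuke): existence check limited to image types.
public static class ImageExistenceCheck
{
    // Assumed allow-list; the advisory only says "image types".
    private static readonly HashSet<string> ImageExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".gif", ".jpg", ".jpeg", ".png", ".bmp" };

    public static bool ImageExists(string rootFolder, string relativePath)
    {
        if (string.IsNullOrWhiteSpace(relativePath)) return false;

        string root = Path.GetFullPath(rootFolder)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full;
        try { full = Path.GetFullPath(Path.Combine(root, relativePath)); }
        catch (Exception) { return false; } // malformed path: same answer as "not found"

        // Added assumption: the resolved path must stay under the root folder.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        // Decide on the extension before touching the filesystem, so a .config or
        // .resources file gets the same answer whether or not it exists.
        if (!ImageExtensions.Contains(Path.GetExtension(full))) return false;

        return File.Exists(full);
    }

    public static void Main()
    {
        // Constructed sample folder with one image and one non-image file.
        string root = Path.Combine(Path.GetTempPath(), "exists-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(root);
        File.WriteAllText(Path.Combine(root, "logo.png"), "x");
        File.WriteAllText(Path.Combine(root, "web.config"), "x");

        foreach (string name in new[] { "logo.png", "missing.png", "web.config", "../web.config" })
            Console.WriteLine(name + " -> " + ImageExists(root, name));

        Directory.Delete(root, true);
    }
}
```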
Affected DotNetNuke versions
Fix(s) for issue
To fix this problem, it is recommended that you update to the latest version of DotNetNuke (6.1.3 at time of writing).