User account escalation Vulnerability

Published: Feb 17, 2010

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke supports the concept of multiple portals working within one website (e.g. www.mysite.com). These portals can take the form of a "child" of the main portal (e.g. mysite.com/child) or else a "parent" (e.g. parent.mysite.com). As each portal is unique, a user who moves between portals is automatically expired and their permissions are regenerated, meaning that an Administrator on one portal is not automatically an Administrator on another.

Issue Summary

There is a weakness in how a user's roles are expired. It opens a window in which a user with rights on one portal could gain those rights on another portal.

Mitigating factors

There are a number of substantial mitigations for this issue:

  • This issue is only possible on portals within the same website instance, i.e. under the same copy of the DotNetNuke code in IIS. It is not possible to do this with details from one instance (i.e. IIS website) to another instance, even on the same server.
  • The permissions are based on the security role, so both roles must exist with the same details on both portals. By default only the Administrators role exists with the same details on all portals.
  • The window to do this is limited by an automated function which expires the user's security roles every minute. As potential hackers need to log into one portal, capture credentials, then log out and log into the other portal and use the captured credentials, this greatly minimises the risk of exposure.
  • A potential hacker must have authorized accounts on 2 or more portals, and one of these must have additional security roles.

Affected DotNetNuke versions

All

Non-Affected Versions:

N/A

Fix(s) for issue

To fix this problem, it is recommended that you update to the latest version of DotNetNuke (5.2.3 at time of writing).

Acknowledgments

Kevin Southworth
