Version: 1.0

Maximum Severity Rating: Medium

Background

Under certain circumstances DotNetNuke could be vulnerable to a cross-site request forgery attack (http://en.wikipedia.org/wiki/Cross-site_request_forgery) against functions available to all users.

Issue Summary

DotNetNuke contains a number of layers of protection to ensure that one user cannot execute actions as another user. These include both encoding and encrypting data to ensure it isn't tampered with. In addition code exists to maintain data integrity over postbacks. However, if a site allows new users to register, these users can access a number of public functions shared by all users. They can then capture some of the site specific data integrity values and use these via a CSRF attack to alter data via these public functions for other users.

Mitigating factors

1. If the site doesn't support public or verified registration the hacker cannot create a user to gain access to copy the data integrity values.

2. For a CSRF to work against a different user it requires that the user is logged in - by default DotNetNuke does not use persistent cookies so this will not always be the case. Note theres a host setting to disable presistent cookies ("remember me").
 
3. a user has to be tricked into visiting a page on another site that executes the CSRF.

Affected DotNetNuke versions

All

Non-Affected Versions:

N/A

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.4.3 at time of writing).


Acknowledgments

Eugene Wahrlich
MWR InfoSecurity
http://labs.mwrinfosecurity.com/

Security Policy

Click here to read more details on the DotNetNuke Security Policy