Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke contains support for user profile properties to capture values such as city, state etc., as well as any custom properties required for each user

Issue Summary

At present profile properties automatically strip dangerous XSS characters from data. In addition they support regular expressions to allow sites to configure the allowable characters. To conform to security best practices we've added an additonal htmlencoding to ensure dangerous html cannot be output.

Mitigating factors

1. Profile properties contain support for validating data passes a regular expression match. A site can configure these to ensure dangerous values do not slip through.

2. The user profile function is fully templatable, a site can configure this to minimise or eliminate potential issues.

3. The core already implements HttpOnly cookies to stop XSS attacks potentially stealing authentication cookies.

Affected DotNetNuke versions

5.3.0 - 5.4.2

Non-Affected Versions:

All others

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.4.3 at time of writing).

Acknowledgments

Corneliu I. Tusnea
www.OneSaas.com

www.twitter.com/corneliu

Security Policy

Click here to read more details on the DotNetNuke Security Policy