Published: April 05, 2007
Version: 1.0
Maximum Severity Rating: Medium
Background
DotNetNuke contains core code (FileServerHandler) to manage items that can be linked to such as files and URL's. This code allows the ability to apply user permisions and logging the number of clicks on the resource.
Issue Summary
Whilst the FileServerHandler validates user permissions for files, it implicitly trusts URL's, so it is possible for a hacker to publish a url to your site that does a redirect to another site. As the base url is your site, then it could fool users into believing that the url has been approved by your site e.g. a url like the following
http://www.dotnetnuke.com/linkclick.aspx?link=http://untrustedwebsite.com
would suggest to users that dotnetnuke.com trusted that site, when in fact it's not a link that has been published.
Note: To fix this issue, the handler now checks in the database to see if the link exists. If the link does not exist in the database then it is assumed to be a phishing request and will not redirect.
Further information on phishing can be found here.
Affected DotNetNuke versions
Non-Affected Versions:
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.5 at time of writing).
Acknowledgments
DotNetNuke thanks the following for working with us to help protect users:
Security Policy
Click here to read more details on the DotNetnuke Security Policy