Security Bulletin no.8

Phishing risk in login redirect code

Published: July 18, 2007

Version: 1.0

Maximum Severity Rating: Medium

Background

DotNetNuke allows administrators to use the standard login page or create their own custom login page. When an unauthenticated user arrives at a site and attempts to access a protected resource, they are redirected to the appropriate login page. As part of this process the original request for the protected resource is remembered so that, once the user has successfully logged in, they can be redirected to the originally requested resource.

Issue Summary

The return path for the protected resource is stored as a URL in a query-string parameter. This value was implicitly trusted, so an attacker could publish a link to your site that already contains this query-string parameter and point it at an untrusted site: the user logs in on your genuine login page and is then redirected to the attacker's destination. A fix has been added to ensure that only paths relative to the website are accepted.
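The following is an added example, not DotNetNuke's own code, showing the kind of check the fix describes: a login-page helper that honours the post-login return URL only when it is a path relative to this site and otherwise falls back to a known page. The class, method names, the `DefaultPath` fallback and the sample values (including the `attacker.example` host) are all assumptions constructed for the example; it assumes the value has already been URL-decoded once, as `Request.QueryString` does.

```csharp
using System;

// Added example (not DotNetNuke code): accept a post-login return URL only when it
// is a path relative to this site, as the 4.5.4 fix is described as enforcing.
public static class ReturnUrlGuard
{
    // Hypothetical fallback page used whenever the supplied return URL is rejected.
    public const string DefaultPath = "/Default.aspx";

    // Returns true only for a site-relative path such as "/Admin/Pages.aspx?tabid=3".
    public static bool IsSiteRelative(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;
        string value = returnUrl.Trim();
        if (value.Length == 0) return false;

        // Control characters (CR/LF, tab) could split or obscure the Location header.
        foreach (char c in value)
            if (char.IsControl(c)) return false;

        // An absolute URL such as "http://attacker.example/" never starts with '/'.
        if (value[0] != '/') return false;

        // A second slash or a backslash ("//attacker.example", "/\attacker.example")
        // is treated by browsers as a protocol-relative URL to another host.
        if (value.Length > 1 && (value[1] == '/' || value[1] == '\\')) return false;

        return true;
    }

    // The hardened behaviour: off-site or malformed values are replaced by DefaultPath.
    public static string SafeTarget(string returnUrl)
    {
        return IsSiteRelative(returnUrl) ? returnUrl.Trim() : DefaultPath;
    }

    public static void Main()
    {
        // Constructed sample values as they would appear after the query string is decoded.
        string[] samples =
        {
            "/Admin/Pages.aspx?tabid=3",        // accepted: site-relative
            "http://attacker.example/login",    // rejected: absolute URL to another host
            "//attacker.example/login",         // rejected: protocol-relative URL
            "/\\attacker.example",              // rejected: backslash variant
            "/Home.aspx\r\nSet-Cookie: x=y",    // rejected: header-splitting characters
            "",                                 // rejected: empty
        };

        foreach (string s in samples)
        {
            string shown = s.Replace("\r", "\\r").Replace("\n", "\\n");
            Console.WriteLine("{0,-36} -> {1}", shown, SafeTarget(s));
        }
    }
}
```

The check is deliberately an allow-list (must begin with a single forward slash, no control characters) rather than a deny-list of known bad prefixes, because the hostile forms a browser will follow are more varied than the safe form the site actually needs.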

Further information on phishing can be found here.

Affected DotNetNuke versions

  • All versions

Non-Affected Versions

  • 4.5.4

Fix(es) for issue

To fix this problem, it is recommended that you update to the latest version of DotNetNuke (4.5.4 at the time of writing).

Acknowledgments

DotNetNuke thanks the following for working with us to help protect users:

Security Policy

Click here to read more details on the DotNetnuke Security Policy
