
Vulnerability in DotNetNuke could allow restricted file types to be uploaded

Published: August 02, 2006

Version: 1.1 (edited August 07, 2006) - added note to remove the FTB provider folder and associated DLLs.

Maximum Severity Rating: Medium

Background

To support a number of core functions and modules, DotNetNuke ships with a WYSIWYG editor control, a Word-style editor that allows users to add and format HTML. Rather than hard-code one particular product as the editor, DotNetNuke uses an HTML editor provider so that administrators can easily switch to other editors. The default HTML editor shipped with DotNetNuke uses the FreeTextBox component.

Issue Summary

As a security measure, DotNetNuke restricts the file types that can be uploaded. An issue has been reported in the FreeTextBox component whereby users can upload file types that DotNetNuke does not allow, thereby bypassing the built-in filtering. This could be used as the basis for gaining unauthorised access to portal files or data.

Mitigating factors

To be affected, a site would have to grant edit permissions to one or more users for a module that uses the editor component, such as the Text/HTML module. In addition, the user would have to have permission to upload files. Sites that do not grant these permissions to users, or that do not use the FreeTextBox implementation of the HTML editor provider, are not vulnerable to this issue. For example, a site where all content is maintained by a single administrator who has host and portal admin permissions would not be affected.

Affected DotNetNuke versions

  • 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.3.0, 4.3.1, 4.3.2

Non-Affected Versions:

  • any version prior to 3.1.1
  • 3.3.3/4.3.3 and above

Fixes for the issue

To fix this problem, use either of these two options:

Option 1

Upgrade to version 3.3.3/4.3.3 or later. This is the recommended solution.

Option 2

Use an alternative HTML editor provider, such as the free FCKEditor. Please note that you will also have to remove the existing FTB editor and its associated DLLs, i.e. delete the HtmlEditorProviders\Ftb3HtmlEditorProvider folder from your installation and remove FreeTextBox.dll and DotNetNuke.Ftb3HtmlEditorProvider.dll from your bin folder.
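The following is an added example, not DotNetNuke's own code, that turns the affected version ranges and the Option 2 clean-up paths from this bulletin into a check an administrator can run against a web root. It assumes the standard layout (HtmlEditorProviders and bin directly under the web root); the demo function builds a constructed directory tree rather than touching a real site.

```python
import tempfile
from pathlib import Path

# Bulletin ranges: 3.1.1 <= v < 3.3.3 and 4.0.0 <= v < 4.3.3; all others unaffected.
AFFECTED_RANGES = (((3, 1, 1), (3, 3, 3)), ((4, 0, 0), (4, 3, 3)))

# Paths the bulletin's Option 2 says to delete, relative to the web root.
FTB_ARTIFACTS = (
    Path("HtmlEditorProviders") / "Ftb3HtmlEditorProvider",
    Path("bin") / "FreeTextBox.dll",
    Path("bin") / "DotNetNuke.Ftb3HtmlEditorProvider.dll",
)

def parse_version(text):
    """'4.3.2' -> (4, 3, 2); rejects anything that is not major.minor.patch."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts

def is_affected(version):
    """True when the DNN version string falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def ftb_residue(install_root):
    """FTB provider paths still present under install_root (empty = clean)."""
    root = Path(install_root)
    return [str(p) for p in FTB_ARTIFACTS if (root / p).exists()]

def assess(version, install_root):
    """One-line exposure verdict combining the version and file checks."""
    if not is_affected(version):
        return "not affected: version outside the bulletin's ranges"
    leftovers = ftb_residue(install_root)
    if not leftovers:
        return "affected version, but FTB provider removed (Option 2 applied)"
    return "VULNERABLE: FTB provider still present: " + ", ".join(leftovers)

def demo():
    """Assess a constructed 4.3.2 web root that still carries the FTB files."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in FTB_ARTIFACTS:
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            if rel.suffix == ".dll":
                target.write_bytes(b"")  # constructed placeholder, not a real DLL
            else:
                target.mkdir(exist_ok=True)
        return assess("4.3.2", tmp)
```

Run `assess("<your version>", r"C:\path\to\webroot")` against a real installation; a clean result after Option 2 means all three paths are gone.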

Acknowledgments

DotNetNuke thanks the following for working with us to help protect users:

  • Peter Schotman
  • Richard from DNN-modules
