Published: March 14, 2008
Version: 1.0
Maximum Severity Rating: Critical
Background
For the 3.0 release of DotNetNuke, the security model was changed to use a validationkey to encrypt the forms authentication cookie and the viewstate. Under certain rare circumstances this key may not be updated during install or upgrade, and the unchanged key value could allow a potential hacker to access the portal as any user, including both the host and admin accounts.
Issue Summary
During installation of new releases, or upgrade of any release prior to 3.0, DotNetNuke automatically generates a unique validationkey to secure the user's forms authentication cookie and viewstate. If this value is not updated, the "known" value can be used to access the portal. To install DotNetNuke, the user must have write access to the root folder. For the validationkey to fail to be updated, the same user must fail to update the web.config file, i.e. either not have write permissions to it, or the file is set as "read only".
Mitigating factors
This issue will only manifest under a reasonably rare set of permissions.
Affected DotNetNuke versions
Non-Affected Versions:
Fix(s) for issue
1. To fix this problem, we recommend that you update to the latest version of DotNetNuke (4.8.2 at time of writing).
2. Check your web.config file. If the validationkey value is not set to "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902" then your portal does not suffer from this issue.
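The check in step 2 can be scripted for one or more sites. This is an added example, not DotNetNuke's own code: it parses web.config, compares every machineKey validationkey with the value published above, and reports whether the file is writable, since a read-only file is what stops the installer from replacing the key. The function names and the sample configuration are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Default value published in step 2 of this advisory.
KNOWN_DEFAULT_KEY = "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"

# Constructed sample: a minimal web.config still carrying the default key.
SAMPLE_DEFAULT = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
                validation="SHA1" />
  </system.web>
</configuration>"""


def check_config(xml_data):
    """Classify web.config content (str or bytes).

    Returns 'vulnerable', 'ok', 'no-key' or 'unparseable'.
    """
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return "unparseable"
    keys = []
    for elem in root.iter():
        # Ignore any XML namespace and compare names case-insensitively.
        if elem.tag.rsplit("}", 1)[-1].lower() != "machinekey":
            continue
        for name, value in elem.attrib.items():
            if name.lower() == "validationkey":
                keys.append(value.strip().upper())
    if not keys:
        return "no-key"
    return "vulnerable" if KNOWN_DEFAULT_KEY in keys else "ok"


def check_file(path):
    """Return (verdict, writable) for one web.config on disk."""
    with open(path, "rb") as handle:
        verdict = check_config(handle.read())
    # A read-only file is what prevents the installer from replacing the key.
    mode_writable = bool(os.stat(path).st_mode & stat.S_IWUSR)
    return verdict, mode_writable and os.access(path, os.W_OK)


if __name__ == "__main__":
    print(check_config(SAMPLE_DEFAULT))
```

A "vulnerable" verdict together with a non-writable file matches the condition described in the Issue Summary.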
Acknowledgments
Brian Holyfield - Gotham Digital Science