Published: Jan 19, 2011
Version: 1.0
Maximum Severity Rating: Critical
Background
DotNetNuke supports a system of granular permissions that lets administrators assign capabilities such as edit, view, and administrate to pages and modules.
Issue Summary
A logical error was introduced which meant that a user who had "edit" access was also able to access module settings. Once module settings were accessed, the user could grant themselves additional granular permissions.
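The class of error described above, as an added illustration that is not DotNetNuke's code: a hypothetical permission model in which the settings gate accepts "edit", beside a corrected gate that requires module administration. The `Perm`, `Module`, `CanOpenSettings*` and `TryGrant` names, the assumed shape of the flawed check, and the `editor` user are all constructed for this example.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model of per-module granular permissions; not DotNetNuke code.
[Flags]
enum Perm { None = 0, View = 1, Edit = 2, Admin = 4 }

class Module
{
    // Constructed ACL: user name -> permissions granted on this module.
    public Dictionary<string, Perm> Acl = new Dictionary<string, Perm>();

    Perm Of(string user) => Acl.TryGetValue(user, out var p) ? p : Perm.None;

    // Assumed shape of the logical error: "edit" is accepted for the settings screen.
    public bool CanOpenSettingsFlawed(string user) => (Of(user) & (Perm.Edit | Perm.Admin)) != 0;

    // Corrected gate: only administrators of the module reach its settings.
    public bool CanOpenSettingsFixed(string user) => (Of(user) & Perm.Admin) != 0;

    // The settings screen edits the ACL, so whoever passes the gate can grant anything.
    public bool TryGrant(string actor, string target, Perm perm, Func<string, bool> gate)
    {
        if (!gate(actor)) return false;   // access denied, ACL unchanged
        Acl[target] = Of(target) | perm;
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        foreach (var useFixed in new[] { false, true })
        {
            var m = new Module();
            m.Acl["editor"] = Perm.View | Perm.Edit;   // constructed user with "edit" only

            Func<string, bool> gate = m.CanOpenSettingsFlawed;
            if (useFixed) gate = m.CanOpenSettingsFixed;

            // Regression check: an "edit" user must not be able to self-grant Admin.
            bool granted = m.TryGrant("editor", "editor", Perm.Admin, gate);
            string label = useFixed ? "fixed" : "flawed";
            Console.WriteLine(label + " gate: self-grant=" + granted + ", ACL=" + m.Acl["editor"]);
        }
    }
}
```

The same self-grant attempt works as a regression test after upgrading: log in as a user with only "edit" on a module and confirm the settings screen is refused.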
Mitigating factors
This only affects sites where users are granted "edit" permissions; that is, sites where single users administrate all the content are not affected.
Affected DotNetNuke versions
Non-Affected Versions:
Fix(s) for issue
To fix this problem, it is recommended that you update to the latest version of DotNetNuke (5.6.1 at time of writing).
Acknowledgments
Community members David Lee & Roger Selwyn independently reported the issue.
Security Policy
Click here to read more details on the DotNetNuke Security Policy