DNN Blog

Apr 28

Posted by: smehaffie
4/28/2007 12:45 AM

When it comes to the security of DNN, the whole community is involved. As the users who use DNN every day, it is our responsibility to report any security holes to the DNN security department according to the security policy (http://www.dotnetnuke.com/Community/SecurityPolicy/tabid/940/Default.aspx).

Gemini (support.dotnetnuke.com) is not the right place to submit security exploits found in DNN, especially if the submission includes the steps that can be used to take advantage of the exploit being reported. Remember, all the issues are viewable by anyone who wants to take a look (that includes those who have other motives for browsing the issues database). On the other hand, Gemini can be used to report security issues.

Now, for those of you not sure of the difference between a security issue and a security exploit, below is a definition of each:

Security Exploit: A way for a user to circumvent the internal security of DNN, thus allowing someone to get access to areas of the program / site that they should not have access to.

Security Issue: Something that might not be considered good security practice but does not allow someone to circumvent the internal security of DNN. Some examples of this would be: showing the user's password in clear text instead of masking it, sending the user's password in an email to the user, etc.

When deciding whether to enter an item in Gemini or report it to the DNN security department according to the stated policy, just use common sense. Don't enter anything in Gemini that another user could possibly use to get unauthorized access to other DNN sites.

 

 
