Re: Removing the Administrator ability to upload skins

I think so, too

Re: Removing the Administrator ability to upload skins

Hi Cathal

Thanks for the wonderful topic. However, I think 5.0 is going to pose some serious challenges for our intitiative based on DNN called iFlaker (www.iflaker.com). We have opened DNN to work pretty much like start up page sites such as Pageflakes and allow administrators to upload their skins. Now that you will be doing away with it, I am not sure if it will be worth our while to stay with the latest DNN.

Also reagrding the uploading of modules, We would like to be able to upload modules just for a specific portal or certail group of portals. This would help in a case where someone buys a module for their portal only not for everyone to benefit from it.

Nonetheless, I understand your point of view, but for an initiative like iFlaker I hope we can find a better way.


G

Re: Removing the Administrator ability to upload skins

Thanks, we will also look into building that module for uploading skins and module by administrators.

I will also play around with the premium module setting.

I've got a question and I am not sure if this is the right place to ask. As you might have seen how www.iflaker.com works. Let say someone went into iflaker and customised it and then signed up and call their portal 'gnkuna' which then makes their child portal http://www.iflaker.com/gnkuna. Now, they decide to personalise their URL to http://www.gnkuna.com. Is it possible to link http://www.gnkuna.com to that child portal and use the DNN billing in iflaker. I am asking this because although working on iFlaker is free for the end user, one of our five revenue generating models would be to bill users as soon as they want to personalise their URLs and host with us.


G

Re: Removing the Administrator ability to upload skins

I think this is a backward step. Going forward DNN should be providing the framework for super users to provide granular access to both Admin and Host functions to other user roles.
DNN should provide the security to ensure that the permissions a super user doles out aren't usurped.
As to being a security issue we currently have a default setting that prevents an Administrator from uploading skins so unless an Administrator can change this there isn't a security problem from the Administrator vector.
I do agree that a module that will allow the uploading of 'non active' skins is a great idea.
Antony

Re: Removing the Administrator ability to upload skins

Suggestion: What about BOTH?
In the Host Admin, give the host the ability to Grant/Deny that privilege with a check mark for each site in the portal. Some Site Administrators have the skill and knowledge to perform such a change and some just do not or should not. By controlling that ability via permissions granted by the Host would be a great solution/compromise.

Re: Removing the Administrator ability to upload skins

I would appreciate also the solution that host can grant skin upload to trusted admins. In a corporate environment with lots of branch offices otherwise it would mean a great loss of flexibility. E.g. if a subsidiary wants to promote some marketing with a microsite: you have to go to the host and ask him very polite to upload a skin…
There are environments with more security issues and some with more trusted users. So please let the decision by the host what he grants.

Re: Removing the Administrator ability to upload skins

Keep in mind that a user with upload privileges could inadvertently upload a third-party skin with a malicious payload – merely trusting the uploading user isn’t enough. This has always been a feature fraught with risk. I’m happy to see it go.

I suspect that the core team’s main motivation here was to move this sort of risky vulnerability out of the framework and let them focus on more important requirements. This slack will certainly be taken up by third party modules, so any host who wants to accept this risk will have an avenue with which to do so. Everyone wins?

Re: Removing the Administrator ability to upload skins

We are using DotNetNuke only on secure intranet corporate environment. Users don't have access/rights to the operating system, command promptm usb-ports or the world wide web.
So, what are the risks? I agree with the post from bbuell:
"So controlling that ability via permissions granted by the Host would be a great solution/compromise".

Re: Removing the Administrator ability to upload skins

@cathal We currently allow Admin's and other users to upload files into DNN. The host can change the list of allowable files to include html, ascx or any other extension for that matter. What is the difference in allowing this but not allowing the host to delegate the responsibility for uploading skins to administrators?
Antony

Re: Removing the Administrator ability to upload skins

You know, in teaching my class this week I thought of a way you could really hack a website through the skin uploads. Talk about timing, I guess I don't have to bring this up as a security issue for Cathal :)

Re: Removing the Administrator ability to upload skins

If a host explicitly enables a user to upload potentially dangerous payload (ie. executables, aspx, ascx, etc) then they are assuming full responsibility for that risk. However, if the framework enables (in fact encourages) a host to grant seemingly innocent functionality to a another user that could compromise the platform, that is a flaw in the platform. If a host gives another user the capability (by enabling skin upload) to make themselves a host user (which is the kind of risk we are talking about), then they can already do that by making them a Super User. If that is not the desired functionality, than you are agreeing that this is not a good "feature"...

This is simply a case where the best rule is to safeguard the platform and enable the extensions market to provide this functionality to those that desire it and are willing to accept that risk (which is perfectly valid in some scenarios). The number of acceptable security breaches due to this this "feature" in the platform itself should be -0-.

The reality is that there is no way to delegate this access to a user and systematically protect the platform from abuse at the same time (we'd have to write our own AV software to even come close). So if it is an explicit decision to weaken the security of the platform (for your specific use case), then it should also be an explicit decision to introduce the features that make that possible (ie. by adding the file extensions to your safe uploads, or adding a module which circumvents these safeguards).

We cannot guarantee that people choose the most secure options (they will vary according to your use case). But we must do everything we can to ensure that nobody gets themselves in trouble unintentionally.

Breaking administration modules into the realm of the configurable (as we are with 5.0) is going to make for a very exciting new generation of module development. It will be exciting to see how that takes shape.

Re: Removing the Administrator ability to upload skins

@Cathal I agree with you about never allowing the uploading of ascx/aspx files what I was intending with the example is that on one hand we are looking at 'physically' preventing the uploading of skins by a user authorised by the person who is in total control of the install but leaving probably a larger hole by allowing the host to allow the uploading of any type of file. From a security standpoint I have been taught you don't rely on what you believe a reasonable person would do. its the 'unreasonable' people that cause the problems. If there is a security risk then you use a physical control.
Another point to consider is of all the DNN installs out there, how many have host users who are experienced with web security and would understand the issues with the allowing of active files? In the event of an Admin user not being able to upload skins the inexperienced are going to provide more users host rights so work they see as necessary can be done by others.
Those installs that need to meet specified security standards and audits are going to be configured by a professional and the more secure ones be modified to a particular purpose.
I still think allowing the 'host' user decide on the security level they want to implement and providing the tools to provide a secure configuration is still the best way. Just the same that a Domain Administrator in windows decides who is responsible enough to be given rights that could compromise a system/network.
Though, for those who might not realize the implications of allowing skin uploads or widening the filter of files that can be uploaded a nice big RED warning message would be good.
I still agree that it would be great for some form of module that allowed the uploading of skins/containers comprising only of straight HTML, client side JS, CSS, image and XML config files which are then parsed by the system. A while back I obtained some pricing for a project that would fulfill this, the time quoted were for a couple of days work which doesn't appear to be a lot.
Apologies for keeping on about this but as you can probably tell I do feel pretty strongly about allowing the host deciding the level of security of their install.
Antony

Re: Removing the Administrator ability to upload skins

I've got another suggestion, I am not too sure if this is feasible or not. The default skins that ship with DNN dont have any code on the ascx or even the code-behind (ie ascx.vb). For public skin upload, won't it be possible to check (like craping the ascx) if there is embedded code or code-behind and then reject the skin if there is some kind of code. A host account can of course be able to uploud skins with code and if an administrator needs to uplaod skin with code they will have to go through the hoster first.

Since you mention DNN 5.0 on this blog and I also heard that it is on beta, can you lead me to where I can get a copy so I can start playing with it? At iFlaker (www.iflaker.com), we would like to keep up with the latest DNN.


G

Re: Removing the Administrator ability to upload skins

I think it is a good step for security as well as consistency to disallow admins the right to upload a skins.
I predict that before 5.0 comes out, some module developer will provide us with a nifty module that allows admins (and other users) to upload skins.

Re: Removing the Administrator ability to upload skins

@mrswoop
In the end it should be consistent. The way DNN wants to go is do everything that can be done to make sure people don't get into trouble unintentionally. I agree with the intent just not the implementation in this case.
Is there really a difference in providing an option for a host user to allow an administrator to upload skins or allowing the same host user to change the types of files that can be uploaded? Both appear to offer the same level of 'encouragement'. Both open the framework up to security issues.
'We' (used to encompass the community of DNN professionals) say one of the great things about DNN is it's flexibility and extensibility we encourage the use of third party modules which affects the security of the install.
In the right hands the options and security implications will be weighed and a decision made. In the less experienced hands the implications won't be known. Prevent the option but let a third party module provide the option abdicates the responsibility.
DNN isn't a simple single function application it's more of an ecosystem and as such there will be areas that are more dangerous than others. Educate rather then prevent. Place dire warning messages on the Host Settings and Module Install pages explaining the possible consequences of changing an option or installing a module.
... OK where is that next cup of coffee!
Antony

Re: Removing the Administrator ability to upload skins

@Anthony
Given the fact that DNN is indeed an ecosystem, and the fact that there are already a large number of modules in our ecosystem that should be labeled "dangerous" (e.g. modules that allow for direct access into the DNN database), it is even more important that its backbone is strong and secure.
Peter

Re: Removing the Administrator ability to upload skins

I am glad this decision has been made and any change that makes the core more secure for the masses is a good change. The good news is that because of DNN extensibility, for sites that rely on admin having the ability to upload skins this is not a big showstopper. As it has been pointed out there will probably be multiple 3rd party application that will be available to allow this functionality, or a site owner might decide to right there own module. To me that says a lot about DNN and just how flexible it is, while at the same time we can make the core as secure as possible when these type of security risk are brought to our attention.

Instead of looking at this as a bad thing, for some it could the the possibility of creating a "killer DNN module". Plus, it will actually give DNN users more options on how this is handled, because they will have multiple 3rd party modules to choose from, and they can choose the ones that best fit there needs.

Re: Removing the Administrator ability to upload skins

I think this is a good move. Skins are too powerful. Perhaps someday skins can be further abstracted to the point that it can become possible to give some (even much) access to css and layout of panes and controls to administrators. But right now skins go too close to the core to give this kind of access to portal admins. There's too much to know to expect admins to be able to make good choices about third-party skins, or to roll their own. But it doesn't have to stay this way forever.

Re: Removing the Administrator ability to upload skins

Wow. I certainly hope a free module is made. It seems a shame to make a change to "force" the DNN community to have to buy something that they have had for free for such a long time. While I agree with both sides of the argument (aweful, I know), I think it would be a wise decision for someone in the core team or the community to write an admin module for this purpose, to be released with DNN 5.0 that can be installed, but is not installed by default.

Re: Removing the Administrator ability to upload skins

What's going to happen if you upgrade an installation where all the skins are admin-uploaded? Are they going to break?

Re: Removing the Administrator ability to upload skins

Ad it isn't possible to have
\Portals\0\Skins|SkinName
I must to install it on the portal directory?
rmartin