Cathal Connolly

Security bulletins released–5.6.7/6.1.3

Thu, 02 Feb 2012 16:12:59 GMT

The 5.6.7 and 6.1.3 CE and PE/EE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 6.1.3/5.6.7 Released .

The 5.6.7 release only contains these one security fix (as per our Sunsetted releases policy which can be read here ), which is rated “critical”.

The bulletin for 5.6.7 can be read here:

Non-approved users can access user and role functions – fix for a “Critical” issue

The 6.1.3 release contain two security fixes, one of which was in 5.x and one which was introduced in the 6.x branch.

The bulletins for 6.1.3 can be read here:

Non-approved users can access user and role functions – fix for a “Critical” issue
Radeditor provider function could confirm the existence of a file – fix for a “low” issue

Please note, we had an additional report of another issue shortly after the 6.1.2 release, however that had already been resolved inadvertently by an unrelated bug fix. As such this issue was resolved with the 6.1.0 release (it involved code introduced in the 6.x branch and does not impact 5.x). Whilst no code was changed in the 6.1.3 release we have chosen to publish a bulletin anyway to make users aware of it and to allow us to acknowledge the security researchers who raised the issue.

Potential XSS issue via modal popups

As both 5.6.7 and 6.1.3 contain a “Critical” fix we recommend you upgrade as soon as possible.

If you're new to upgrading I recommend you read the "detailed installation guide" found here , and the excellent blog entry from Erik here . For users who are running 4.6.2 or above, I recommend you read this blog entry which details how to use the upgrade package to easily merge any web.config changes. The wiki also has a guide on upgrading and the video section has a number of free videos on both installing and upgrading.

You can read more details about these issues and our security policy here

Acknowledgements

We would like to thank Brandon Haynes, Ben Zhong, Richard Lundeen of Microsoft and Microsoft Vulnerability Research (MSVR) and Mark Litchfield from NGSSecure for responsibly disclosing the issues to us and allowing us to ensure updated releases were available that resolved them.

More ...

Category: Security

ASP.NET Security Update

Fri, 30 Dec 2011 20:10:47 GMT

On Thursday 29th December 2011 Microsoft released an out-of-band security update to address an issue with asp.net . This is a relatively rare thing as Microsoft typically only releases security updates every 2nd Tuesday of the month (known as “Patch Tuesday”) so it indicates that this is a serious issue that Microsoft does not want to leave available for exploitation for another few weeks. The advisory can be read here and there is additional detail on Scott Guthrie's blog here . Due to the nature of this patch we would recommend DotNetNuke hosts and users consider applying the patch as soon as possible (it was made available via Windows Update last night). Whilst the asp.net patch itself does not appear to require a reboot, the other security patches contained with the release do prompt for a reboot so you may wish to apply the patch at a time that does not inconvenience your users.

More ...

Category: Security

Security bulletins released–5.6.6/6.1.2

Fri, 23 Dec 2011 19:24:04 GMT

The 5.6.6 and 6.1.2 CE and PE versions of DotNetNuke have been released. The 6.1.2 release notes can be read @ DotNetNuke 6.1.2 Released . It contains two security fixes that resolve two “low” items.

The 5.6.6 release only contains these two security fixes (as per our Sunsetted releases policy which can be read here ).

The bulletins for the two items fixed in both releases can be read at:

Please note, these two fixes resolve issues on the lowest part of our scale – they are more theoretical than practical (the first would require someone to have physical access to the users machine and the second would require a site to have insufficient permissions to run), but the best practice would be to upgrade as soon as possible.

You can read more details about these issues and our security policy here

More ...

Category: Security

Security bulletins released – 5.6.4 / 6.1.0

Wed, 02 Nov 2011 23:47:19 GMT

The 5.6.4 and 6.1.0 CE and PE versions of DotNetNuke have been released. The 6.1.0 release notes can be read @ DotNetNuke 6.1.0 Released . It contains two security fixes that resolve one “low” and one “medium” issues.

The 5.6.4 release only contains security fixes (as per our Sunsetted releases policy which can be read here ). The 5.6.4 release also contains 1 outstanding “low” security fix that was resolved in 6.0.2 and has now been back ported to 5.6.4.

The bulletins for the two items fixed in both releases can be read at:

The issue back ported from 6.0.2 to 5.6.4

Incorrect logic in module administration check

Due to the nature of these issues, we recommend you upgrade as soon as possible – however please read the warning paragraph below first as the XSS fix has compromised some functionality that sites may use.

Pre-upgrade warning

To fix one of the issue (the failure to sanitize certain XSS strings), we added additional filtering code that executes when a user saves html content. Whilst the html editor automatically strips JavaScript, some users have used the raw/html views to add script and avoid the automatic deletion of it. Whilst this is a useful (but unintended) feature, unfortunately as there is no reliable way to tell the difference between a “safe” piece of JavaScript and malicious piece of JavaScript (e.g. a cross-site scripting issue) the additional filter will remove all scripts that users entered. If your site uses html modules to add such content (and does not use an alternative such as http://wnsinj.codeplex.com/ ) then you may wish to wait for the 5.6.5/6.1.1 releases to apply this update otherwise when you edit existing html content you will lost your JavaScript.

If you choose to do so, you are recommended to remove the Messaging module from the user profile page to mitigate against the issue.

Acknowledgements

We would like to thank Brian Dukes, USAID and Richard Lundeen of Microsoft & Microsoft Vulnerability Research (MSVR) for their help in identifying these issues.

You can read more details about these issues and our security policy here

More ...

Category: Security

DotNetNuke Extension Catalog

Sun, 17 Jul 2011 15:15:00 GMT

Whilst the out-of-the-box experience with DotNetNuke is pretty good, we all know that it’s with extensions such as skins and modules that the power of the platform comes into play. The ecosystem has created thousands of them and they can be integrated effortlessly like Lego blocks that snap together to build virtually any shape without the need to construct and maintain your own blocks. Whilst experienced DotNetNuke users know the common places to find new extensions such as SnowCovered , the Extension forge and the Announcements forum , for new users it can be a mystery to find new extensions, and for existing users it can be a pain having to search in multiple locations.

A new addition in DotNetNuke 6 is the Extension Catalog, which is designed to be an easy way to discover, download and install new extensions to your site. The Extension Catalog integrates data from the DotNetNuke forge and SnowCovered into one centralised catalog, and adds rich searching (by tag, extension type, vendor and text search across extension name and description) and ordering capabilities (by Name and price -particularly handy for looking for free extensions) . To access the Extension Catalog, Host users just need to go to Host->Extensions and click on the “more extensions tab”. This will display a screen similar to below allowing for users to easily locate the extensions they need, displaying them in a list (with infinite scroll so as you move towards the bottom of the list the Extension Catalog will seamlessly pull in any more records and display them).

As well as locating new extensions, the Extension Catalog has an “instant-on” experience built in. If an extension comes from the Forge, a deploy link will be shown that can be clicked to download and install the extension, all without having to go out to codeplex.com to locate it and no more need to download and then upload the zip file as the Extension Catalog handles all of that for you. If it’s a SnowCovered.com extension then a buy link is displayed which redirects the user to the appropriate snowcovered.com page and add’s the extension automatically to the basket. Once the extension is purchased, you can then go back to the Host extensions screen and click on the “purchased extensions” screen (after you’ve supplied your SnowCovered login credentials) and generate a list of orders you have access to.

At this point it’s possible to download the extension and if the SnowCovered vendor has indicated that it’s deployable (e.g. does not require any additional steps such as extracting zip files from within a zip) then a deploy link appears allowing for friction-free installation.

At the minute there’s only a few hundred extensions listed, but we expect this number to scale up rapidly as forge projects/SnowCovered vendors update their records to make sure they appear on the Extension Catalog. Chris Paterra wrote a blog explaining the additional steps that Forge project owners need to do to get their project listed, and the SnowCovered vendors have all received a mail with the details of what updates they need to make to their products to have them appear. We’re expecting the Extension Catalog to become the de facto place that users search for new extensions so I’m sure you’ll be seeing lots of new extensions getting listed soon.

For anyone who’s interested in seeing it in action, Joe Brinkman created a handy video .

Note: downloading and installation extensions in the traditional way still works as you’d expect, the Extension Catalog is designed to simplify and improve the experience.

More ...

Category: Extension Forge

Category: Marketplace

Security bulletins released

Thu, 07 Jul 2011 01:03:58 GMT

The 5.6.3 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.3 Released . This release contains a fix for two "low" two “medium” and one “critical” security issues.

The bulletins can be read at

We’ve also revised an existing fix as the correct solution was only partially implemented.

Change localized text to stop user enumeration

Due to the critical nature of these issues, we recommend you upgrade as soon as possible. If you're new to upgrading I recommend you read the "detailed installation guide" found here , and the excellent blog entry from Erik here . For users who are running 4.6.2 or above, I recommend you read this blog entry which details how to use the upgrade package to easily merge any web.config changes. The wiki also has a guide on upgrading and the video section has a number of free videos on both installing and upgrading.

Event validation

One additional thing to be aware of is that we’ve set the new default for EnableEventValidation to be true. Event validation is a useful protection that Microsoft added in asp.net 2.0 to protect against injection attacks via altered POST values. Unfortunately it was added very late in the cycle (between RC and RTM) and was effectively a breaking change for sites that used components that did not correctly register that they could invoke postbacks with asp.net. At the time of release, DotNetNuke had a handful of items that did not work correctly with EnableEventValidation set to True (and additional one or two common Ajax frameworks also did not work as expected), so we had to set it to false. Over the past while we’ve made changes to allow DotNetNuke to work correctly, and we took the chance in the 6.0 release cycle to enable it and do thorough testing to catch any invalid calls. This work was back ported to 5.6.3, and the decision was made to update the web.config EnableEventValidation value to True as part of the upgrade to allow all sites to avail of this valuable security protection.

If you have a site that has a component that does not work with EventValidation, you will see an exception similar to this:

Invalid postback or callback argument. Event validation is enabled using in configuration or <%@ page enableeventvalidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

If you see this error you can resolve it by setting EnableEventValidation to false in the web.config. However this is not ideal, as your site will not be availing of the useful functionality. As such we recommend you resolve the issue by reporting the problem to your vendor or by updating your own code – in each case additional code that uses RegisterForEventValidation will need to be added.

Acknowledgements

There are a lot of security fixes in this release, and we would like to thank Andrew Hallmark, Robb Bryn, Simon Meraner, community member “MH”, Laurence Neville for their help in identifying these issues (there were additional reporters of the same issues – but these were first respondents)

You can read more details about these issues and our security policy here

More ...

Category: Security

Security bulletins released

Thu, 20 Jan 2011 21:49:19 GMT

The 5.6.1 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.1 Released . This release contains a fix for two "critical" and five “low” security issues.

The bulletins can be read at

Edit Level Users have Admin rights to modules
Unauthenticated user can install/uninstall modules – Please note, as part of this fix we’ve hardened the code for uploading modules to validate for superusers. In previous versions the installer could theoretically be used by module developers to allow for the installation of extensions/plugins. However as this opened up an ability for non-superusers to install code we’ve had to remove it (existing uploads are fine, this relates to the module installer)
Failure to filter viewstate exception details can lead to reflective xss issue
Remove OS identification code
Add additional checks to core input filter
Change localized text to stop user enumeration
Ensure that profile properties are correctly filtered

Due to the critical nature of two of these issues, we recommend you upgrade as soon as possible.

One additional thing to be aware of is that we’ve set the new default for viewstate to use encryption (asp.net’s default is auto, we’re not forcing it). This is a security best practice, though it does have a small performance impact. We did extensive testing with large viewstates and noted only a small drop in page rendering speed (typically 2-3%). This meant it was fine to set as the new default for new installs, but it wasn’t something we would change for upgrades (in general we have a policy of avoiding trying to make application wide changes on upgrades unless absolutely necessary). We may look to do some work on viewstate in a future version and consider changing this default for upgrades also, but for now I would recommend that existing sites consider making this change (aside from being a best practice, it stops one of the steps necessary to exploit the installing modules critical issue). To do this, sites need to edit the pages node in their web.config and add viewStateEncryptionMode="Always" i.e.

Why so many fixes?

This release has had more security fixes that any previous release, which by some measures is disappointing. However I’d prefer to focus on the fact that these changes have come about because of the hard work on many individuals, including the security team, core team members and community members. In addition two of them came from security researchers, one of whom was hired by a Professional edition customer to perform security audits on the core. This is something we’re seeing more and more, that as DotNetNuke moves up the enterprise stack companies have larger budgets and use a portion of their budget for security auditing. This can only be a good thing for the long term security of the project.

On that note we’d like to thank Brandon Haynes, Scott Willhite, Roger Selwyn, Chris Wood, Rolando from procheckup & Daniël Niggebrugge of Fox-IT BV for their contributions to improving the security of the platform.

You can read more details about these issues and our security policy here

More ...

Category: Security

Wiki update

Tue, 11 Jan 2011 22:34:25 GMT

The DotNetNuke wiki’s up to nearly 200 entries already, with a wide selection of content of interest to many different types of people. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it).

Whilst in the early days we concentrated on documenting lots of technical details such as providers, architecture, development and classes, the wiki also contains lots of content for users of all levels. One of the categories (tag’s) we use is “tips” and this category now has lots of useful information.

To give an idea of the broad range of tips available already, here’s a few examples:

Get involved!

Any logged in user can add and edit wiki pages - Contributors are invited to share content under general guidelines of the Creative Commons Attribution-NonCommercial-ShareAlike license. This is a great way to add useful knowledge that benefits the whole community, and a great way to get noticed, particularly for any community members hoping to get more involved in community teams (or eventually the core team).

You don’t have to be a documentation whizz to edit the wiki, every little bit helps – fixing a typo, altering formatting or adding an appropriate link to an existing page are all welcome.

More ...

Category: Reference

Category: Development

Wiki update

Thu, 25 Nov 2010 23:13:49 GMT

The DotNetNuke wiki continues to grow with more new pages added every week. If you haven’t had a chance to look at it yet, please visit http://wiki.dotnetnuke.com/ (and while you’re there consider adding to it).

We’ve already added lots of much needed documentation, but last week we also posted a note in the forums asking for topics people would like pages drawn up on. We’ll be working on those community suggestions over the next few weeks (feel free to add your own in the blog comments below), but one of the areas we’ve started to tackle was a request for some “Best practices” documentation. It’s still early days for these pages, but there’s already some good information there, so I thought I’d provide some links to them (feel free to add your own best practice notes , we welcome all contributions and they go towards your Community recognition scores).

Get involved!

You don’t have to be a documentation whizz to edit the wiki, every little bit helps – fixing a typo, altering formatting or adding an appropriate link to an existing page are all welcome.

More ...

Category: Community

Category: Reference

Category: Development

Category: Security

Security bulletin released

Thu, 25 Nov 2010 23:05:14 GMT

The 5.6.0 CE and PE versions of DotNetNuke have been released. The release notes can be read @ DotNetNuke 5.6.0 Released . This release contains a fix for one "low" security issue.

The bulletin can be read at

Exception details may leak if logging provider is unavailable (DNN 2010-13-L)

As always we recommend you upgrade as soon as possible.

You can read more details about these issues and our security policy here

More ...

Category: Security