DotNetNuke tutorials, tips and tricks

Friday, August 04, 2006

4.3 and 3.3 - Upgrade ASAP - Vulnerability in DotNetNuke could allow access to user profile details

I found this info on the DotNetNuke site. It recommends that you upgrade to the latest point release for 3.3 and 4.3, as a severe security issue has been found. Details below:

http://dotnetnuke.com/SecurityPolicy/SecurityBulletins/tabid/976/Default.aspx

Published: August 02, 2006

Version: 1.0

Maximum Severity Rating: Critical

Background

For the 3.3.3/4.3.3 releases of DotNetNuke, the membership/roles/provider components were significantly overhauled to allow better granularity of control, and to allow us to make a number of enhancements.

Issue Summary

During the process of rewriting the code to extend the Profile component, an authorization issue was introduced that could allow a user (including anonymous users) to access another user's profile.
Due to the seriousness of this issue, further details are not available; users of 3.3.3/4.3.3 are recommended to upgrade to 3.3.4/4.3.4.

Mitigating factors

N/A

Affected DotNetNuke versions

  • 3.3.0, 3.3.1, 3.3.2, 3.3.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3

Non-Affected Versions:

  • All other versions

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (3.3.4/4.3.4 at time of writing).

