4.3 and 3.3 - Upgrade ASAP - Vulnerability in DotNetNuke could allow access to user profile details
http://dotnetnuke.com/SecurityPolicy/SecurityBulletins/tabid/976/Default.aspx
Published: August 02, 2006
Version: 1.0
Maximum Severity Rating: Critical
Background
For the 3.3.3/4.3.3 releases of DotNetNuke, the membership/roles/provider components were significantly overhauled to allow better granularity of control, and to allow us to make a number of enhancements.
Issue Summary
During the process of rewriting the code to extend the Profile component, an authorization issue was introduced that could allow a user (including anonymous users) to access another user's profile.
Due to the seriousness of this issue, further details are not available. Users of 3.3.3/4.3.3 are recommended to upgrade to 3.3.4/4.3.4.
Mitigating factors
N/A
Affected DotNetNuke versions
- 3.3.0, 3.3.1, 3.3.2, 3.3.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3
Non-Affected Versions:
- All other versions
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (3.3.4/4.3.4 at time of writing).