Published: Jan 19, 2011
Version: 1.0
Maximum Severity Rating: Critical Background
As DotNetNuke modules contain code which is ran on the server, to both install and uninstall modules is a host (superuser) only operation. Issue Summary
A poor design pattern in the validation code meant that it was possible for potential hackers to access both the install and uninstall functions via a user who did not have host permissions. Once accessed these functions allowed for the uninstalling of modules, or installation of modules. Whilst the modules would then fail to install fully due to user file permissions, it was possible to access the failed installation and hence run code. Mitigating factors
Sites that have the viewstate encrypted are protected against accessing failed user uploads.
Affected DotNetNuke versions
Non-Affected Versions:
Fix(s) for issue
To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.6.1 at time of writing)
Acknowledgments
Daniël Niggebrugge
Security Policy
Click here to read more details on the DotNetnuke Security Policy