Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

Continued discussion from Gemini DNN-7134
New Post
3/16/2008 5:11 AM
 

One more annotation: Due to the fact that FTP in general is not a secure protocol, WebDAV is preferable and AFAIK used by most hosting control panels. On a shared portal, granting FTP access is not advisable, for uploads shall only be possible into the portal directory, which is easily accessible via Admin File Manager in DotNetNuke.


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
3/17/2008 3:10 AM
 

What is the "portal directory"? Would that be the equivalent of ~dnn / portals / ( portal # here ) ? 
Access from the File Manager is NOT the same as FTP or WebDAV access. The File Manager will keep people from accessing the 'skins' and 'containers' folders within the portal, but that is about all it will do.
Every portal gets something along the lines of "portals/0", "portals/1", etc... ... if there is FTP access to a portal root (portal 0,1,2,3,etc), there will be a folder called 'skins' and another called 'containers' which the FTP user would have write privileges for, since those folders are sub-folders of the portal. If the user then creates a folder, within the 'skins' or 'containers' folders, that includes a malicious script, that content 'could' be used as a skin regardless of host settings for uploads.

So, maybe skins need to be moved from the file-system to the database. That would give DNN absolute control over which users can upload skins, no?

 
New Post
3/17/2008 5:19 AM
 

Yes, portal directory is ~dnn / portals /[portalID].

AFAIK both Skins and Containers folders show up after a recursive sync, though this may change in the future, but the new installer in DNN5 will handle Skin packages as well and provide install and uninstall.


Cheers from Germany,
Sebastian Leupold

 
New Post
3/17/2008 7:25 AM
 

@abecedarian

The admin can still upload an aspx with which you have almost free access, so moving the skin does not make a lot of difference.
FTP is the problem here, not DNN IMO

 
New Post
3/17/2008 8:33 AM
 

If you're allowing ftp then you're opening a security issue. Regardless of the type of site it's a security issue. The only file access my admins get is limited folder access to select non-important folders. All controlled via DNN's file manager. I had way too many issues with people altering my config files or adding non-DNN pages without telling me.

Now with DNN 5.0 at some point the admin menu will be broken apart, so you can control who has what access. Might help with the skin security piece, 'cause you could give portal admins rights to add pages etc., but no access to upload skins. This should make skin security a decision of the Host. Once the Host has control over skin uploads then it's even less of a security issue, 'cause the host can then force admins to contact them for skin upload. Most admins I have tend to be barely smart enough to manage a few pages on their sites, much less know how to scan an html file for possible malicious code.

If and only if I could block the skin upload would I consider it. Yes I know it's very insecure right now, but that doesn't mean we should make things even less secure. Now once the new security model is in place I say why not?

I would like to see the parser warn the user when it finds an html with scripts in the skin. There has been a bunch of late nights for me and if I have an admin wanting a skin I might miss the script when scanning through the html. If the parser would outline in red any scripts it found though it would save me time and trouble having to scan every html skin I want to upload. I already have to scan ascx files and it's a pain as it is. On a typical week I upload around 20 different skins for my various admins. Right now 99% of them are all html based skins, so it's not too bad.
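
The kind of pre-upload check the last post asks for, as an added example that is not part of the thread or of DNN's skin parser: a Python scan that reports the line of each script element, inline event handler and script URL in an HTML skin. The sample skin, the tag list and all names are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample skin (not from the thread): DNN-style [TOKENS] plus
# three constructs a host would want flagged before installing it.
SAMPLE_SKIN = """<div id="header">[LOGO]</div>
<div id="menu" onmouseover="track(this)">[MENU]</div>
<script src="http://example.invalid/x.js"></script>
<a href="JavaScript:void(0)">[LOGIN]</a>
<div id="content">[CONTENTPANE]</div>
"""

# Elements that load or run active content (assumed list, extend as needed).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class SkinScriptScanner(HTMLParser):
    """Collects (line, tag, reason) for every active-content construct."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _flag(self, tag, reason):
        line, _col = self.getpos()  # position of the tag being handled
        self.findings.append((line, tag, reason))

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self._flag(tag, "active-content element")
        for name, value in attrs:
            # Browsers ignore tabs/newlines inside a URL scheme, so strip
            # all whitespace before comparing ("java\tscript:" still runs).
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self._flag(tag, "inline event handler " + name)
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self._flag(tag, "script URL in " + name)


def scan_skin(html_text):
    """Return the findings for one HTML skin file's text, in file order."""
    scanner = SkinScriptScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings
```

This covers HTML skins only; ascx skins are server-side user controls and still need the manual review the post describes.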

 


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.
