Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

DotNetNuke Security Vulnerability
New Post
3/9/2008 12:25 PM
 

I have seen a security vulnerability. Here is the case.

The site has two portals. You can register the same name that exists in the first portal in the second portal without any error. Now log in to the second portal with the newly registered name, go to the profile page, and you can access the complete profile of the same user who exists in the first portal.

 

 

 
New Post
3/9/2008 2:51 PM
 

***moderator reply***

Hello tabletennis,

Normally I would have deleted this post and contacted you via email and asked you to send any suspected security vulnerabilities to the security@dotnetnuke.com email alias, as we discourage public talk about suspected issues (it only causes panic and gives potential hackers an opportunity to exploit real issues before we can arrange an update).

However, in this case this is not a vulnerability. For a number of years now (since the 2.0 release as far as I remember), DotNetNuke has supported the capability of having the same user in multiple portals. As long as the portals are all under the same host (i.e. either a child or parent portal), if you create a user with the exact same username/password combination we allow the existing user to be used as the new member of the portal, i.e. there is only 1 user record, and that userID is used in the two portals. This is purely a convenience, as all other elements are still separated, i.e. my permissions/roles on one portal do not apply to the other. This is behaviour by design and is often used, so is unlikely to ever be changed.

Cathal
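The shared-user design described in the reply above, as an added example that is not part of the original post or DNN's own code: a constructed Python model in which one user record is linked into a second portal only when username and password both match, the profile is shared, and roles stay per portal. The class and method names, the portal names used with it, and the refusal on a password mismatch are assumptions of this model.

```python
import hashlib
import hmac
import os


class Host:
    """Constructed model of one install hosting several portals (not DNN code)."""

    def __init__(self):
        self.users = {}       # username -> the single shared user record
        self.membership = {}  # (user_id, portal) -> roles held on that portal only

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, portal, username, password, profile=None):
        rec = self.users.get(username)
        if rec is None:
            salt = os.urandom(16)
            rec = {"id": len(self.users) + 1, "salt": salt,
                   "digest": self._digest(password, salt),
                   "profile": dict(profile or {})}
            self.users[username] = rec
        elif not hmac.compare_digest(rec["digest"],
                                     self._digest(password, rec["salt"])):
            # Assumption of this model: a mismatched password is refused, so
            # knowing a username alone never links to the existing record.
            raise PermissionError("username exists with different credentials")
        # Same username and password: reuse the record, add a portal membership.
        self.membership.setdefault((rec["id"], portal), {"Registered Users"})
        return rec["id"]

    def grant(self, portal, user_id, role):
        self.membership[(user_id, portal)].add(role)

    def roles(self, portal, user_id):
        return set(self.membership.get((user_id, portal), ()))

    def profile(self, portal, username):
        rec = self.users[username]
        if (rec["id"], portal) not in self.membership:
            raise PermissionError("not a member of this portal")
        return rec["profile"]  # one profile, visible from every linked portal

    def shared_users(self):
        """Audit helper: usernames whose single record spans several portals."""
        spans = {}
        for name, rec in self.users.items():
            portals = sorted(p for (uid, p) in self.membership if uid == rec["id"])
            if len(portals) > 1:
                spans[name] = portals
        return spans
```

`shared_users()` is the check an administrator would run to see which accounts expose one profile across several portals.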


New Post
3/9/2008 11:03 PM
 

I would agree with whatever Cathal said above.

I tried to duplicate the above case with the same user but a different password. In that case, I'm able to register as a new user. As Cathal said, if the user uses the same user name and password that have been used on the first portal to register on the second portal also, then the user is considered as the one that exists on the first portal.

I think the above design is good. However, it is overkill to ask the user in the first portal to register in the second portal also to use both the portals. It should work in reverse also, meaning someone who registers on portal two should be able to log in to portal one also.

 

 

 

 

 

 
New Post
3/10/2008 12:49 AM
 

Not really, tabletennis. That would require that when a user registers for one portal their registration automatically goes to all of the other portals on that install as I see it having to work (there's no way DNN can be sure when a user registered on portal A visits portal B). A couple of my portals have completely different content and target audience. It doesn't make sense that a user that registers on one of my sites to get my DNN modules/AD betas etc. automatically gets registered on a racing sim portal that they have no interest in or are even aware of and vice versa. I'm sure the 3000 users on the sim portal would scream bloody murder if they received an email about a DNN module or newsletter about something on the DNN site (that's just an example, as I don't send them out nor does the admin of the sim site), especially as the URLs have nothing in common.

 
New Post
3/10/2008 9:38 AM
 

OK. I agree. There are portals out there under the same site having different target audiences. In that case, that design is good.

In my case, I have the same audience for both the portals. My first portal is a table tennis community site (http://www.TableTennisNetwork.com), and the second portal is a table tennis store (http://www.TableTennisStore.us).

 

 

 

 