How safe is dotnetnuke?

New Post
12/19/2007 3:26 PM
 

Hi all,
I am pretty new to DNN. It looks really good but the following thought worries me a bit.
I have read that, in DNN:
1.) we can create multiple portals, all of which point to the same database.
2.) the database user role will have the rights of db_datawriter, db_ddladmin etc... so a user basically has access to tamper with the data of all the tables in that database (even those of other portals).

Does it mean that a single misbehaving module in any one portal has the capability to bring all other unrelated DNN portals down?? How do DNN hosting providers typically provide protection from such a scenario?

Thanks in advance,
Bharadwaaj.
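
A way to check the role membership this question describes, as an added example that is not part of the original post or of DNN itself. It assumes SQL Server 2005 or later (catalog views) and is run inside the DNN database; `dnn_app_user` is a hypothetical placeholder for the user named in your connection string.

```sql
-- Added example: list the database roles held by the DNN connection-string user.
-- 'dnn_app_user' is a hypothetical placeholder, not a name used by DNN.
DECLARE @app_user sysname;
SET @app_user = N'dnn_app_user';

SELECT
    m.name AS database_user,
    r.name AS role_name,
    CASE r.name
        WHEN 'db_owner'         THEN 'full control of the database'
        WHEN 'db_ddladmin'      THEN 'can create, alter and drop any object'
        WHEN 'db_datawriter'    THEN 'can insert, update and delete in every user table'
        WHEN 'db_datareader'    THEN 'can read every user table'
        WHEN 'db_securityadmin' THEN 'can manage permissions and role membership'
        ELSE 'custom or other role: review its grants'
    END AS effect
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
    ON r.principal_id = drm.role_principal_id   -- the role
JOIN sys.database_principals AS m
    ON m.principal_id = drm.member_principal_id -- the member of that role
WHERE m.name = @app_user
ORDER BY r.name;
```

Because every portal shares the one database, each role returned applies to the tables of all portals, not only the portal whose module issued the query.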

 

 

 

 
New Post
12/19/2007 4:30 PM
 

Yes, therefore use modules from trusted sources only.


Cheers from Germany,
Sebastian Leupold

New Post
12/19/2007 5:54 PM
 

Bharadwaaj wrote

Does it mean that a single misbehaving module in any one portal has the capability to bring all other unrelated DNN portals down?? How do DNN hosting providers typically provide protection from such a scenario?

Modules can of course only be installed with the superuser/host account. Individual portal administrators can't do this. I spend the vast majority of my DNN time assessing and testing modules for use in my multiportal system so the risk is my own to deal with. If you follow the forums and DNN scene closely, dubious module security will be the least of your worries.

That said, I also believe that there is a massive hole in DNN security when anyone at all could come into these forums, offer a cool freebie module and within a day possibly hundreds of people would install it. And it could very easily be sending all account details and passwords out to someone with a nasty plan...or it could simply destroy the portals.

It's pretty much like running Windows with no firewall, no patches, no anti-virus, no anti-spyware, everything enabled and then going out on the web and installing just about anything you come across and crossing your fingers that everything will be ok.

Now, just sit back and watch some enterprising chap make a module like that.

Rob

 
New Post
12/20/2007 6:57 AM
 

ROBAX wrote

 


That said, I also believe that there is a massive hole in DNN security when anyone at all could come into these forums, offer a cool freebie module and within a day possibly hundreds of people would install it. And it could very easily be sending all account details and passwords out to someone with a nasty plan...or it could simply destroy the portals.

Shocking!!!....to say the least... What's the use of having such an elaborate framework without minimum security considerations?? I definitely have second thoughts now about hosting my site using DNN...

 
New Post
12/20/2007 11:02 AM
 

---It's pretty much like running windows with no firewall, no patches, no anti-virus, no anti-spyware, everything enabled and then going out on the web and installing just about anything you come across and crossing your fingers that everything will be ok.---

In all fairness, the DNN framework can't really be expected to protect everyone against doing damage to themselves by not practicing "Safe Installing". The ASP.Net framework and your hosting server most likely do sandbox you into your own environment so that if someone on the same server installs whatever they can get their hands on then you should still be protected.

The same openness that looks like a giant security hole can actually be viewed from the other side as a positive. If anyone were to do something that was damaging as described then you can bet that people would know about it in very short order.

That being said, I do think that people should be warned about giving admins access to upload skins. This is a place where trust can be delegated too easily with all the same consequences as a bad module, but people don't think of skins the same as modules.

http://www.snapsis.com/DNN-Tips-And-Tricks/tabid/560/forumid/12/postid/5242/view/topic/Warning--Allowing-portal-admins-to-do.aspx

As Sebastian mentioned earlier, it's all about trust and risk. And this is the same if you are installing some cool shareware game on your computer, or if you are installing a module.
As an end user you must balance the Trust you give with the Risk you are taking.

 

