
How safe is dotnetnuke?

12/20/2007 11:05 AM
 

The key is really in the point that Sebastian made before.

As the site owner it is your responsibility to test the modules to ensure that they meet your needs, and that they don't have an impact on any other systems.  With the nature of DNN it would be VERY hard for the DNN core to "restrict" access to the database tables and other items.  Are there items that might require a bit more consideration, yes, but overall if you take just an ounce of prevention you will be just fine.

As for the ability for a developer to cause issues with a simple module, yes, this is fully possible, but this again is a key reason why you want to go with some form of "trusted" module developer.  Now, the key question really becomes who do you consider trusted.  I would assume that many people find commercial products trustable, and I hope that people find modules by myself and other active participants in the community as trustable, but that is something that as a module developer you have to take into consideration.  You have to set some standard on how you do your business.

One thing I look at is support options.  All modules that are available on my site are free modules, yet I provide free support for ANY issues that come up.  I have forums for each individual product and I actively respond to any and ALL questions.  I would be leery of installing a module from a developer that has NO support method, even more so if they don't have a contact e-mail address or something.


-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
 
12/20/2007 5:56 PM
 

Bharadwaaj wrote:

ROBAX wrote:
That said, I also believe that there is a massive hole in DNN security when anyone at all could come into these forums, offer a cool freebie module and within a day possibly hundreds of people would install it. And it could very easily be sending all account details and passwords out to someone with a nasty plan...or it could simply destroy the portals.

Shocking!!!....to say the least... What's the use of having such an elaborate framework without minimum security considerations?? I definitely have second thoughts now about hosting my site now using DNN...

I most definitely meant to shock.. but not to put anyone off (well I did mean to put people off who simply can't manage the tasks involved). Every application framework is pretty much the same... hence the comparison with Windows. You'll also face the same issue with every framework you download off the internet... the risk is all yours. The main difference with Windows itself is that the end user experience includes a well-communicated awareness of threats. The end-user experience here in the DNN scene does not.

People are simply expected to be aware and be smart, yet a lot of people who wander in here might have a lot more trust than they have the technical ability to assess the risks.

All it really needs is appropriate communication in the right place. There seemed to be enough motivation to squeeze an entire module purchasing process into the framework... how about someone in the core also put a notice in there about the potential risks, and a link to a document with some mitigation tactics. It's not hard... but I also know that there's no box in DNN Corp for that task. (I never tire of sniping at DNN Corp's comms ;))

So, don't be put off... just know that it's not as simple as running around installing anything you find... same as you wouldn't do that on your own PC.

You have to create the security considerations, and that's just part of the challenge.

Rob

 
12/21/2007 11:55 AM
 

This is an issue we have dealt with over and over again.  Someone has a site with many portals and they install a bad module and it brings down the entire install.  It really comes down to a business model that allows you to make money off your product but also mitigate the risk of downtime and lost data.  It's not always an error that causes the problems, sometimes a portal grows (in popularity or functionality) to the extent that it needs to be its own install;  ripping a portal from an install is not a friendly undertaking to say the least.  When you have, say, 20 portals in one installation, you have created a single point of failure for potentially 20 different clients.  This just can't be seen as best practices for a company focused on the DNN platform.  Portals are a very handy tool that gives DotNetNuke a lot of power and functionality, but it is up to the implementor to use best practices and prudence when managing a multi-portal installation.  We have noticed that multi-portal functionality has been misused by many people in the community so Tony Valenti and I actually addressed this in an interview with DNNCreative Magazine and in a white paper on our web site.  By the way, it's not all bad, we did hit on some of the good ways to use portals as well.

DotNetNuke for Vertical Solutions Providers

DNN Creative Podcast Interview

 
12/26/2007 9:19 AM
 

Bharadwaaj wrote:

ROBAX wrote:
That said, I also believe that there is a massive hole in DNN security when anyone at all could come into these forums, offer a cool freebie module and within a day possibly hundreds of people would install it. And it could very easily be sending all account details and passwords out to someone with a nasty plan...or it could simply destroy the portals.

Shocking!!!....to say the least... What's the use of having such an elaborate framework without minimum security considerations?? I definitely have second thoughts now about hosting my site now using DNN...

Even more shocking -- People can use a computer to connect to the internet and CHOOSE to install a new program loaded with a virus or a trojan!  They can even choose to leave their sleeping laptops at airports, logged into their company's network.  Or to give out passwords for network access to anyone who calls on the phone!   Or leave the keys in the ignition, with the engine on and the doors unlocked, while they run into the store!  You better have definite second thoughts about owning anything, with the shocking ability to leave physical property unsecured!  Probably shouldn't go outside, or talk to anyone, you might be convinced to give money away!!!

If you are unable or unwilling to take responsibility for securing and protecting your installations, portals and sites, please do not choose DNN.  Nobody needs a news story linking DNN to an idiot administrator getting his sites breached.

Jeff

 
12/28/2007 10:49 PM
 

Jeff Cochran wrote:

Bharadwaaj wrote:

ROBAX wrote:
That said, I also believe that there is a massive hole in DNN security when anyone at all could come into these forums, offer a cool freebie module and within a day possibly hundreds of people would install it. And it could very easily be sending all account details and passwords out to someone with a nasty plan...or it could simply destroy the portals.

Shocking!!!....to say the least... What's the use of having such an elaborate framework without minimum security considerations?? I definitely have second thoughts now about hosting my site now using DNN...

Even more shocking -- People can use a computer to connect to the internet and CHOOSE to install a new program loaded with a virus or a trojan!  They can even choose to leave their sleeping laptops at airports, logged into their company's network.  Or to give out passwords for network access to anyone who calls on the phone!   Or leave the keys in the ignition, with the engine on and the doors unlocked, while they run into the store!  You better have definite second thoughts about owning anything, with the shocking ability to leave physical property unsecured!  Probably shouldn't go outside, or talk to anyone, you might be convinced to give money away!!!

If you are unable or unwilling to take responsibility for securing and protecting your installations, portals and sites, please do not choose DNN.  Nobody needs a news story linking DNN to an idiot administrator getting his sites breached.

Jeff

Thank you for posting...you match my sentiments exactly.  I was wary of hitting the 'enter' key as that's linked to one of my 'macros' for ebay...which is linked to my paypal which is linked to my bank account, but I thought what the heck :)

Jerry

 