
Any One Can hack host account roles
New Post
10/21/2008 8:44 AM
 

Hello Friends,

   I am developing a small ERP system in DNN, but I have a question after seeing this: anyone can get the host account role with a little knowledge of SQL. In the user table, if anyone updates IsSuperUser=true, then that particular user gets all the rights which were given to host.

That's it....

So can anyone help me to avoid this??

 

Thank You

Regards

Boyzs

 
New Post
10/21/2008 9:20 AM
 

The best way to prevent this is to not give users a way to run SQL statements. If your site is for more advanced users who can run SQL SELECT statements to generate their own reports, then create a separate account for the SQL server that has 'view only' access, so they can't run UPDATE/DELETE/INSERT commands. I'm not a SQL Server expert so I don't know how restrictive a user can be made (such as table level access, etc.).

If your users have the ability to directly modify your database, your site's security is compromised.
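The reply above describes the fix in words: a separate, read-only account for report writers, plus table-level restrictions if SQL Server supports them (it does). The T-SQL below is an added example, not code from the thread or from the DNN project. The database name DNN_ERP, the login name erp_reporting and the password are placeholders, and the table names dbo.Users and dbo.UserRoles are assumptions about the DNN schema.

```sql
-- Added example (not from the thread): a least-privilege reporting account
-- for SQL Server. Placeholders: DNN_ERP, erp_reporting, the password.
USE master;
GO
CREATE LOGIN erp_reporting
    WITH PASSWORD = 'Replace-With-A-Strong-Password-1!', CHECK_POLICY = ON;
GO
USE DNN_ERP;
GO
CREATE USER erp_reporting FOR LOGIN erp_reporting;
GO
-- Database-wide read-only access: db_datareader grants SELECT on every
-- table and nothing else, so INSERT/UPDATE/DELETE are simply not granted.
-- (sp_addrolemember works on SQL Server 2008; ALTER ROLE ... ADD MEMBER
-- is the newer syntax on 2012 and later.)
EXEC sp_addrolemember 'db_datareader', 'erp_reporting';
GO
-- Table-level restriction, answering the "how restrictive" question above:
-- an explicit DENY overrides any GRANT the account later receives through
-- a role, so the security tables stay unreadable and unwritable for it.
-- (dbo.Users / dbo.UserRoles are assumed DNN table names.)
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Users     TO erp_reporting;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.UserRoles TO erp_reporting;
GO
-- Check: what the new principal can do. Expect DENY rows on the two
-- tables and no GRANT of INSERT, UPDATE or DELETE anywhere.
SELECT dp.state_desc,
       dp.permission_name,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions dp
JOIN sys.database_principals pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = 'erp_reporting'
ORDER BY object_name, permission_name;
GO
-- Functional check: run a statement as the reporting user. The UPDATE
-- fails with a permission error and the CATCH block reports it.
EXECUTE AS USER = 'erp_reporting';
BEGIN TRY
    UPDATE dbo.Users SET IsSuperUser = 1 WHERE UserID = -1;  -- must fail
    PRINT 'UNEXPECTED: update succeeded';
END TRY
BEGIN CATCH
    PRINT 'Expected: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
```

The application's own connection string should keep using a different login; the reporting login is the only one handed to people who type SQL, and the DENY on the user and role tables means that even a SELECT over them (which would leak password hashes and role membership) is refused.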

 
New Post
10/21/2008 9:29 AM
 

Hi Boyzs,

The key to application security is in preventing unauthorized users from making such a change.  The DotNetNuke framework already does an excellent job of this.  You can do your part by ensuring that your server is appropriately locked down and that your database is properly permissive.

I suggest reading over the guidelines located here to get started.

Hope this helps!

Brandon


Brandon Haynes
BrandonHaynes.org
 
New Post
10/21/2008 11:01 AM
 

Thanks Brandon

 

    for helping me regarding this. Well, I am running this application as a local intranet ERP system, and DNN is the best in open source. DNN should address this point in Version 5.0 or any other version of DNN, securing DNN SuperUsers.

 

Regards

Boyzs

 
New Post
10/21/2008 11:49 AM
 

Boyzs,

what is your idea? Storing the host assignment in roles would simply require adding an entry to the userroles table, which does not make a difference. I am not aware of a technique to prevent security fraud by anyone who has full access to your database. If an enemy is inside your castle, there is no use in building the walls higher...


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
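Sebastian's point is that a framework cannot defend against someone who already has write access to its database. What a defender can still do is make such a change visible. The T-SQL below is an added example, not code from the thread or from the DNN project: an audit trigger that records every flip of the IsSuperUser flag together with who made it and from where. It assumes DNN's user table is dbo.Users keyed by UserID with a bit column IsSuperUser (an assumption about the schema); the audit table and trigger names are made up here.

```sql
-- Added example (not from the thread). Assumed schema: dbo.Users(UserID,
-- IsSuperUser). SuperUserAudit and trg_Users_SuperUserAudit are invented names.
CREATE TABLE dbo.SuperUserAudit (
    AuditID    INT IDENTITY(1,1) PRIMARY KEY,
    UserID     INT           NOT NULL,
    OldValue   BIT           NULL,            -- NULL for a freshly inserted row
    NewValue   BIT           NULL,
    ChangedBy  NVARCHAR(128) NOT NULL,        -- database user that ran the statement
    LoginName  NVARCHAR(128) NOT NULL,        -- server login behind that user
    HostName   NVARCHAR(128) NULL,            -- client machine name reported by the session
    ProgramName NVARCHAR(128) NULL,           -- e.g. SSMS vs. the web application
    ChangedAt  DATETIME      NOT NULL DEFAULT GETUTCDATE()
);
GO
CREATE TRIGGER dbo.trg_Users_SuperUserAudit
ON dbo.Users
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- Only act when the IsSuperUser column was part of the statement.
    IF NOT UPDATE(IsSuperUser) RETURN;

    INSERT INTO dbo.SuperUserAudit
        (UserID, OldValue, NewValue, ChangedBy, LoginName, HostName, ProgramName)
    SELECT i.UserID,
           d.IsSuperUser,
           i.IsSuperUser,
           USER_NAME(),
           SUSER_SNAME(),
           HOST_NAME(),
           APP_NAME()
    FROM inserted i
    LEFT JOIN deleted d ON d.UserID = i.UserID   -- no match for INSERTs
    WHERE ISNULL(d.IsSuperUser, 0) <> ISNULL(i.IsSuperUser, 0);
END;
GO
-- Review query: every promotion to superuser, newest first. A row whose
-- LoginName or ProgramName is not the web application's own is the case
-- the original post worries about.
SELECT UserID, OldValue, NewValue, ChangedBy, LoginName, HostName,
       ProgramName, ChangedAt
FROM dbo.SuperUserAudit
WHERE NewValue = 1
ORDER BY ChangedAt DESC;
GO
```

The trigger lives in the same database as the data it watches, so someone with full control can disable it or delete its rows; that is exactly Sebastian's castle argument. It still catches the common case (a user with a report login or a borrowed connection string editing one row), and forwarding the audit table to a log store the database accounts cannot write to turns it into evidence that survives a clean-up.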
 

