DNN Community Forums > General Discussions > 3rd party developers and data security
New Post
10/4/2009 3:35 AM
 

I really would have thought there'd be some sort of standard on dealing with secure info that developers strictly follow... at least a minimum that's expected.

Just came across the second developer that's storing email passwords in clear text in the database, no encryption whatsoever.

A couple of weeks ago I found that OnyakTech with its NukeA*lert and Axon modules had email passwords stored like this in the database with no protection whatsoever. I understand this was fixed recently though once it was pointed out to them.

I've now just discovered Catalook is in the same boat... with SMTP passwords for the store settings just stored openly in the table.

Is this sort of thing generally accepted?

I'm not really an experienced programmer or anything, but taking a look at these tables I was surprised that I could so easily see passwords for all users and email accounts using any of these modules. Maybe it's normal to do this, but if I need a developer to have access to DNN and SQL it most certainly doesn't mean I want them to have open access to all email accounts too!

 
New Post
10/5/2009 3:45 AM
 

David,

I understand what you are trying to achieve, but in this case there is no fault of the module developers - they are following DNN core, which stores SMTP settings unencrypted in host settings (which usually should be used by modules as well instead of providing specific settings, unless there is a valid use case).

Is this a security risk? It depends on your point of view. Encrypting view state would protect against the sysadmin, who has direct access to the database - but only if he doesn't have access to web.config as well to get the encryption key. According to our security team, in nearly all cases anyone with db access does have access to web server files as well, which means encryption does not provide extra security, but limits options for tests or manual modifications, if needed. Encryption wouldn't provide extra security against malicious DNN modules either, because they always have access to the unencrypted data in business objects, when loaded.

Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts | German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
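As an added illustration of the trade-off Sebastian describes (example code, not DNN's own code and not from anyone in this thread): a hypothetical helper that protects a setting value with a key that lives neither in the database nor in web.config, because the Windows Data Protection API (DPAPI) manages it for the machine. The table then holds only an opaque blob, which defeats a reader of a database dump, but any code running inside the web application on that server can still recover the plaintext when the setting is loaded. Assumes Windows and, on .NET Framework, a reference to System.Security.dll.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not part of DNN: protects a host or module setting before it is
// written to the settings table. The key never appears in web.config or in the database;
// DPAPI keeps it for the local machine account.
public static class SettingProtector
{
    // Extra entropy binds the blob to this purpose, so a DPAPI blob produced for another
    // setting or application cannot simply be swapped in. Constructed value for this example.
    private static readonly byte[] Purpose = Encoding.UTF8.GetBytes("HostSettings:SMTPPassword");

    // Returns the base64 string that would be stored in the setting value column.
    public static string Protect(string plaintext)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Purpose, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(blob);
    }

    // Called when the application loads the setting. Any process on this web server,
    // including a malicious module loaded into the site, can do the same: this only
    // protects against someone who has the database but not the web server.
    public static string Unprotect(string stored)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(stored), Purpose, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        string password = "example-smtp-secret"; // constructed sample value, not a real credential
        string stored = Protect(password);

        // What a reader of the database table sees: an opaque DPAPI blob, not the password.
        Console.WriteLine("Stored setting value: " + stored);

        // What the web application (or any module it loads) sees after loading the setting.
        Console.WriteLine("Recovered by the web app: " + Unprotect(stored));
    }
}
```

Unlike a key kept in web.config, the DPAPI key cannot be copied out of the site's files, so the blob is useless on another machine; a backup restored elsewhere will not decrypt either, which is the "limits options for tests or manual modifications" cost mentioned above.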
 
New Post
10/5/2009 5:37 AM
 

Hi Sebastian

All points that do make perfect sense, and much as the guys at Catalook said.

For me it's not so much the malicious side but more to prevent the temptation when placed in front of people so easily... like locking cash in a box in an office as opposed to just floating in drawers - people are usually only bad when the temptation is too easy.

Something I just need to consider and start switching around email accounts and passwords, as I don't want these so easily visible.

Cheers

 
New Post
10/7/2009 10:43 AM
 

Hi David,

For what it's worth, this is an issue I'm looking at; I would like to see encrypted and hashed profile properties (and likely by extension host and module settings) with externally-managed keys. This has increased relevancy with PCI compliance issues. It's at the top of my list, but I don't expect to get to it until late this year (if not later).

Brandon


Brandon Haynes
BrandonHaynes.org
 
New Post
10/7/2009 12:20 PM
 

Brandon, great news. In addition, since many modules may save sensitive data as well (custom SMTP credentials, PayPal merchant accounts), moduleSettings and tabmoduleSettings should be included as well.


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts | German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 