Re: Dotnetnuke integration file storage security risk?

  •  10-26-2007, 3:33 PM

    Re: Dotnetnuke integration file storage security risk?

    We are using DNN 4.4 and 4.6 on different servers now.
    I have known these functions since we used DNN 4.1+; I think that is about a year now. You can define those directories in File Manager.
     
    DNN's "Secure - file system" folder is a very nice function. When you upload a file to those folders, it adds ".resource" to the end of the filename: xxxxxxx.jpg.resource. But this way you will not be able to download it by URL anymore. DNN uses a hyperlink like http://www.dotnetnuke.com/LinkClick.aspx?fileticket=zQLQFicpRnM%3d&tabid=36 to push the file to the client. DNN can also check if the user has permission to download the file. "Secure - database" works similarly, except the files are saved to the database instead of the normal file system.
     
    Since you can put View and/or Write permissions on the folder for different user groups and single users, this helps administrators configure the security settings easily. This works amazingly well and is flexible.
     
    But this causes serious security problems in DNN, because when you upload anything with the Cute Editor to DNN, you will see all those secured folders and are able to upload any files even if you don't have any read/write permission on the folder. Besides, as I mentioned before, all files uploaded by Cute Editor don't have the ".resource" extension, thus the files are not safe from any smart users using full URL path access.
     
    This will not help much even if you can see them in the Cute Editor, because DNN (actually the .NET handler) simply does not serve the file to the client. When you make a hyperlink, it should be translated to something like "...LinkClick.aspx?fileticket=zQLQFicpRnM"
     
     
    Maybe it's interesting for you to know that since DNN 4.5 they changed their HTML provider partner to FckEditor. Therefore DNN used FreeTextEditor. I think you know FckEditor too, Adam, right? Because of the problems I did some research today; I switched back to this default FckHTML DNN provider on our development server. I was really surprised that they have already implemented a good integration. See the next images:
     
    As I can see, FckEditor even re-uses the standard controls and components to make this work.
    I hope I didn't give you too much detail and information, Adam.
    We have used Cute Editor for a couple of years now and we still love it! I hope we can find solutions/workarounds to our problems and make a better DNN integration together. Tell me if I can help.
     
    Thank you for all your effort!
     
     
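An added audit helper illustrating the check an administrator would want after reading the post above (example code, not DNN's or Cute Editor's own): it walks the folders a portal has configured as "Secure - file system" and reports files stored without the ".resource" suffix, which are fetchable by their direct URL instead of through the permission-checked LinkClick.aspx handler. The secure-folder list and the sample portal tree are constructed assumptions; in practice the list comes from File Manager's folder settings.

```python
import tempfile
from pathlib import Path

# DNN appends this suffix to files stored in "Secure - file system" folders.
SECURE_SUFFIX = ".resource"


def find_unprotected(portal_root, secure_folders):
    """Return sorted portal-relative paths of files inside the given secure
    folders that lack the .resource suffix (i.e. reachable by direct URL).

    portal_root:    filesystem path of the portal home (e.g. .../Portals/0)
    secure_folders: portal-relative folder paths configured as secure
                    (assumed to be read from File Manager; constructed here)
    """
    root = Path(portal_root)
    exposed = []
    for folder in secure_folders:
        base = root / folder
        if not base.is_dir():
            continue  # folder configured but not present on disk; skip
        for path in base.rglob("*"):
            if path.is_file() and path.suffix.lower() != SECURE_SUFFIX:
                exposed.append(path.relative_to(root).as_posix())
    return sorted(exposed)


def build_demo_portal(tmpdir):
    """Construct a sample portal tree: one file stored correctly through
    File Manager, one dropped in by an external editor without the suffix,
    and one ordinary file in a non-secure folder (should not be reported)."""
    root = Path(tmpdir) / "Portals" / "0"
    secure = root / "Secure"
    secure.mkdir(parents=True)
    (secure / "contract.pdf.resource").write_bytes(b"%PDF-1.4 sample")
    (secure / "photo.jpg").write_bytes(b"\xff\xd8\xff sample")
    (root / "Images").mkdir()
    (root / "Images" / "logo.png").write_bytes(b"\x89PNG sample")
    return root


def demo_scan():
    """Build the constructed portal tree and audit its one secure folder."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_unprotected(build_demo_portal(tmp), ["Secure"])


if __name__ == "__main__":
    for rel in demo_scan():
        print(f"exposed by direct URL: /Portals/0/{rel}")
```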