Dotnetnuke integration file storage security risk?

Last post 11-20-2007, 10:35 AM by Global-e. 8 replies.
  •  10-26-2007, 7:32 AM 34636

    Dotnetnuke integration file storage security risk?

    Hello Adam,
     
    We have been using CuteEditor as the HTML editor in Dotnetnuke for a while.
    For the first time we have a large project in which file storage security is a very important issue.
    Thus our customer uses "Secure - file system" and "Secure - database" directories for their files, to prevent unauthorized users from downloading those files by full URL path, and also sets "Read/Write" access on the directories. This works very well: Dotnetnuke changes the file extension to *.resource when you choose "Secure - file system", and of course stores the file as a BLOB when you choose "Secure - database". So their files are secured from internet users and/or different departments in the organization.
     
    But now we have some serious problems with the Cute editor:
    1. When you upload any files with the Cute editor, it always ignores the DNN "Write" permission on the directory.
    2. When you upload files to "Secure - file system", it ignores it totally. Of course the editor sets a file prefix (like members_xxxxxx.doc, adam_xxxxxx.doc) to prevent different users from seeing the files. But those smart users (actually anyone) can still download those files, which is very risky for our customer.
    3. In the Cute editor you will never see any secured files because of the .resource extension (let's keep it simple and not even mention the files in DNN database storage). That means you will never be able to make any hyperlink to any documents/files.

    Can you give us some advice and ideas about these issues? Or does the DNN integration not support any secure file storage at all? Should users not upload any files with the Cute editor, or should we develop some workarounds?

    Thanks in advance.

  •  10-26-2007, 10:59 AM 34644 in reply to 34636

    Re: Dotnetnuke integration file storage security risk?

    >>"Secure - file system and Secure - database"
     
    Is this a new feature of DNN? Which version of DNN are you using?
     
    >>When you uploads any files with the Cute editor, it always ignores the DNN "Write" permission on the directory.

    Can you explain this ignore part in more details?
     
    >>In the Cute editor you will never see any secured files because of the .resource extention
    asp.net Chat http://cutesoft.net/ASP.NET+Chat/default.aspx
    Web Messenger: http://cutesoft.net/Web-Messenger/default.aspx
    asp.net wysiwyg editor: http://cutesoft.net/ASP.NET+WYSIWYG+Editor/default.aspx
    asp wysiwyg html editor: http://cutesoft.net/ASP
    asp.net Image Gallery: http://cutesoft.net/ASP.NET+Image+Gallery/default.aspx
    Live Support: http://cutesoft.net/live-support/default.aspx

  •  10-26-2007, 3:33 PM 34655 in reply to 34644

    Re: Dotnetnuke integration file storage security risk?

    We are using DNN 4.4 and 4.6 on different servers now.
    I have known these functions since we used DNN 4.1+, I think that is about a year now. You can define those directories in the File Manager.
     
    The DNN "Secure - file system" folder is a very nice function. When you upload a file to one of those folders, it adds ".resource" to the end of the filename: xxxxxxx.jpg.resource. But this way you will not be able to download it by URL anymore. DNN uses a hyperlink like http://www.dotnetnuke.com/LinkClick.aspx?fileticket=zQLQFicpRnM%3d&tabid=36 to push the file to the client. DNN can also check whether the user has permission to download the file. "Secure - database" works similarly, except that the files are saved to the database instead of the normal file system.
     
    Since you can put View and/or Write permissions on the folder for different user groups and single users, this helps administrators configure the security settings easily. This works amazingly well and flexibly.
     
    But this causes serious security problems in DNN, because when you upload anything with the Cute editor to DNN, you will see all those secured folders and are able to upload any files even if you don't have any read/write permission on the folder. Besides, as I mentioned before, all files uploaded by Cute Editor don't have the ".resource" extension, thus the files are not safe from any smart users using full URL path access.
     
    This will not help much even if you can see them in the Cute Editor, because DNN (actually the .Net handler) simply does not serve the file to the client. When you make a hyperlink, it should be translated to something like "...LinkClick.aspx?fileticket=zQLQFicpRnM"
     
     
    Maybe it's interesting for you to know that since DNN 4.5 they changed their HTML provider partner to FckEditor. Therefore DNN used FreeTextEditor. I think you know FckEditor too, Adam, right? Because of the problems I did some research today; I switched back to this default FckHTML DNN provider on our development server. I was really surprised that they have already implemented a good integration. See the next images:
     
    As far as I can see, FckEditor even re-uses the standard controls and components to make this work.
    I hope I didn't give you too much detail and information, Adam.
    We have used Cute editor for a couple of years now and we still love it! I hope we can find solutions/workarounds to our problems and make a better DNN integration together. Tell me if I can help.
     
    Thank you for all your effort!
  •  10-30-2007, 2:29 PM 34719 in reply to 34644

    Re: Dotnetnuke integration file storage security risk?

    Any progress on these DNN integration issues? Do you need more information about DNN?
  •  11-05-2007, 5:44 AM 34815 in reply to 34644

    Re: Dotnetnuke integration file storage security risk?

    Dear Adam,
     
    Can you give me a reply on these security leak issues?
    Even if your team decides not to fix these security problems in the DNN integration, at least we can see whether we have to develop custom dialogs for inserting images, links and files etc.
     
    Thanks for the effort.
  •  11-08-2007, 6:04 AM 34902 in reply to 34644

    Re: Dotnetnuke integration file storage security risk?

    Can I have a reply on my question please?
    Our project development team is still waiting....
  •  11-12-2007, 12:34 PM 34998 in reply to 34644

    Re: Dotnetnuke integration file storage security risk?

    Adam,
     
    Since you don't (or don't want to) give a reply on these security issues with the DNN integration, I assume your team doesn't "have time" to check out these security problems. So we will try to find another solution.
    Just be fair and inform new users on your DNN integration website that there are still some serious security problems, so people know the pros and cons before they choose to replace the standard DNN HTML editor.
    I will post these problems on the Dotnetnuke forum; maybe the DNN core members or other DNN users can help us with these issues.
     
  •  11-16-2007, 2:39 PM 35167 in reply to 34719

    Re: Dotnetnuke integration file storage security risk?

    There is no file storage security risk. Even if you use this system of DNN, experienced developers can still download your images.
     
    If you really like this file storage system, just create your own dialog and call the dnn internal code.


  •  11-20-2007, 10:35 AM 35240 in reply to 35167

    Re: Dotnetnuke integration file storage security risk?

    Adam:
    >>There is no file storage security risk. Even if you use this system of DNN, experienced developers can still download your images.
     
    >>If you really like this file storage system, just create your own dialog and call the dnn internal code.
     
    First thank you for the response!
     
    Sorry Adam, there really are some file storage security issues with the Cute editor DNN integration. Some other DNN users have already mentioned those issues too. We have run multiple tests to check out all possible scenarios. I really wonder how even experienced developers can download image files with the file extension ".resource"?? Even when you know the exact URL of the images, you will still get an access denied error. I thought the .Net framework protects .dll, .resx, .resource, .vb, .cs files etc. from downloading.
     
    No hard feelings man, we do like your editor. On 1 of our live servers we have 1 DNN installation with more than 70 portals and Cute editor works great. But the Cute Editor DNN integration really needs some improvements/fixes:
    • improvement: each DNN portal should have a separate configuration file, since 1 DNN installation can have an unlimited number of portals. Mostly each portal has its own requirements.
    • security fix: Users shouldn't see the secured DNN folders and files in any Cute Editor dialogs if they don't have Read access rights.
    • security fix: Users shouldn't be able to upload files to a secured DNN folder if they don't have Write access to the folder.
    • security fix: When a user uploads files (no matter what kind of files) to a secured DNN folder, it should rename the extension to ".resource", so no one can download the files directly.
    • security fix: When a user creates a link to a file in a secured DNN folder, Cute Editor should then create a special hyperlink as I mentioned.
    By the way, our R&D team started to develop our own dialogs to fix these issues last week. They are close to finishing the last details now, so we can replace the dialogs at the end of this week. Please re-check the issues I mentioned when you have more time; maybe you can improve the DNN integration in future releases.
    Thank you for your time.
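The rules the thread asks the editor dialogs to honour (Read gating of the folder list, Write gating of uploads, the ".resource" rename and the LinkClick-style link from the earlier post), modelled as an added example; this is not DNN's or CuteEditor's code, and the folder/role model, the ticket encoding and the link format are assumptions. The last function is a defender's audit that lists files which reached a secure folder without the rename, the condition the first post describes.

```python
"""Model of the DNN secure-folder rules the thread asks CuteEditor to honour.

Added illustration, not DNN's or CuteEditor's own code. The folder/role model,
the ticket encoding and the link shape are assumptions chosen to mirror the
thread; real DNN issues its own opaque 'fileticket' through LinkClick.aspx.
"""
import base64
from dataclasses import dataclass, field

SECURE_FS = "Secure - file system"
STANDARD_FS = "Standard - file system"

@dataclass
class Folder:
    path: str
    storage: str                               # STANDARD_FS or SECURE_FS
    read_roles: set = field(default_factory=set)
    write_roles: set = field(default_factory=set)
    files: list = field(default_factory=list)  # names as stored on disk

def visible_folders(folders, roles):
    """Dialog listing: hide every folder the user has no Read right on."""
    return [f.path for f in folders if f.read_roles & roles]

def upload(folder, roles, filename):
    """Enforce Write; in a secure folder store the file as '<name>.resource'."""
    if not (folder.write_roles & roles):
        raise PermissionError(f"no Write permission on {folder.path}")
    stored = filename + ".resource" if folder.storage == SECURE_FS else filename
    folder.files.append(stored)
    return stored

def link_for(folder, stored_name, roles, tabid=36):
    """Secure files are linked through LinkClick.aspx, never by direct path."""
    if not (folder.read_roles & roles):
        raise PermissionError(f"no Read permission on {folder.path}")
    if folder.storage != SECURE_FS:
        return f"/{folder.path}/{stored_name}"
    # Constructed stand-in for DNN's ticket: just the path, base64-encoded.
    ticket = base64.urlsafe_b64encode(f"{folder.path}/{stored_name}".encode()).decode()
    return f"/LinkClick.aspx?fileticket={ticket}&tabid={tabid}"

def unprotected_files(folder):
    """Audit check: files in a secure folder that bypassed the '.resource' rename."""
    if folder.storage != SECURE_FS:
        return []
    return [n for n in folder.files if not n.endswith(".resource")]
```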