Dotnetnuke integration file storage security risk?

  •  10-26-2007, 7:32 AM

    Hello Adam,

    We have been using CuteEditor as the HTML editor in Dotnetnuke for a while.
    For the first time we have a large project in which file storage security is a very important issue.
    Thus our customer uses "Secure - file system" and "Secure - database" directories for their files, to prevent any unauthorized users from downloading those files by full URL path, and also "Read/Write" access to the directories. This works very well: Dotnetnuke changes the file extension to *.resource when you choose to use "Secure - file system", and of course stores the file as a BLOB when you choose to use "Secure - database". So their files are secured against internet users and/or different departments in the organization.

    But now we have some serious problems with the Cute editor:
    1. When you upload any files with the Cute editor, it always ignores the DNN "Write" permission on the directory.
    2. When you upload files to "Secure - file system", it ignores it totally. Of course the editor sets a file prefix (like members_xxxxxx.doc, adam_xxxxxx.doc) to prevent different users from seeing the files. But those smart users (actually anyone) can still download those files; this is very risky for our customer.
    3. In the Cute editor you will never see any secured files because of the .resource extension (let's keep it simple and not even mention the files in DNN database storage). That means you will never be able to make any hyperlink to any documents/files.

    Can you give us some advice and ideas about these issues? Or does the DNN integration not support any secure file storage at all? Should users not upload any files with the Cute editor, or should we develop some workarounds?

    Thanks in advance.

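An audit for the gap described in point 2 above, as an added example that is not part of the original post or of DNN or CuteEditor: it lists files inside folders meant to be "Secure - file system" that do not carry the .resource extension, which is how files written by the editor would show up on disk. The function names, the folder names and the sample tree are constructed for illustration, and it assumes subfolders of a secure folder are also meant to be secure.

```python
import os
import tempfile

# Extension the post says DNN appends in "Secure - file system" folders.
SECURE_SUFFIX = ".resource"


def find_unprotected(portal_root, secure_folders):
    """Return sorted portal-relative paths of files in the given secure
    folders that lack the .resource suffix (i.e. were not stored by DNN's
    secure storage and keep their original, directly linkable name)."""
    findings = []
    for folder in secure_folders:
        base = os.path.join(portal_root, folder)
        # Assumption: subfolders inherit the "secure" intent of the parent.
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(SECURE_SUFFIX):
                    full = os.path.join(dirpath, name)
                    rel = os.path.relpath(full, portal_root)
                    findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_portal(root):
    """Create a constructed sample tree: one file stored through DNN and
    two written by the editor with its user prefix, plus a public folder."""
    layout = [
        "Contracts/offer.doc.resource",   # stored by DNN secure storage
        "Contracts/members_123456.doc",   # constructed editor upload
        "Contracts/HR/adam_654321.doc",   # constructed editor upload
        "Public/logo.gif",                # not a secure folder, ignored
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")


def demo():
    """Run the audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_portal(root)
        return find_unprotected(root, ["Contracts"])


if __name__ == "__main__":
    for path in demo():
        print("not protected:", path)
```

On a real site, pass the portal's home directory and the folders configured as "Secure - file system"; every path returned is a file to move into DNN's secure storage or out of the web root.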