Subject: Security

Author Messages
Andre Teixeira
Posts:10
Silver Member

07/28/2006 4:08 AM  
I received this post in our forums related to Personal Gallery. I installed the trial version to see how it works for us. It has worked pretty well so far but people seem to like it more when they have control of their page completely to add modules and stuff. My concern was always security related to this. I am not a hacker though and since my tests showed that it seemed pretty safe I did allow users to have edit rights to their page.

One user posted this...
----
PS, an easy post script made from PHP can be added into the personal site and if the server is adjusted so, a person can upload this script into the personal site, use a form to upload a file or just rewrite a current file using the form. By putting the location as something like "../../../../../../../index.html", you could remove the mainpage. Or "../../../controls/SolpartMenu/spmenu.js" remove the top menu and replace the code with.. let's say "document.write("H4X0R3D")".


Obviously just an illustration of the possibilities. But if I was compelled I could have done so.


Also, not sure yet, but this site might also be vulnerable to SSI
----

Should I be concerned about this at all?  I know the individual just completely made his page blank (even losing the edit header on top).  But having access to the Edit of this page does it allow a hacker an opportunity to mess up the entire site?

Thanks for your response. 'Cause if there is a risk, maybe I will go back to just allowing access to certain modules I insert in the page and no edit rights to their own page.
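The overwrite described in the quoted post depends on an upload handler accepting a client-supplied location containing `../`. As an added example (not part of the thread and not DNN or Personal Gallery code), the C# sketch below canonicalizes the requested name and rejects anything that leaves the user's own folder or is not on a media allow-list; the folder layout, class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;

static class UploadPathCheck
{
    // Assumption: media-only allow-list; server-executed types (.php, .aspx, .shtml) are absent.
    static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    // Returns the canonical target path if it stays inside userRoot and has an
    // allowed extension; otherwise returns null.
    public static string ResolveUpload(string userRoot, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName)) return null;

        // Canonical root with one trailing separator, so "pg_alice" cannot
        // prefix-match a sibling folder such as "pg_alice2".
        string root = Path.GetFullPath(userRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;

        // Path.Combine returns requestedName unchanged when it is rooted, so the
        // containment check has to run on the canonical result, not on the input.
        string candidate = Path.GetFullPath(Path.Combine(root, requestedName));

        // OrdinalIgnoreCase assumes a case-insensitive file system (Windows/IIS).
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

        string ext = Path.GetExtension(candidate).ToLowerInvariant();
        return AllowedExtensions.Contains(ext) ? candidate : null;
    }

    static void Main()
    {
        // Hypothetical per-user folder; the names below are constructed samples,
        // two of them taken from the quoted post.
        string root = Path.Combine(Path.GetTempPath(), "Portals", "0", "pg_alice");
        string[] samples = {
            "holiday.jpg",
            "albums/2006/beach.jpg",
            "../../../../../../../index.html",
            "../../../controls/SolpartMenu/spmenu.js",
            "../pg_alice2/photo.jpg",
            "upload.php",
        };
        foreach (string s in samples)
        {
            string resolved = ResolveUpload(root, s);
            Console.WriteLine("{0,-42} {1}", s, resolved == null ? "REJECTED" : "ok -> " + resolved);
        }
    }
}
```

Only the first two sample names resolve; the traversal strings, the sibling-folder name and the script upload are rejected.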
Pengtsen R
Posts:5179


07/28/2006 10:55 AM  
I think it is more likely to be a DNN-related security issue: once you enable your visitors to upload files, you are at this risk (if it is a risk).

However, I think you can grant page ownership to the creators without giving them the permission to upload files. Just configure folder permissions in your File Manager to allow authorized users to upload files only. Do you think it will be safe in this situation?

Thanks.

Pengtsen R
http://www.bizmodules.net
Andre Teixeira
Posts:10
Silver Member

07/28/2006 12:06 PM  
I think it is safe but I just don't know. Currently the user who was playing with it and posted that comment does not have access to upload files to the site. Let's see if he can come up with a way to do more damage. If I find something I will post here.
Pengtsen R
Posts:5179


07/28/2006 1:23 PM  
Ok, good.

Pengtsen R
http://www.bizmodules.net
Andre Teixeira
Posts:10
Silver Member

08/02/2006 9:17 AM  
http://www.davebuckner.com/Default.aspx?tabid=56

I think I found what I was looking for to complement the Personal Gallery.

What concerned me about the Personal Gallery was the ability of users to add any module. When you are customizing a site and use modules to change logins, registration, etc., and also have pages which are more secure than the role creating a new Personal Gallery page, you don't get secure about certain modules being able to be used in Personal Gallery. I like the ability of allowing individuals to create their own page and use any modules, but we must use some caution.

The link above is for TRTControlPanel which allows us to set permissions of modules by role.

I am testing it now.  Will post here once it is all working well.  But looks good so far.  I recommend it if you are going to allow full access to the page.  Cause I restricted all the more damaging modules.  :)
Andre Teixeira
Posts:10
Silver Member

08/02/2006 1:24 PM  

Pengtsen,

I have tested it and the TRTControlPanel-1.5.0.0.zip should be a MUST download for anyone getting Personal Gallery with the intent of allowing users "full" access to their own page.

With TRTControl I set Registered users to only be able to use certain modules. Even though Personal Gallery creates a new role like PG_username, the Registered role (which applies to everyone) then limits them to only the generic modules which don't pose a security risk or don't mess up your other pages.

So please use the link above to download this module.  I am using DNN 4.02 and it is working great.

I would recommend the following functionality improvements for Personal Gallery:

1.  When the Personal Gallery is set to Allow Tab Ownership, the EDIT field on permissions for the page should auto check the PG_username who created it.  Many users are leaving this on ALL Users and everyone is able to edit their page.
2.  You should incorporate the TRT tool into Personal Gallery so we could limit the modules they can put on their page. I also prevented them from Adding, Deleting, and Copying pages. Just left them with Settings and Preview on Page Functions.
3.  Somehow set a limit per page of new pages.  Currently, the menu item where the Personal Gallery is gets super full with new pages.  So I have to manually move them.  It would be nice to set a limit of pages or a way to auto create a sub structure so the menu list does not go too long.

Thanks for the module.  Since I am done with testing.  I am buying the product now.

The trial was really worth it.  Not allowing me to test it may have kept me from buying this module.  But now I am a customer.

thank you.

 

Andre Teixeira
Posts:10
Silver Member

08/02/2006 1:25 PM  
Sorry for the bold. I did not notice that and can't edit the post. :(
Pengtsen R
Posts:5179


08/04/2006 4:54 PM  
It doesn't matter, I removed the bold by copying it to notepad and then pasting it again.

And thanks for your suggestions, they have been recorded and I'll consider them in the future.

Thanks.

Pengtsen R
http://www.bizmodules.net
Enterprise level DotNetNuke Solutions Copyright © 2005-2008 BizModules