Subject: Security
Andre Teixeira
Posts:10
Silver Member

07/28/2006 4:08 AM  
I received this post in our forums related to Personal Gallery.  I installed the trial version to see how it works for us.  It has worked pretty well so far, but people seem to like it more when they have control of their page completely to add modules and stuff.  My concern was always security related to this.  I am not a hacker though, and since my tests showed that it seemed pretty safe, I did allow users to have edit rights to their page.

One user posted this...
----
PS, an easy post script made from PHP can be added into the personal site, and if the server is adjusted so, a person can upload this script into the personal site, use a form to upload a file or just rewrite a current file using the form. By putting the location as something like "../../../../../../../index.html", you could remove the main page. Or "../../../controls/SolpartMenu/spmenu.js" to remove the top menu and replace the code with... let's say "document.write("H4X0R3D")".


Obviously just an illustration of the possibilities. But if I was compelled I could have done so.


Also, not sure yet, but this site might also be vulnerable to SSI
----

Should I be concerned about this at all?  I know the individual just completely made his page blank (even losing the edit header on top).  But having access to the Edit of this page does it allow a hacker an opportunity to mess up the entire site?

Thanks for your response.  Because if there is a risk, maybe I will go back to just allowing access to certain modules I insert in the page and no edit rights to their own page.
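As an added illustration, not part of this thread and not BizModules' or DNN's own code (DNN is an ASP.NET application; the upload root and file names below are constructed for the example), this is the server-side containment check that closes the "../../../index.html" style of write the quoted user describes. Whatever folder permissions are configured, the file name a user supplies must never be allowed to choose a location outside that user's own upload folder:

```python
import os
import tempfile


class UnsafeUploadPath(ValueError):
    """Raised when a requested upload name would escape the user's folder."""


def resolve_upload_target(upload_root: str, requested_name: str) -> str:
    """Return the absolute path an upload may be written to, or raise.

    The rule: after separators are normalised and '..' and symlinks are
    resolved, the candidate must still lie strictly inside upload_root.
    """
    if "\x00" in requested_name:
        raise UnsafeUploadPath("null byte in file name")

    # Treat backslashes as separators: a Windows-hosted site accepts both.
    name = requested_name.replace("\\", "/")

    # Absolute paths and drive-letter prefixes are never acceptable as a
    # relative upload name, even if they would happen to land inside root.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeUploadPath("absolute path supplied: %r" % requested_name)

    root = os.path.realpath(upload_root)
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeUploadPath("empty file name")
    candidate = os.path.realpath(os.path.join(root, *parts))

    # realpath has already collapsed '..' and symlinks, so commonpath is a
    # reliable containment test; the root itself is not a valid file target.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadPath("path escapes upload root: %r" % requested_name)
    return candidate


# Constructed sample names: ordinary uploads plus the traversal shapes the
# forum post mentions, in both separator styles.
SAMPLE_NAMES = [
    "photo.jpg",
    "albums/summer/beach.png",
    "albums/../photo2.jpg",                       # '..' that stays inside root
    "../../../../../../../index.html",            # the post's example
    "..\\..\\..\\controls\\SolpartMenu\\spmenu.js",
    "C:\\inetpub\\wwwroot\\web.config",           # absolute path
    ".",
    "",
]


def check_upload_names(upload_root, names):
    """Map each requested name to 'allowed' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            resolve_upload_target(upload_root, name)
            verdicts[name] = "allowed"
        except UnsafeUploadPath:
            verdicts[name] = "rejected"
    return verdicts


def demo():
    # A throwaway directory stands in for a per-user Personal Gallery folder.
    root = tempfile.mkdtemp(prefix="pg_user_")
    return check_upload_names(root, SAMPLE_NAMES)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name!r}")
```

Note that "albums/../photo2.jpg" is accepted: the check is on where the file ends up, not on whether the string contains "..", which is what makes it robust against encoding tricks that a simple substring filter would miss. A module that also lets users pick the upload folder by name needs the same check applied to the folder path.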
Pengtsen R
Posts:4862
Site Administrator


07/28/2006 10:55 AM  
I think it is more likely to be a DNN-related security issue; once you enable your visitors to upload files, you are in this risk (if it is a risk).

However, I think you can grant page ownership to the creators without giving them the permission to upload files.  Just configure folder permissions in your File Manager to allow authorized users to upload files only.  Do you think it will be safe in this situation?

Thanks.

Pengtsen R
http://www.bizmodules.net
Andre Teixeira
Posts:10
Silver Member

07/28/2006 12:06 PM  
I think it is safe but I just don't know.  Currently the user who was playing with it and posted that comment does not have access to upload files to the site.  Let's see if he can come up with a way to do more damage.  If I find something I will post here.
Pengtsen R
Posts:4862
Site Administrator


07/28/2006 1:23 PM  
Ok, good.

Pengtsen R
http://www.bizmodules.net
Andre Teixeira
Posts:10
Silver Member

08/02/2006 9:17 AM  
http://www.davebuckner.com/Default.aspx?tabid=56

I think I found what I was looking for to complement the Personal Gallery.

What concerned me about the Personal Gallery was the ability of users to add any module.  When you are customizing a site and use modules to change logins, registration, etc., and also have pages which are more secure than the role creating a new Personal Gallery page, you don't feel secure about certain modules being able to be used in Personal Gallery.  I like the ability of allowing individuals to create their own page and use any modules, but we must use some caution.

The link above is for TRTControlPanel which allows us to set permissions of modules by role.

I am testing it now.  Will post here once it is all working well.  But looks good so far.  I recommend it if you are going to allow full access to the page, because I restricted all the more damaging modules.  :)
Andre Teixeira
Posts:10
Silver Member

08/02/2006 1:24 PM  

Pengtsen,

I have tested it and the TRTControlPanel-1.5.0.0.zip should be a MUST download for anyone getting Personal Gallery with the intent of allowing users "full" access to their own page.

With TRTControl I set Registered users to only be able to use certain modules.  Even though Personal Gallery creates a new role like PG_username, the Registered role (which applies to everyone) then limits them to only the generic modules which don't pose a security risk or don't mess up your other pages.

So please use the link above to download this module.  I am using DNN 4.02 and it is working great.

I would recommend the following functionality improvements for Personal Gallery:

1.  When the Personal Gallery is set to Allow Tab Ownership, the EDIT field on permissions for the page should auto check the PG_username who created it.  Many users are leaving this on ALL Users and everyone is able to edit their page.
2.  You should incorporate the TRT tool into Personal Gallery so we could limit the modules they can put on their page.  I also prevented them from Adding, Deleting, and Copying pages.  Just left them with Settings and Preview on Page Functions.
3.  Somehow set a limit per page of new pages.  Currently, the menu item where the Personal Gallery is gets super full with new pages.  So I have to manually move them.  It would be nice to set a limit of pages or a way to auto create a sub structure so the menu list does not go too long.

Thanks for the module.  Since I am done with testing.  I am buying the product now.

The trial was really worth it.  Not allowing me to test it may have kept me from buying this module.  But now I am a customer.

thank you.

 

Andre Teixeira
Posts:10
Silver Member

08/02/2006 1:25 PM  
Sorry for the bold.  I did not notice that and can't edit the post. :(
Pengtsen R
Posts:4862
Site Administrator


08/04/2006 4:54 PM  
It doesn't matter, I removed the bold by copying it to Notepad and then pasting it again.

And thanks for your suggestions, they have been recorded and I'll consider them in the future.

Thanks.

Pengtsen R
http://www.bizmodules.net

Copyright © 2005-2008 BizModules