This is a migrated thread and some comments may be shown as answers.

Possible Security Risk?

Joshua asked on 17 Sep 2010, 08:30 PM
The text editor in DNN may exploit a security risk.

If the editor is placed on a page, say for a registered user updating their profile's bio, the Image Manager, Document Manager, etc. give the user access to the portal root, where they can delete, upload, and rename images, docs, etc., along with looking at the directory structure. They could easily, through the Doc Manager, add a link in their bio to a restricted document and, once the bio is saved, click on the link to download the file.

The managers need to be disabled or localized to the logged-in user's directory (/Portals/PortalId/Users/UserId/UserId).

Thanks,
Joshua
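
The scoping rule requested in the post above, shown as an added example that is not part of the original thread and is not DNN or Telerik code: a server-side check that a path requested through a file manager stays inside the user's own folder. The class and method names are hypothetical, and the folder layout is assumed from the pattern given in the post.

```csharp
using System;
using System.Collections.Generic;

public static class UserFolderScope
{
    // Assumed layout, taken from the post: /Portals/{PortalId}/Users/{UserId}/{UserId}
    public static string RootFor(int portalId, int userId) =>
        $"/Portals/{portalId}/Users/{userId}/{userId}";

    // Collapse ".", ".." and backslashes. Returns null if the path climbs above "/".
    // Callers should URL-decode the input before passing it in.
    public static string Normalize(string virtualPath)
    {
        if (string.IsNullOrEmpty(virtualPath)) return null;
        var stack = new List<string>();
        foreach (var seg in virtualPath.Replace('\\', '/').Split('/'))
        {
            if (seg.Length == 0 || seg == ".") continue;
            if (seg == "..")
            {
                if (stack.Count == 0) return null;
                stack.RemoveAt(stack.Count - 1);
            }
            else stack.Add(seg);
        }
        return "/" + string.Join("/", stack);
    }

    // True only for the user's root itself or something beneath it.
    // The trailing "/" stops Users/12/12 from matching Users/12/123.
    public static bool IsInsideUserRoot(string requested, int portalId, int userId)
    {
        var root = RootFor(portalId, userId);
        var path = Normalize(requested);
        if (path == null) return false;
        return path.Equals(root, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(root + "/", StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample requests for portal 0, user 12.
        foreach (var p in new[] { "/Portals/0/Users/12/12/bio.jpg",
            "/Portals/0/Users/12/12/../../13/13/cv.doc",
            "/Portals/0/Users/12/123/x.png", "/Portals/0/Secure/report.pdf" })
            Console.WriteLine($"{p} -> {IsInsideUserRoot(p, 0, 12)}");
    }
}
```

The same check has to run when the saved link is later requested for download, not only when the manager dialog lists or uploads files.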

Dobromir
Telerik team
answered on 23 Sep 2010, 07:39 AM
Hi Joshua,

Please note that version 5.4 of DNN uses the Professional provider of RadEditor, which is an implementation of the DNN developers and is not supported by Telerik.

Our suggestion is to post your question in the DNN forums at http://www.dotnetnuke.com/tabid/795/default.aspx and ask the DNN support for help. This article could also be helpful: Taming (customizing) The new Telerik RadEditor.

Kind regards,
Dobromir
the Telerik team