Posted By sypa on 31 Jul 2020 08:19 AM
Posted By Tycho de Waard (SU) on 31 Jul 2020 07:49 AM
I think you can use the DAM (digital asset manager) that is shipped by default. It has a permissions tab which enables you to grant permissions to certain roles.
If you have to grant permissions to roles, then I'm not sure this will work for us, because we want the public to upload files (like application forms) without logging in.
We don't want users logging in to upload. Our site got hacked a few weeks ago (on version 7.4.2 DNN) and we no longer want end users to be able to log in to our CMS (for security reasons). We think hackers might have found a way in via registering as a user, so that's why we don't want users to register for anything on our site.
We are now on DNN 9.6.1.
If you grant permission to the role 'unauthenticated users', people won't have to log in.
Having said that, I can not oversee the possible security issues. In the security settings, you can limit the extensions that are allowed.
The option Mark mentioned might be a safer one, as ActionForm has another option to limit the extensions which applies to just that 1 form instead of the entire website.
Now, for the security: upgrade. You really need to upgrade. If you are on 7, there are no quick fixes. It is not just a few mitigations in the webconfig and you'll be ok for another year. It can be a tough one but take a week for the following:
- create a clone
- remove unused third party modules
- upgrade modules and themes to the latest (check recommendations of the respective vendors)
- if a latest version is more than 2 years old, check if it is compatible with 9.3.2 (in that case, it will probably work in 9.6.2 as well)
- create a backup of this situation
- upgrade to 804
- Fix stuff if needed
- If you have DNN Sharp modules, install NewtonPatch
- Upgrade to 9.3.2
- Test (9.2 deprecated a lot)
- Upgrade to 9.6.2