The latest penetration test has flagged that the user profiles are easily predictable, as when viewing our own profile it is at
http://mysite.com/activit...eed/UserId/[User Id]
They are worried that, because they are numerical and sequential, you can randomly use a different user ID than your own and view that user's profile, etc.
Is there a setting that implements using non-sequential numbers or GUIDs?
Jacqui,
There was indeed a problem with this, but it was solved a while ago.
All I found were two entries in the Security Center (2019-05 and 2017-05). So the best solution would be to upgrade to a recent version (9.4.4), if possible.
Issue 2017-05 was fixed for version 7.1.2 and higher by a patch that was provided; see here for more information. This was finally fixed in DNN 09.00.02.
Changing the way the UserId is seeded or using a GUID is not recommended; that goes deep into the core of the system.
Happy DNNing! Michael
Michael Tobisch, DNN★MVP
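The finding in the question is an insecure direct object reference: the sequential UserId in the URL is fine as a lookup key, but the server must decide whether the authenticated viewer may see that record. The following is an added illustration of that point and is not DNN code or code from either poster; the users, the `profile_public` privacy flag, the `can_view_profile` policy and the two handlers are all constructed for the demonstration.

```python
"""Constructed example: an authorization check, not an unguessable identifier,
is the control for a sequential-id profile endpoint."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    user_id: int                  # sequential, like the UserId in the question's URL
    display_name: str
    profile_public: bool = False  # hypothetical per-user privacy setting
    is_admin: bool = False


# Constructed sample directory keyed by the sequential UserId.
USERS = {
    1: User(1, "admin", profile_public=True, is_admin=True),
    2: User(2, "jacqui", profile_public=False),
    3: User(3, "michael", profile_public=True),
}


class Forbidden(Exception):
    """Raised when the viewer may not see the requested profile."""


def feed_vulnerable(viewer_id: Optional[int], user_id: int) -> str:
    """The flagged behaviour: whatever UserId appears in the URL is served,
    and the identity of the viewer is never consulted."""
    return f"activity feed of {USERS[user_id].display_name}"


def can_view_profile(viewer: Optional[User], target: User) -> bool:
    """Hypothetical policy: the owner and admins always may view; anyone
    else (including anonymous visitors) only if the target opted in."""
    if viewer is not None and (viewer.user_id == target.user_id or viewer.is_admin):
        return True
    return target.profile_public


def feed_hardened(viewer_id: Optional[int], user_id: int) -> str:
    """Same route and same sequential id; the decision to show the record
    is made against the authenticated viewer, so guessing ids gains nothing."""
    target = USERS.get(user_id)
    if target is None:
        # Same response as a denial, so the endpoint does not reveal which ids exist.
        raise Forbidden("profile not available")
    viewer = USERS.get(viewer_id) if viewer_id is not None else None
    if not can_view_profile(viewer, target):
        raise Forbidden("profile not available")
    return f"activity feed of {target.display_name}"


def enumerate_feeds(handler: Callable[[Optional[int], int], str],
                    viewer_id: Optional[int], id_range: Iterable[int]) -> List[int]:
    """Regression check for your own endpoint: walk a range of ids as the
    given viewer and return the ids whose profile the handler revealed."""
    revealed = []
    for uid in id_range:
        try:
            handler(viewer_id, uid)
            revealed.append(uid)
        except (Forbidden, KeyError):
            pass
    return revealed


if __name__ == "__main__":
    # Logged in as user 3, the vulnerable handler exposes every profile;
    # the hardened one exposes only the viewer's own and the public ones.
    print("vulnerable:", enumerate_feeds(feed_vulnerable, 3, range(1, 5)))
    print("hardened:  ", enumerate_feeds(feed_hardened, 3, range(1, 5)))
```

The `enumerate_feeds` helper is the check to run against a staging copy after applying the patch or upgrade the answer recommends: for a non-admin viewer it should return only that viewer's own id plus any profiles that are deliberately public. Swapping the integer for a GUID would not change that result; it only makes the ids harder to guess, while the policy check is what stops a known id from being used.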