DNN Forums


Penetration Test Finding.

New Around Here
The latest penetration test has flagged that the user profiles are easily predictable: when viewing our own profile it is at

http://mysite.com/activit...eed/UserId/[User Id]

They are worried that, because the IDs are numerical and sequential, you can simply use a different user ID than your own and view that user's profile, etc.

Is there a setting that implements using non-sequential numbers or a GUID?
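A defender-side check for the enumeration pattern the question describes, added here as an example (it is not code from this thread or from DNN): it scans constructed IIS-style access-log lines and flags clients that request many distinct `/UserId/<n>` profile paths within a short window. The log layout and the `/UserId/<n>` segment are assumptions based on the truncated URL above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of IIS-style access-log lines: date time client-ip path.
SAMPLE_LOG = """\
2024-01-10 10:00:01 10.0.0.5 /activityfeed/UserId/42
2024-01-10 10:00:03 10.0.0.5 /activityfeed/UserId/43
2024-01-10 10:00:05 10.0.0.5 /activityfeed/UserId/44
2024-01-10 10:00:07 10.0.0.5 /activityfeed/UserId/45
2024-01-10 10:00:09 10.0.0.5 /activityfeed/UserId/46
2024-01-10 10:00:11 10.0.0.5 /activityfeed/UserId/47
2024-01-10 10:00:30 10.0.0.9 /activityfeed/UserId/42
2024-01-10 10:05:00 10.0.0.9 /Default.aspx
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")
# Assumed path shape: the profile / activity-feed URL carries a /UserId/<n> segment.
USERID_RE = re.compile(r"/UserId/(\d+)", re.IGNORECASE)

def parse_profile_hits(log_text):
    """Yield (timestamp, client_ip, user_id) for every profile request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, path = m.groups()
        u = USERID_RE.search(path)
        if u:
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, int(u.group(1))

def find_enumerators(log_text, window_s=60, min_ids=5):
    """Return {client_ip: sorted distinct UserIds} for clients that requested at
    least min_ids distinct profiles within any window_s-second span."""
    hits = defaultdict(list)
    for ts, ip, uid in parse_profile_hits(log_text):
        hits[ip].append((ts, uid))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Sliding window anchored at each request, in time order.
        for i in range(len(events)):
            ids = {uid for ts, uid in events[i:] if (ts - events[i][0]).total_seconds() <= window_s}
            if len(ids) >= min_ids:
                flagged[ip] = sorted({uid for _, uid in events})
                break
    return flagged
```

Running `find_enumerators(SAMPLE_LOG)` on the constructed sample flags only 10.0.0.5, which walked six consecutive UserIds in ten seconds; the single lookup from 10.0.0.9 is below the threshold.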
Veteran Member
Jacqui,

There was indeed a problem with this, but it was solved a while ago.

Everything I found was two entries in the Security Center (2019-05 and 2017-05). So the best solution would be to upgrade to a recent version (9.4.4), if possible.

Issue 2017-05 was fixed for version 7.1.2 and higher by a patch that was provided. See here for more information. This was finally fixed in DNN 09.00.02.

Changing the way the UserId is seeded or using a GUID is not a recommended way; that goes deeply into the core of the system.

Happy DNNing!
Michael

Michael Tobisch
DNN★MVP

dnnWerk Austria
DNN Connect
New Around Here
Thanks.
We are on 9.2 so will try and upgrade to 9.4.
I'll let you know how it goes, and thanks again :)
New Around Here
Have to install .NET 4.7 first.
Can you tell me how upgrading sorts out the issue, or exactly what it is that upgrading changes, so I can report back on my penetration test issue report please?