
Invenmanager User Forum

Security Bug - Categories
Last Post 05 Feb 2010 02:57 AM by Lance Prager. 0 Replies.
Lance Prager
New Member
Posts:86

05 Feb 2010 02:57 AM  
There are two bugs with categories that are a breach of security in the system. Here is how to reproduce the problem:

- Create a category named PRIVATE that is for Administrators only.
- Create an event for only the category PRIVATE.

Next:

- Install a Satellite Module with the following View Options:
- Show all events for the period specified
- Display category drop down list

PROBLEM 1: The PRIVATE category will display in the drop down list.

Even though the satellite module will not display the event, showing the names of the protected categories is a security violation.

I know there is a workaround for this (which is to select the categories to display); however, the workaround does not apply when there are multiple levels of categories assigned to different roles, or when new categories are added.


Next:

- Install a Flash Module

PROBLEM 2: The flash module will display the event for the PRIVATE category. It completely ignores the role based security.


Problem 1 was identified months ago and needs to be fixed. It is of the highest priority in order for the satellite module to be secure. Problem 2 makes the Flash module useless in a system which has any private events.

Your speedy attention to these important security issues would be appreciated.

Thank You
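
The two problems reported above, modelled as an added example (not part of the original post and not Invenmanager's code): one role filter feeds both the category drop-down and every event view, and a regression check flags any view that renders more than that filter allows. All names, the sample data, and the "all categories must be visible" rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    title: str
    categories: frozenset  # names of the categories the event belongs to

# Constructed sample data following the post's reproduction steps.
CATEGORY_ROLES = {                      # category name -> roles allowed to view it
    "PUBLIC": {"All Users"},
    "PRIVATE": {"Administrators"},
}
EVENTS = [
    Event("Open house", frozenset({"PUBLIC"})),
    Event("Board meeting", frozenset({"PRIVATE"})),
]

def visible_categories(user_roles):
    """Single source of truth: categories this viewer's roles may see."""
    roles = set(user_roles)
    return {name for name, allowed in CATEGORY_ROLES.items() if allowed & roles}

def category_dropdown(user_roles):
    """Problem 1: build the drop-down from the filtered set, not from all categories."""
    return sorted(visible_categories(user_roles))

def events_for_view(user_roles):
    """Problem 2: every view goes through this filter.
    Assumption: an event is shown only if all of its categories are visible."""
    allowed = visible_categories(user_roles)
    return [e.title for e in EVENTS if e.categories <= allowed]

def unfiltered_feed(user_roles):
    """Models the reported behaviour: the viewer's roles are never consulted."""
    return [e.title for e in EVENTS]

def leaked(rendered_titles, user_roles):
    """Regression check: titles a view rendered that the viewer may not see."""
    return sorted(set(rendered_titles) - set(events_for_view(user_roles)))

if __name__ == "__main__":
    viewer = {"All Users"}
    print(category_dropdown(viewer))
    print(leaked(unfiltered_feed(viewer), viewer))
    print(leaked(events_for_view(viewer), viewer))
```

Because the drop-down is derived from the same filtered set, newly added or nested categories are covered without maintaining a per-module list of categories to display.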