OMG someone hacked my website and got all the user credentials!
Last Post 12-08-2011 05:34 AM by Robb Bryn. 2 Replies.
Robb Bryn (going with the flow, Posts: 74)
12-07-2011 12:15 PM

"Someone just hacked my website... they have all the usernames and passwords for the entire website... I'm so screwed!"

OK, now that I have your attention... why oh why does the export function of this module drop a plain text file into the portal root with potentially exposed usernames/passwords in plain text?

I just hit a client's site to find that all the files they ever exported are in the portal root... of course they never deleted the file after they "clicked here" to download it.

Of course... no one could guess the file name, right? They would never find it to download it? Well... there is this editor, see... and they have to be able to upload files and such... they can see it... and download it... and get the admin user/password (as well as their evil co-workers' user/pass).

Can we *pretty please* get a module setting that at least lets us direct WHERE the export file goes... maybe we can at least exert some security on that folder. It would be even better if we could just email the file (zipped of course, sent in S/MIME) and it never leaves a trace on the server itself.

Holding my breath on this one, trying to prevent a disaster.

Chad Nash (Posts: 5260)
12-07-2011 05:59 PM
Hi Robb,

Thank you for the post and info... Generally, if there ever is a security concern, we usually request that it's directed directly to us instead of making a big announcement about it... but... In this case, yes, the files are uniquely named with a filename that is (generally speaking) considered to be secure enough of a name that nobody could ever replicate/duplicate that name.

Now... I can understand your concern though, and we will review adding this to future versions or patches. Possibly an optional feature to choose either the map path or choose the sub folder under the main root path.

Thanks,

Chad
Robb Bryn (going with the flow, Posts: 74)
12-08-2011 05:34 AM

Normally I'd agree with you. But this isn't a real case where the product is insecure... It's not the product that is insecure, it's the usage that is insecure. It also needs to be public knowledge as a warning to all those folks that have and use the product to clean up the files that it deposits... and think before exporting the passwords.

I'm just as shocked as the Fortune 500 company that I found this on, that the developer that put this module in didn't train the user using it to be a little more careful.

As DataSprings, you just need to give the users of this module a more foolproof way to protect themselves. You give us the hammer to pound the nail, but we need a little guard over our thumbs so we don't hit ourselves and do permanent damage.
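A defender-side check for the leftover export files Robb describes, as an added example that is not part of this thread or of the Data Springs module: it walks a portal root and flags any delimited text file whose header row carries both a username and a password column, optionally only those older than a given age. The export format (a header row with Username/Password columns), the file name and the Portals/0 layout are assumptions; the sample tree is constructed inline and contains no real credentials.

```python
"""Audit a DNN portal root for leftover plaintext credential exports."""
import csv
import os
import tempfile
import time
from pathlib import Path

# Assumption: an export is a delimited text file with a header row naming
# these columns (the thread only says "plain text file" with user/pass).
CREDENTIAL_COLUMNS = {"username", "password"}


def is_credential_export(path: Path) -> bool:
    """True if the first line is a header with both a username and a
    password column (case-insensitive); unreadable files are skipped."""
    try:
        with path.open(newline="", encoding="utf-8", errors="ignore") as fh:
            header = next(csv.reader(fh), [])
    except (OSError, csv.Error):
        return False
    names = {h.strip().lower() for h in header}
    return CREDENTIAL_COLUMNS.issubset(names)


def find_credential_exports(portal_root: Path, max_age_days=None):
    """Return sorted paths under portal_root that look like credential
    exports; with max_age_days set, only files older than that many days."""
    hits, now = [], time.time()
    for dirpath, _dirs, files in os.walk(portal_root):
        for name in files:
            p = Path(dirpath) / name
            if not is_credential_export(p):
                continue
            age_days = (now - p.stat().st_mtime) / 86400
            if max_age_days is None or age_days > max_age_days:
                hits.append(p)
    return sorted(hits)


def build_sample_portal() -> Path:
    """Constructed throwaway portal root: one forgotten export in the root
    plus two harmless files (sample data, not real credentials)."""
    root = Path(tempfile.mkdtemp(prefix="portal_"))
    (root / "Portals" / "0").mkdir(parents=True)
    (root / "export_users_20111207.txt").write_text(
        "Username,Password,Email\nadmin,Example!123,admin@example.test\n")
    (root / "Portals" / "0" / "readme.txt").write_text("Site notes\n")
    (root / "Portals" / "0" / "members.csv").write_text(
        "Username,Email\nbob,bob@example.test\n")
    return root


if __name__ == "__main__":
    for hit in find_credential_exports(build_sample_portal()):
        print("leftover credential export:", hit)
```

Point the walk at the real portal root (and any other folder the editor role can browse) to find exports that were downloaded but never deleted.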

    Copyright 2005 - 2011 by Data Springs, Inc.