Security Bulletin no.2


Vulnerability in DotNetNuke could allow access to user profile details

Published: August 02, 2006

Version: 1.0

Maximum Severity Rating: Critical

Background

For the 3.3.3/4.3.3 releases of DotNetNuke, the membership/roles/provider components were significantly overhauled to allow better granularity of control, and to allow us to make a number of enhancements.

Issue Summary

During the process of rewriting the code to extend the Profile component, an authorization issue was introduced that could allow a user (including anonymous users) to access another user's profile.
Due to the seriousness of this issue, further details are not available. Users of 3.3.3/4.3.3 are recommended to upgrade to 3.3.4/4.3.4.

Mitigating factors

N/A

Affected DotNetNuke versions

  • 3.3.0, 3.3.1, 3.3.2, 3.3.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3

Non-Affected Versions:

  • All other versions

Fix(es) for issue

To fix this problem, it is recommended that you update to the latest version of DotNetNuke (3.3.4/4.3.4 at time of writing).

Acknowledgments

DotNetNuke thanks the following for working with us to help protect users:

  • Steinar Svendsen

Security Policy


More details are available in the DotNetNuke Security Policy.

 

