catalyst2 community forums  

13-07-2006, 10:21 AM   #1
Registered User
 
Join Date: Nov 2005
Posts: 11
Permission removal for ASP.Net 1.1

I've just read the post under 'current issues' relating to a recent hack on grape and your decision to remove a certain level of scripting access on ASP.Net 1.1.

I have a site affected by this problem and have raised a ticket. However, your suggestion to switch to ASP.Net 2 will not work in my case (and I assume many others').

My site uses Dot Net Nuke v2.1.2 and will not run under ASP.Net 2. This is also the case for early versions of DNN3.

Your decision means that the only solution would be to upgrade to DNN3 (latest version) or DNN4, which would also require an upgrade to SQL Server as MS Access is not supported in DNN3 and 4.

I know of 4 other customers who use DNN2 on your servers (recommended by myself) who are in the same position.

It is unacceptable that you have taken a decision that effectively turns off customers' live websites.

There are thousands of DNN2 sites out there, surely they are not all running insecurely. There must be an alternative to your solution. Please advise.
flash68
13-07-2006, 11:01 AM   #2
Registered User
 
Join Date: Jul 2006
Posts: 1
Another affected User

Yes, please guys, it would really help if you could come up with a workable way forward using DNN2 for us on this! Plus an indication of whether it was a DNN user who caused the bother in the first place. (Don't like to be tarred with the same brush!) Or how about a *nice-priced* offer for the SQL upgrade if we elect to go to DNN3?
PMidg
13-07-2006, 11:26 AM   #3
Administrator
 
Join Date: Oct 2003
Posts: 1,484
I have seen the ticket regarding this and I am looking into solutions. Please be patient.

It was a DNN site that was the source of the original problem. A hacker managed to abuse a security hole that existed in DNN, which in turn allowed him to abuse a security hole in Catalyst2's policy. Due to this we have patched the hole and are in the process of performing a security audit on the .net policies.

Whilst I realise that the additional security is a pain for people who are trying to legitimately use the system, Catalyst2 have made a decision to put security (of both the system/network and other users) 1st. I hope you can understand and appreciate this decision.

At the moment all my time is going to fix any site that has been affected by the new security policy. Unfortunately it appears that DNN is not the only package that has problems. Thus things are taking time. Please be assured we are working on solutions as fast as we can. We want your sites down as little as you do.

If you are having problems (with any .net security issue, not just DNN) please raise a ticket so I know about every site and I can check every site.

Regards

Jason Robbins
__________________
Jason Robbins
jason@catalyst2.com
WhiskyFudge
13-07-2006, 03:17 PM   #4
Registered User
 
Join Date: Nov 2005
Posts: 11
Paul Redpath gave the following response to my ticket...
Unfortunately there is no way to get DNN v2 to run under .net 1.1 in medium trust, I have spent the past few hours trying a few things with no success, I am afraid you will have to upgrade to the latest version.

My response...
Paul, there are thousands of sites running DNN2 - and lots of other companies hosting DNN2. Why has only Catalyst had the problem? Surely with such a large user community, this problem would have come to light before. No other host has reported having a problem to my knowledge.
flash68
13-07-2006, 03:42 PM   #5
Registered User
 
Join Date: Nov 2005
Posts: 11
Paul wrote (in response to my ticket)
It is stated on the DNN forums that it doesn't work with medium trust in v1.1, it does work with some other providers because they provide elevated privileges which caused the issues the other day, we are not able to provide these elevated privileges any more. DNN4 solves these issues and allows it to run in medium trust in .net v2. Once we have completed all our testing we will be asking all DNN users to upgrade to the latest version so as not to cause any problems. I apologise for the inconvenience this has caused you but unfortunately after this week's events we must ensure there are no holes in our security.

My response...
That's all very well but in the meantime I (and others) have no web site. This means more expense as DNN3 and 4 need SQL.
flash68
13-07-2006, 06:56 PM   #6
Software / Web Developer
 
Join Date: Jul 2004
Location: Nottinghamshire, England
Posts: 158
Which privileges are actually needed? It is possible to customise the policy level, so it could be basically medium trust, but with a single extra permission raised. Depending on the permission, that could solve the issue without causing any security holes. The DNN sites could then be allowed to run at this level until such time as they upgrade to a version that can run at medium trust.
__________________
Dave Legg
www.dlpwd.co.uk
DaveLegg
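
One way to review the kind of custom policy level suggested in the post above, as an added example that is not part of the thread or of Catalyst2's configuration: the script compares the "ASP.Net" permission set of a custom trust policy file with a medium-trust baseline and lists every grant that goes beyond it. Both policy fragments are constructed samples, and the ReflectionPermission and UnmanagedCode grants are stand-ins, not the permissions DNN2 needs.

```python
import xml.etree.ElementTree as ET

# Constructed sample: medium-trust style policy, trimmed to the "ASP.Net" set.
BASELINE = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
<NamedPermissionSets>
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
  <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
  <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$"/>
  <IPermission class="SecurityPermission" version="1" Flags="Execution"/>
</PermissionSet>
</NamedPermissionSets>
</PolicyLevel></policy></security></mscorlib></configuration>"""

# Constructed custom level: one new permission plus a widened existing one.
CUSTOM = BASELINE.replace(
    '<IPermission class="SecurityPermission" version="1" Flags="Execution"/>',
    '<IPermission class="SecurityPermission" version="1" Flags="Execution, UnmanagedCode"/>'
    '<IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>')

def asp_net_set(policy_xml):
    """Return {permission class: attributes} for the 'ASP.Net' named set."""
    root = ET.fromstring(policy_xml)
    for pset in root.iter("PermissionSet"):
        if pset.get("Name") == "ASP.Net":
            return {p.get("class"): {k: v for k, v in p.attrib.items()
                                     if k not in ("class", "version")}
                    for p in pset.findall("IPermission")}
    raise ValueError("no ASP.Net permission set found")

def split(value):
    """Split a comma-separated flag list into a set of flag names."""
    return {v.strip() for v in value.split(",") if v.strip()}

def audit(baseline_xml, custom_xml):
    """List every grant in the custom policy that the baseline lacks."""
    base, custom = asp_net_set(baseline_xml), asp_net_set(custom_xml)
    findings = []
    for cls, attrs in sorted(custom.items()):
        if cls not in base:
            findings.append((cls, "new permission", attrs))
            continue
        for key, val in sorted(attrs.items()):
            extra = split(val) - split(base[cls].get(key, ""))
            if extra:
                findings.append((cls, "widened " + key, sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, CUSTOM):
        print(finding)
```

A custom level that really adds only one permission produces exactly one finding; anything more means the policy grants wider access than intended.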
13-07-2006, 07:05 PM   #7
Bring me your problems :p
 
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,536
If anyone can find a document that states how DNN 2 can run under medium trust in .net 1.1 then by all means we will work with that, however everything I can find states that DNN 2 does not work under medium trust at all.

If you do want to upgrade and use SQL, open a ticket and we can offer an incentive on the SQL DB, I am sure.
paulredpath
All times are GMT.