Module uninstalls and security best practices

During the DotNetNuke Review process, one item that we look for is whether a module can be completely uninstalled using either automated or manual procedures (assuming the manual steps are documented).  Uninstallation will be viewed by some users as a measure of quality.  In addition, failing to properly remove a module poses a potential security risk for many sites.

One key identifier for malware is that it makes itself difficult, if not impossible, to uninstall.  Any software which resists attempts at removal presents a problem for users and administrators, and doing so is a generally frowned-upon practice.  One of the primary goals of the Review Program is to help improve the overall quality of modules available to users (this includes both actual and perceived quality).  We feel that not hampering users' ability to remove the module is a key part of meeting this goal.

More important than the quality issue, however, is the issue of security.  Imagine that a user installs your module and later decides to remove it.  You subsequently discover a vulnerability in your module and distribute information to your user community on how to patch your module to correct the problem.  What should an administrator do if they have previously uninstalled your module?  What if this administrator is not the one who did the initial installation/uninstallation?  The odds are pretty good that an administrator who believes that a module has been uninstalled will ignore your security bulletin (how many administrators that have your module installed ignore your security bulletins?  My bet is that it is a much larger number than you think).  So under certain circumstances, it is possible that not properly uninstalling a module could leave you open to hackers.

So where does that leave us?  I believe that this requires action by both the DotNetNuke team and module developers.  Currently, DotNetNuke attempts to execute the uninstall script and delete the module folders when a module is deleted from the Module Definitions screen.  However, in some cases the uninstall script may fail or the directories are not properly removed.  It is also possible that a module might create additional directories in other parts of the system that are not detected by DotNetNuke.  We need to make the uninstallation more robust so that it provides information about what steps were taken during uninstallation, and which steps were not completed due to errors in the process.  We also need to provide some APIs that allow the portal to keep track of what changes a module is making to directories.

The solution must also include action by the module developer community.  Module developers should include instructions for completely removing a module.  This should include all files, folders and database objects.  While DotNetNuke will continue to improve in this area, it is unlikely that the framework will ever be more knowledgeable of your module than you, the developer.  You have intimate knowledge of the directories that are created and of the stored procedures and tables that are created or altered.  By providing manual uninstallation procedures you tell your users that you are a responsible developer and increase the perception of quality in your company and your products.
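One way an administrator or module developer can check what an uninstall actually left on disk is to snapshot the site folder before installation and compare it with the folder after uninstallation. The following is an added example, not DotNetNuke code or part of the original post: the folder layout and file names are constructed, and it covers files and folders only, not database objects.

```python
import hashlib
import os
import shutil
import tempfile

def snapshot(root):
    """Map every directory and file under root to a marker or a SHA-256 digest."""
    state = {}
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        for name in dirs:
            state[prefix + name + "/"] = "<dir>"
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                state[prefix + name] = hashlib.sha256(fh.read()).hexdigest()
    return state

def uninstall_residue(before, after):
    """Diff a pre-install snapshot against a post-uninstall snapshot."""
    return {
        "left_behind": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in before if p in after and after[p] != before[p]),
        "missing": sorted(p for p in before if p not in after),
    }

def write(site, rel, text):
    path = os.path.join(site, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed site (hypothetical paths) where the uninstall is incomplete."""
    with tempfile.TemporaryDirectory() as site:
        write(site, "web.config", "<configuration/>")
        write(site, "modules/Core/View.ascx", "core view")
        before = snapshot(site)
        # Install: module folder, an assembly, a folder elsewhere, a config edit.
        write(site, "modules/Example/View.ascx", "example view")
        write(site, "bin/Example.dll", "module code")
        write(site, "uploads/example-cache/data.bin", "cache")
        write(site, "web.config", "<configuration><!-- Example --></configuration>")
        # Uninstall removes only the module's own folder.
        shutil.rmtree(os.path.join(site, "modules", "Example"))
        return uninstall_residue(before, snapshot(site))

if __name__ == "__main__":
    print(demo())
```

Anything reported under `left_behind` or `modified` is code or configuration that still needs patching or manual removal, which is exactly the list a developer's uninstall instructions should cover.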
