Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeDNN Open Source...DNN Open Source...Module ForumsModule ForumsForumForumPosts are trunctaed - XSS problem?Posts are trunctaed - XSS problem?
Previous
 
Next
New Post
4/17/2007 2:15 PM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676

Rodney,

the issue is with the keyword "a l e r t" (minus the spaces - i'll use al3rt as a replacement for the rest of this message so I can explain in more detail)

As I'm sure you know al3rt caused a javascript popup. Whilst this is not inheritantly a security risk, it is commonly used by script kiddies to cause vandalism popups i.e. al3rt('i hacked your site'). In 4.4.1 we added a regular expression to detect and strip these, but I didn't terminate the expression well so it strips all the message after the text al3rt('') or al3rt(""). For 4.5, I changed this so that the text stripping stops at the quote delimiters i.e. " or ' .

One of the issues with the forums was that it was not using the xss filter correctly. The InputFilter expects to scan cleartext, but the forums were htmlencoding the content before passing it to the filter, therefore the xss strings were not being stripped. This was fixed in the 3.20.9 release, and thats why you're seeing this issue.

The problem is that your string href="../../../../../../../../../../../../../HomePoker/PokerAl3ts/tabid/524/Default.aspx">update your preferences</a>"  contains al3rt and " and " . I will amend the regular expression filter to ensure that they're contained with < and > tag's and that should resolve this issue.

Cathal

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
4/17/2007 2:28 PM
 
Rodney Joyce


www.pokerdiy.com
Joined: 4/28/2004
Posts: 2796
Hehe - ok, I see - it was just sods law that every time I tested it I was using the same link (which happened to be the first link!)

Entrepreneur

PokerDIY Tournament Manager - PokerDIY Tournament Manager<
PokerDIY Game Finder - Mobile Apps powered by DNN
PokerDIY - Connecting Poker Players
 
New Post
4/18/2007 12:34 PM
 
Suzanne

Joined: 4/13/2007
Posts: 5

I posted a question last week because the word "a l e r t" appeared to be causing problems with articles I was uploading for a magazine into a repository. I see that the question to the forum couldn't even include the word and I was wondering if it was a problem because "a l e r t", seemed to be a function name. 

"A l e r t" realy was a necessary word to use for the magazine article. It was the name of a feature the writer was describer that his Web site used ...

Are there any other words I need to worry about? And is there a work around for this probem?

 
 
New Post
4/18/2007 1:19 PM
 
y01nk

Joined: 2/3/2006
Posts: 284

SuzanneASNE wrote

Are there any other words I need to worry about?

I am very worried about  the word 'scunthorpe'

*grin*

Seriously though, filtering WORDS in order to filter for SCRIPTS is bound to cause some problems in some instances.

 
 
New Post
4/18/2007 6:01 PM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676

al3rt and javascr1pt: are the only words matched currently (the other regular expressions match tags). I will be amending the al3rt signature to ensure it is only parsed between angle brackets which will fix the issue, except for the rare case such as rodney's where his path contains the text. Long term I plan to break the xss InputFilter out as a provider so that users can add in any search terms they wish, and remove those they don't want.

Cathal

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
 Page 3 of 3
Previous123 
Previous
 
Next
HomeHomeDNN Open Source...DNN Open Source...Module ForumsModule ForumsForumForumPosts are trunctaed - XSS problem?Posts are trunctaed - XSS problem?


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out