Does FCKeditor have a BadWords.txt file?

DNN Community Forums, FCKeditor provider forum

4/25/2008 10:23 PM
Does FCKeditor have a BadWords.txt file that an admin can add lines to?
When a user hits the Save button... it should check to see if any of the words are listed in the BadWords.txt file.
If there is currently no way to control content, then websites are at risk.

The comment made elsewhere, "Make sure your portal permissions are configured appropriately so that only trusted users can enter content",
is the ostrich putting her head in the sand, and not a suitable solution for DNN websites, either business or hobby.

Thurs Apr 24, 2008
Dept of Homeland Security, UN, and UK's Dept of Civil Service were hacked, among 173,000 others.
and
 
If you do not receive these Security

4/26/2008 6:47 AM

No, FCKEditor does not filter any input; this is the subject of the modules. Forums uses a bad words filter to avoid offending words; besides, modules are advised to filter scripts (there is a core function to be used to do this) and htmlencode any text input from non-admins. Anyhow, this is not connected with the SQL injection mentioned in the articles you linked to, since all modules shall use vulnerable stored procedures to communicate with the database, and at least DNN core and all core modules do this (and this is verified during security review as part of the release tracking process; every core module has to pass before being published or added to the DNN package).


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN

4/26/2008 10:49 AM

Hi Barry,

Sebastian is right (as usual).  Despite the many, many (many!) public DotNetNuke installations out there, with all the myriad configurations, I am aware of only two that have been hit with the nihaorr1 injection.  Both of these are virtually certainly affected via third-party modules and cross-application contamination.  Of those two pathways of infection, the latter is the overwhelmingly more likely to be the cause.

The real moral of the story here: move your weak legacy ASP.NET applications to DotNetNuke, and you no longer have to worry about this particularly insidious injector!

Sebastian: I know you require all-SPs to pass the release process.  However, I recall seeing the use of the EXEC statement in a couple of these SPs (I believe I logged one of them in Gemini).  As this could be a backdoor avenue of infection, have you considered disallowing this particular statement from SPs that go through the release process?

Brandon


Brandon Haynes
BrandonHaynes.org

4/26/2008 11:52 AM

Hi Brandon,

thanks for the applause - but of course, there are a number of posts, where even I had to learn from other experts.

Regarding the release process, all reviews are done by our Security Experts, mainly Cathal, whose Hacker Brain usually detects all common and uncommon scenarios. I am aware that there are SPs using Exec, but most of them need to do so to cover dynamic data structures not processing parameters they have been called with, and AFAIK none of them do get passed user input, which would be the door for SQL injection (if you though have a module where you fear such a risk, please send the information to security@dotnetnuke.com in order to get it checked by our security team, thank you!)

Have a nice WE!


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN

4/26/2008 2:12 PM

Yep -- as my Saturday homework, I just checked, and there are no relevant instances of sp_executesql calls in the core or the common modules that I happen to have installed on my dev machine.  The one instance that I found and logged a while back (http://support.dotnetnuke.com/issue/ViewIssue.aspx?id=5128&PROJID=22) is not a security issue.  I figured you guys already had a procedure in place for such an eventuality.

And of course I meant sp_executesql in my previous post and not EXEC.

Brandon


Brandon Haynes
BrandonHaynes.org
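The EXEC / sp_executesql point raised by Brandon and Sebastian above, as an added T-SQL example that is not code from this thread or from DNN itself: a hypothetical search procedure written two ways, once splicing a caller-supplied value into dynamic SQL (the "door for SQL injection" Sebastian describes) and once passing it as a typed parameter of sp_executesql, followed by the kind of catalog query Brandon's "Saturday homework" amounts to. The table, procedure and column names are assumptions for the example.

```sql
-- Added example (not from the thread or DNN): why dynamic SQL inside a stored
-- procedure only stays safe when caller input travels as a parameter.
-- All object names below are hypothetical.

-- Constructed sample table with one published and one unpublished row.
CREATE TABLE dbo.Example_Items (
    ItemId      INT IDENTITY(1,1) PRIMARY KEY,
    Title       NVARCHAR(200) NOT NULL,
    IsPublished BIT NOT NULL
);
INSERT INTO dbo.Example_Items (Title, IsPublished)
VALUES (N'Public page', 1), (N'Draft page', 0);
GO

-- VULNERABLE: @Search is concatenated into the statement text, so a value
-- containing a quote character becomes part of the SQL instead of the search
-- term, and the IsPublished = 1 restriction can be altered from @Search alone.
-- Using sp_executesql without a parameter list does nothing to prevent this.
CREATE PROCEDURE dbo.Example_SearchItems_Unsafe
    @Search NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ItemId, Title FROM dbo.Example_Items '
             + N'WHERE IsPublished = 1 AND Title LIKE N''%' + @Search + N'%''';
    EXEC sp_executesql @sql;   -- statement text depends on caller input
END
GO

-- HARDENED: the statement text is constant; the value is bound as a typed
-- parameter, so the server never parses it as SQL.
CREATE PROCEDURE dbo.Example_SearchItems
    @Search NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT ItemId, Title FROM dbo.Example_Items '
             + N'WHERE IsPublished = 1 AND Title LIKE @p';
    EXEC sp_executesql @sql,
                       N'@p NVARCHAR(202)',
                       @p = N'%' + @Search + N'%';
END
GO

-- Normal call: both procedures return the single published row.
EXEC dbo.Example_SearchItems_Unsafe @Search = N'Public';
EXEC dbo.Example_SearchItems        @Search = N'Public';

-- Review aid: list procedures whose definition mentions EXEC or sp_executesql
-- so each can be read for concatenated input. Expect dbo.Example_SearchItems
-- and dbo.Example_SearchItems_Unsafe in this sample database.
SELECT OBJECT_SCHEMA_NAME(p.object_id) AS SchemaName, p.name AS ProcedureName
FROM sys.procedures AS p
WHERE OBJECT_DEFINITION(p.object_id) LIKE '%sp_executesql%'
   OR OBJECT_DEFINITION(p.object_id) LIKE '%EXEC%';
```

Two notes for anyone adapting this: the hardened version still treats `%` and `_` inside `@Search` as LIKE wildcards, which is a search-semantics question rather than an injection one (escape them with an ESCAPE clause if exact matching matters), and the catalog query is deliberately broad; it flags every procedure containing the strings, including harmless uses, so it is a reading list for a reviewer, not a verdict.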