New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...SQL Injection Attack or, the big ironySQL Injection Attack or, the big irony
Previous
 
Next
New Post
3/29/2011 1:31 PM
 
No it did not happen to DNN, but you must find the irony kind of funny, see this link.

Another reminder that your data entry controls must always wear protection (or sanitize the entered data)...

 
New Post
3/30/2011 3:50 AM
 
:)

Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
4/3/2011 9:09 AM
 
Are there more DNN users saying this SQL injection attack didn't affect DNN sites, at least the 5.x + version?
 
New Post
4/3/2011 9:51 AM
 
So far it seems that DNN itself does not have an open access vector of the style used in the recent SQL injection attacks.  

Though there is not a lot of really strong information on the exact nature of the injection methods currently being utilized, but for the most part it would appear to be related to older versions of MS SQL and poorly written asp web applications based on out dated web methodologies.

One of the big issues with the internet, is that very few web sites are willing to keep stumping up money to ensure their sites are kept up to date.  There are millions of older asp based web sites out there for example, running on web servers that are over 10 years old.  Yes they may have been patched and kept up to date with service packs - BUT in many cases the actual methods used on these sites to accept data has itself not always been updated. 

One of the most common and effective way of mitigating SQL injection attacks is to ensure that all SQL queries in an application use parameterized access calls and  to ensure that any input fields are filtered for invalid sql escape type codes.
DNN falls into the first category by default given its use of a database provider model that does not allow direct access to the SQL calls themselves.
But having said this - this does not actually mean that ALL 3rd party modules would be safe - they could possibly become compromised if badly written. 

Westa
 
New Post
4/5/2011 9:54 AM
 
We have no recent reports of any DotNetNuke sites being subject to this issue (which is not surprising as by default we use stored procedures exclusively and are typically not vulneable to sql injection). Whilst it's possible a 3rd party module may introduce a sql injection vector, to date we don't have reports of any outstanding modules with this problem.

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...SQL Injection Attack or, the big ironySQL Injection Attack or, the big irony


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.