CJones:
I was recently bitten by a stupid code injection/defacement similar to yours, but it only affected the Guestbook module page, which is one of the few places where any user can leave a message, or clever JS code. This was in DNN 4.9.2. With DNN 4.9.3 this issue is resolved, not only they documented it, but I tested it and now the user entered text is better sanitized/encoded so that when it comes back from the DB to the browser it is not capable of executing. I would recommend you consider upgrading to 4.9.3 if possible and your modules are compatible. Remember to make a full backup the DNN directory and the DB before upgrading and to do testing on a staging server/PC before doing the production site.
Regarding the string search in the DB, some time ago I found the code for a stored procedure that will search all text fields in your database for a given string. The cool thing about this is that once you create the SP, you can use it forever by calling it with the string as an input parameter. The SP code is provided below, notice I left the credit text intact since I did not write it. I did make some adjustments so that it works properly with SQL 2008. Below is the code, once the SP is created you can do something like EXEC SearchAllTables '212cafe' and it will return the table name and field name where the text is found.
Hope this helps.
Carlos
USE [YOUR DNN DATABASE NAME HERE]
GO
/****** Object: StoredProcedure [dbo].[SearchAllTables] Script Date: 02/02/2009 14:20:41 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE PROC [dbo].[SearchAllTables]
(
@SearchStr nvarchar(100)
)
AS
BEGIN
-- Copyright © 2002 Narayana Vyas Kondreddi. All rights reserved.
-- Purpose: To search all columns of all tables for a given search string
-- Written by: Narayana Vyas Kondreddi
-- Site: http://vyaskn.tripod.com
-- Tested on: SQL Server 7.0 and SQL Server 2000
-- Date modified: 28th July 2002 22:50 GMT
CREATE TABLE #Results (ColumnName nvarchar(370), ColumnValue nvarchar(3630))
SET NOCOUNT ON
DECLARE @TableName nvarchar(256), @ColumnName nvarchar(128), @SearchStr2 nvarchar(110)
SET @TableName = ''
SET @SearchStr2 = QUOTENAME('%' + @SearchStr + '%','''')
WHILE @TableName IS NOT NULL
BEGIN
SET @ColumnName = ''
SET @TableName =
(
SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
FROM INformATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE'
AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
AND OBJECTPROPERTY(
OBJECT_ID(
QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)
), 'IsMSShipped'
) = 0
)
WHILE (@TableName IS NOT NULL) AND (@ColumnName IS NOT NULL)
BEGIN
SET @ColumnName =
(
SELECT MIN(QUOTENAME(COLUMN_NAME))
FROM INformATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = PARSENAME(@TableName, 2)
AND TABLE_NAME = PARSENAME(@TableName, 1)
AND DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext') --Added , 'text', 'ntext'
AND QUOTENAME(COLUMN_NAME) > @ColumnName
)
IF @ColumnName IS NOT NULL
BEGIN
INSERT INTO #Results
EXEC
--CRR, CAST to avoid error "Left func not allowed in NText.
(
'SELECT ''' + @TableName + '.' + @ColumnName + ''', ' + 'CAST(' + @ColumnName + ' AS Varchar(3630))' + '
FROM ' + @TableName + ' (NOLOCK) ' +
' WHERE ' + @ColumnName + ' LIKE ' + @SearchStr2
)
PRINT 'SELECT ''' + @TableName + '.' + @ColumnName + ''', LEFT((CAST(' + @ColumnName + 'AS VARCHAR)), 3630)'
END
END
END
SELECT ColumnName, ColumnValue FROM #Results ORDER BY ColumnName
END