Is hacking easy with DNN ???
2/5/2007 7:54 AM
 

Hello,

I am sure that this subject will fascinate many people... Yesterday, there was a hacking attempt on various forums; take a look at the public announcements:
1/ Apollo forum - hacking attempts.
2/ DotNetNuke forum FR - hacking attempts

A few days ago, there was also a question regarding HTML code injection...
Now, I am wondering if DNN modules using HTML editor like FCKEditor are safe or not...

Could experts comfort me or tell us the way to protect our website please ???

DV FX

 
2/5/2007 8:30 AM
 

FYI: we are investigating the various reports of forum related issues, and once validated will determine the best way to fix them.

As for html code injection, it does not matter whether you provide users with a simple text box, or a more functional html editor, the possibility exists that html/script injection can occur. To counter this, the usual technique is to filter/encode content as it's being stored, so that the content cannot cause issues. To do this we have a core function InputFilter that provides a number of different mechanisms. You can read more about it, and other module security issues in the 'secure module development' document @ http://www.dotnetnuke.com/tabid/940/Default.aspx

Cathal


2/5/2007 8:47 AM
 

To my understanding the InputFilter core function is a tool for DNN module developers to secure their applications against various injections. However, what's the point of this function when DNN's own official modules (such as forums, blogs, text/html or almost any other rich-text enabled module) are vulnerable to such attacks? Anyone with some basic HTML/javascript skills can do severe damage to these pages by simply entering malicious HTML/javascript code.

IMO this "filter" function should be a core option in the admin's control panel. It should allow filtering of any unwanted HTML codes/script tags.

 
2/5/2007 9:42 AM
 

Actually, if you check the core modules you'll find this function is extensively used. The guidance is to ensure that it is used where untrusted user input can occur, i.e. anywhere where an anonymous individual can post content, e.g. forum posts, blog comments, core user registration etc. (the forum issue we are investigating looks like a single field is unfiltered). In addition, many modules will also filter various pieces of their content - but that's up to the individual module teams.

As for modules that aren't filtered such as text/html, that's because these modules come with implicit trust i.e. your site administrator has given you the rights to edit that content, meaning you're a trusted user.

FYI: I once attempted to add a core level filter that could be enabled on a module basis, e.g. override the render of the control and filter the contents. This proved to be very difficult to get working reliably, due to the variances in html content from skins etc. As the standard guidance is to filter/encode content on the way in, rather than the way out, I shelved this side-project. I may revisit it at some point (e.g. add an additional optional interface to allow output filtering).

Cathal


2/5/2007 10:41 AM
 
Thanks Cathal, that made a lot of sense. It's good to know that at least the DNN core developers are well aware of the security issues on code injections. However, don't you think this is something that is worth emphasizing so the webmasters can at least keep a mental note and watch out for any inappropriate attempts from their users? It seems the issue has been way overlooked by many 3rd party module (many are PAID ones) authors as well. I see so many DNN sites running unsecured setups using various 3rd party modules. News/articles related, content management, forums, custom forms, you name it!

P.S. In regards to the Blog module, even though the comments area is protected, the composing area is not. On sites that allow users to create their own blogs freely, this can be a security concern because a potential attacker can simply create their own blog with malicious code. Anyone who visits such blogs will be in danger.
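
The guidance discussed in this thread (encode untrusted input as it is stored, and leave raw markup only to authors the administrator has trusted with edit rights), sketched in C# as an added example that is not part of any post and is not DNN's InputFilter code. The type names, the field inventory and the sample input are constructed for illustration and are not an audit of DNN modules; only `WebUtility.HtmlEncode` is a real .NET call.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical model of the thread's guidance; not DNN's InputFilter.
enum Author { Anonymous, Registered, Editor }   // Editor = given edit rights by the admin

class Field
{
    public string Name; public Author LowestAuthor; public bool EncodedOnStore;
    public Field(string name, Author lowest, bool encoded)
    { Name = name; LowestAuthor = lowest; EncodedOnStore = encoded; }
}

static class StoreFilter
{
    // Encode on the way in: markup from untrusted authors is stored as inert text.
    public static string Prepare(string input, Field f)
    {
        if (input == null) return "";
        return f.EncodedOnStore ? WebUtility.HtmlEncode(input) : input;
    }

    // A field is a gap when someone below Editor can write it and it is stored raw.
    public static List<string> FindGaps(IEnumerable<Field> fields)
    {
        var gaps = new List<string>();
        foreach (var f in fields)
            if (f.LowestAuthor != Author.Editor && !f.EncodedOnStore) gaps.Add(f.Name);
        return gaps;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed inventory echoing the cases raised in the thread.
        var fields = new[] {
            new Field("forum.body", Author.Anonymous, true),
            new Field("blog.comment", Author.Anonymous, true),
            new Field("blog.entry (self-service blogs)", Author.Registered, false),
            new Field("texthtml.content", Author.Editor, false),
        };
        string sample = "Hi <script>alert(1)</script>";   // constructed input
        Console.WriteLine(StoreFilter.Prepare(sample, fields[0]));   // stored encoded
        Console.WriteLine(StoreFilter.Prepare(sample, fields[3]));   // stored raw (trusted)
        Console.WriteLine("Unfiltered untrusted fields: "
            + string.Join(", ", StoreFilter.FindGaps(fields)));
    }
}
```

Content stored this way must not be HTML-encoded a second time when it is rendered, otherwise visitors see the entity text instead of the original characters.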
 