Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

Firewall blocks FCKeditor cross-site scripting (DNN Open Source > Provider and Extension Forums > FCKeditor)

New Post
6/29/2007 11:25 AM

We have not been able to get FCKeditor to work on any browsers inside the company firewall. Research revealed the following from:

http://xforce.iss.net/xforce/xfdb/26539

"FCKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using specially-crafted Javascript code to execute script in a victim's Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim's cookie-based authentication credentials"

Our firewall blocks cross-site scripting, which probably explains why FCKeditor never loads. We are building a DOTNETNUKE site for a client that may have the same firewall settings.

Before we move further down the DOTNETNUKE option path, I desperately need to know if this is a pointless option. Namely, is there a workaround or fix?

Is there another Rich Text Editor that can be used instead of FCKeditor in DOTNETNUKE? If so, how do you do this?

Is there any way to implement FCKeditor without using cross-site scripting?

Any help would be GREATLY appreciated! :)

New Post
6/29/2007 4:02 PM

First, I need to make sure you all know what Cross-site scripting is:

http://en.wikipedia.org/wiki/Cross-site_scripting

After that, you may know that FCKeditor only allows users to enter content. The same can be achieved by using a simple textbox.

The main idea of cross-site scripting is that anyone could use your input control to enter script code that can be used for other purposes than the required ones.

As I told you before, it does not matter if you are using a Rich Text control or a simple textbox, the content can always include some kind of scripting.

After the content is entered, a program (a module in our case) running at the server is the one that processes this content to store it or to show it again when requested. So this program or module is the one responsible for checking and cleaning the malware.

Please take note that this could happen even if you are using other controls than rich text editors. By reading the xforce post, you must take care to read the "COULD" word.

I think the only way to be really safe from being cross-scripted is not to allow any content from external users... but... maybe I and others prefer to receive external content.

DotNetNuke has made a lot of work to reduce the cross-scripting attacks as well as possible sql-injection attacks. I will ask Cathal to post to this thread to clarify a little more about it.

As the last comment for this post, I will say that ISS also manages my own firewall at work and my dotnetnuke is up and running as it is only javascript.

Locopon
Free modules: E-commerce, Complete localization (Portal, page, module settings, skins, etc.), Secure Login, and more
http://dnn.tiendaboliviana.com

New Post
6/29/2007 4:29 PM

I will post the following link so you can see that DNN takes security very seriously.

http://www.dotnetnuke.com/News/SecurityBulletins/tabid/940/Default.aspx

If you are still concerned about this, you can use the information and guidelines there about security.

Last thing: 1/2 million are using DNN and millions are using rich content editors. Do you think that all those people are being cross-scripted and continue to use those editors?


Locopon
Free modules: E-commerce, Complete localization (Portal, page, module settings, skins, etc.), Secure Login, and more
http://dnn.tiendaboliviana.com

New Post
6/29/2007 4:54 PM

DotNetNuke assumes that users who are granted permission to enter content are trusted and therefore will not be inclined to add malicious scripts to their sites. This model breaks down somewhat in areas where modules allow untrusted users to contribute content which will be redisplayed on the site - examples are forums, blog comments, etc... Regardless, you have a number of options to consider.

1. Make sure your portal permissions are configured appropriately so that only trusted users can enter content

2. Do not include modules which allow for user contributed content on your site

3. As a last resort, you could create your own custom "RichTextEditorProvider" which prevents the entry of all script. This would obviously limit the creativity of users on your site by preventing them from adding any type of text formatting ( ie. bold, italics, underline, paragraphs ) or reference external resources ( hyperlinks, pictures, etc... ) in their content.

My comments are my own and are offered WITHOUT PREJUDICE

Shaun Walker
http://www.siliqon.com