As a former Xoops site admin (PHP/MySQL based) I found it interesting that, as it currently stands, DNN has has far fewer security issues then this (and most other) PHP based web site packages, according to this security site: http://secunia.com/

I always thought, from with what was said on the xoops and other PHP based forums, that going to a VB based package I was going to be hacked within hours. However, it seems according to this independent security site it is in fact, potentially, the other way around.

While DNN certaint has some issues that needs addressing, as a whole I am quite happy with it and glad I did make the switch.

Something I thought I'd share.

-Strauss
www.witchescodex.net

It's a little odd as within the security community at large PHP-based app's typically have a very bad name. Some of this comes from PHP being a scripting language that was never designed with security in mind (hence php itself has had dozens of exploits, whereas asp.net has had only 1 or 2 minor ones in 6 years), but lots of this comes from early php opensource projects being copied and propagating common security issues.

One of the strengths of DotNetNuke is that from the start it's data layer used stored procedures. This meant that a whole class of common security issues (sql injection) was virtually eradicated (whilst sql injection against stored procedures is possible in some cases it's much more difficult). As this was the way data access was coded in the core, virtually all modules for dotnetnuke used the same system as well (whereas modules for the likes of phpnuke often use dynamic sql) . As a system is only as strong as it's weakest point, having this occur early on in the life cycle has been very useful.

We've also had a dedicated security team for a number of years, who don't just react to new issues, but instead are always looking for ways to harden the default security model of dotnetnuke (e.g. adding code such as this to the core to reduce XSS effectiveness - http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/256/Default.aspx), and documenting best practices (e.g. http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/1027/Default.aspx ).

This is an area we take very seriously, and will continue to do so. There will be a number of security enhancements rolling out in the next few versions to continue making dotnetnuke as secure as we can.

Cathal

---

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US

This may be a little off track for this post, but while we're on the subject of DNN Security, I was recently sent information that suggests that there could be security concerns when using AJAX.   My company wants me to follow up on this with the DNN Community to see if we should be concerned about a large scale project we are working on using DNN.  We are using AJAX in third party modules and also developing modules using ListX and other traditional development environments.

The security information I was sent is available in the following links.

Fortify Software Documents Pervasive and Critical Vulnerability in Web 2.0

Ajax security: How to prevent exploits in five steps

I am not a developer myself, so I rely heavily on the DNN Community for answers to concerns about security.

Thanks in advance for any comments anyone might have about this.