
DNNPersonalization Cookie ERROR

New Post
7/13/2009 11:08 AM
 

You can't remove the value as it's required. It's simply a serialised profile object (e.g. similar to how Microsoft get their memberrole personalisation to work). I'm surprised you got that error as I believe it only occurs when pageValidation is enabled and DotNetNuke disables it (i.e. validateRequest="false" in your web.config).

I've never been convinced by this protection, as it's only dangerous if the application takes the contents of a cookie and uses it to output to the screen or build a dynamic SQL statement. This same exception occurs if you examine the Google Urchin cookie used for analytics.

Cathal


New Post
7/13/2009 12:37 PM
 

Maybe I didn't make myself clear enough, sorry about that:

I'm not having this error message in the DNN 5.1 solution, but instead in another .NET project running on the same server.

If I use validateRequest="false" in the affected project there is no problem, it works as intended, but it still represents a vulnerability in the code, I understand that.

So, I was comparing the cookies generated in version 4.9 and in the newest release:

4.9

portalaliasid
84208D9B9EC0B95D94CE1FF864561948A200BF1021619126FDB711E1DD087F390554963
D8C919578E29D7CB358885E767B554F63183DC4DA6570A52517F13229D5E31D10E6C4668A5AAF97EF8AC96B6D
www.amt-consulting.pt/
9728 2428569472 30016468 1798789472 30016468
*
portalroles www.amt-consulting.pt/ 9728 2428569472 30016468 1798789472 30016468

*

5.1

.ASPXANONYMOUS
8hKJs2Y6ygEkAAAAMTEzY2U3ZDgtZWY1MC00NmU0LTk3ZTctZWFiZmFjMzMyYzYw0
webdev/
9216 3005444352 30030438 3712399472 30016468


DNNPersonalization
<profile><item key=":" type="System.String, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><string>True</string></item></profile> Webdev/ 9216 3601003520 30022505 3733144880 30016470

*


I'm not a developer, and I don't know if I'm posting something obvious about the cookie system, but something in this cookie is making other applications go nuts. I'm trying to figure this out, I don't want to revert my latest websites to the previous version of DNN :( ...

Can we use the original cookie format, like the one in version 4.9 or 5.0?

Thank you very much for your answers!
Miguel Rita.

 

 

 
New Post
8/18/2009 1:11 PM
 

I too am experiencing the same issue in a similar environment.  I notice that the error appears when I run the other app using localhost as the server address, but not when I use an external IP address to access the IIS server.  I'm running IIS version 5.1.2600.5512 (from inetinfo.exe) on an XP machine.  This server has DNN 5.1 installed as a localhost development PC (no external access) along with some other apps developed using .NET 2.0 and .NET 3.5 frameworks.  The error is occurring on a .NET 2.0 web application (haven't tested to see if it also appears on the .NET 3.5 apps).

I think that Miguel is on the right track -- there is something in the cookie files that DNN 5.1 creates that curiously is then picked up when other apps on the same server are run.  The error message denotes that it is suspecting a cross-site scripting attack -- one of those very vicious things that we all read about in the papers to avoid.  So, I'm asking along with Miguel for the development team to revisit what they have done to the cookies created by DNN 5.1 to eliminate the suspicion that DNN is engaged in tactics that could be interpreted as malware.

Thanks for looking into this very serious issue.

 
New Post
8/20/2009 12:08 AM
 

The key that my error comes from was found in the cookie file:  username@localhost.txt -- removing this from the cookie got rid of the security error that other apps running on localhost were showing.  It seems that the presence of these lines within a cookie that is used for multiple apps on the same host (localhost) causes issues.  Perhaps the solution is to have it go to another cookie file when localhost is used?

DNNPersonalization
<profile><item key="Usability:ControlPanelVisible0" type="System.String, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=[removedcodestring]"><string>False</string></item><item key="Usability:UserMode0" type="System.String, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=[removedcodestring]"><string>EDIT</string></item></profile>
localhost/
[removedcodestring]
[removedcodestring]
[removedcodestring]
[removedcodestring]
[removedcodestring]
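
An added illustration, not part of the thread and not DNN or ASP.NET code: a simplified Python model of the two behaviours discussed above, host and path scoping of cookies and a request-validation style check on cookie values. The pattern only approximates the ASP.NET heuristic, and the jar entries, the `/dnn` and `/otherapp` paths and the address 192.0.2.10 are constructed for the example.

```python
import re

# Assumption: simplified stand-in for ASP.NET request validation, which
# rejects values containing "<" followed by a letter, "!", "/" or "?", or "&#".
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")

def looks_dangerous(value):
    """True if a cookie value would trip the simplified heuristic."""
    return _DANGEROUS.search(value) is not None

def cookie_applies(cookie, host, path):
    """Host-only match (port is ignored for cookies) plus path-prefix match."""
    if cookie["host"].lower() != host.lower():
        return False
    prefix = cookie["path"] if cookie["path"].endswith("/") else cookie["path"] + "/"
    return path == cookie["path"] or path.startswith(prefix)

def rejected_cookies(jar, host, path):
    """Names of cookies sent with a request to host+path that fail validation."""
    return [c["name"] for c in jar
            if cookie_applies(c, host, path) and looks_dangerous(c["value"])]

def with_path(jar, name, new_path):
    """Copy of the jar with one cookie re-scoped to a narrower path."""
    return [dict(c, path=new_path) if c["name"] == name else dict(c) for c in jar]

# Constructed jar modelled on the cookie files quoted in the thread.
JAR = [
    {"name": ".ASPXANONYMOUS", "host": "localhost", "path": "/",
     "value": "CONSTRUCTED-OPAQUE-TOKEN"},
    {"name": "DNNPersonalization", "host": "localhost", "path": "/",
     "value": '<profile><item key="Usability:UserMode0">'
              '<string>EDIT</string></item></profile>'},
]

if __name__ == "__main__":
    # Another app on the same host receives the XML cookie and rejects it.
    print(rejected_cookies(JAR, "localhost", "/otherapp/default.aspx"))
    # Same server reached by IP address: the host-only cookie is not sent.
    print(rejected_cookies(JAR, "192.0.2.10", "/otherapp/default.aspx"))
    # Hypothetical change: scope the cookie to the DNN virtual directory.
    scoped = with_path(JAR, "DNNPersonalization", "/dnn")
    print(rejected_cookies(scoped, "localhost", "/otherapp/default.aspx"))
    # Only the DNN application itself still receives the XML value.
    print(rejected_cookies(scoped, "localhost", "/dnn/default.aspx"))
```
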

 
New Post
1/6/2010 10:12 AM
 

So is this still an open issue then? I have 5.1 running on a VM that I'm demoing to colleagues. There are also customer UAT sites on the same VM. I've noticed this error recently on the UAT sites (none are in use at the moment). I put it down to installing the Active Directory module. Will I have to take this version of DNN offline because there is no obvious fix?

 