Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...SQL Injection Attack or, the big ironySQL Injection Attack or, the big irony
Previous
 
Next
New Post
3/29/2011 1:31 PM
 
Carlos Rodriguez

www.almacigo.com
Joined: 6/10/2003
Posts: 615
No it did not happen to DNN, but you must find the irony kind of funny, see this link.

Another reminder that your data entry controls must always wear protection (or sanitize the entered data)...
 
New Post
3/30/2011 3:50 AM
 
Sebastian Leupold


Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

www.dnnwerk.de
Joined: 3/8/2004
Posts: 46212
:)
Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
4/3/2011 9:09 AM
 
abecedarian

Joined: 12/4/2005
Posts: 95
Are there more DNN users saying this SQL injection attack didn't affect DNN sites, at least the 5.x + version?
 
New Post
4/3/2011 9:51 AM
 
Wes Tatters


Wes Tatters's Avatar

Joined: 4/30/2004
Posts: 2155
So far it seems that DNN itself does not have an open access vector of the style used in the recent SQL injection attacks.  

Though there is not a lot of really strong information on the exact nature of the injection methods currently being utilized, but for the most part it would appear to be related to older versions of MS SQL and poorly written asp web applications based on out dated web methodologies.

One of the big issues with the internet, is that very few web sites are willing to keep stumping up money to ensure their sites are kept up to date.  There are millions of older asp based web sites out there for example, running on web servers that are over 10 years old.  Yes they may have been patched and kept up to date with service packs - BUT in many cases the actual methods used on these sites to accept data has itself not always been updated. 

One of the most common and effective way of mitigating SQL injection attacks is to ensure that all SQL queries in an application use parameterized access calls and  to ensure that any input fields are filtered for invalid sql escape type codes.
DNN falls into the first category by default given its use of a database provider model that does not allow direct access to the SQL calls themselves.
But having said this - this does not actually mean that ALL 3rd party modules would be safe - they could possibly become compromised if badly written. 

Westa
 
New Post
4/5/2011 9:54 AM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676
We have no recent reports of any DotNetNuke sites being subject to this issue (which is not surprising as by default we use stored procedures exclusively and are typically not vulneable to sql injection). Whilst it's possible a 3rd party module may introduce a sql injection vector, to date we don't have reports of any outstanding modules with this problem.
Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
 Page 1 of 2
12Next 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...SQL Injection Attack or, the big ironySQL Injection Attack or, the big irony


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out