Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Cross site request forgery / ViewStateUserKeyCross site request forgery / ViewStateUserKey
Previous
 
Next
New Post
8/31/2011 7:43 AM
 
Patrik Johansson


Joined: 8/5/2004
Posts: 333
We currently had a security company do a intrusion test on our web application, based on DotNetNuke, and one issue that was reported was regarding "Cross site request forgery" (http://www.dotnetnuke.com/Resources/W...). Apparently, they said the could still do it in DNN 5.6.3, even though this was supposed to have been fixed in DNN by adding the following to page_init:

'add viewstateuserkey to protect against CSRF attacks
            If User.Identity.IsAuthenticated Then
                ViewStateUserKey = User.Identity.Name
            End If

When looking around on the internet regarding this, I've seen that most other corrections for this seem to be based on

ViewStateUserKey = Session.SessionID;

rather than:

ViewStateUserKey = User.Identity.Name

and having looked in the debugger, we've seen that they do not contain the same information (SessionID should be unique to the session, while UserName is unique to the user but not the session).

Is this difference any reason to be concerned? Also, we only looked at the Page_Init in Default.aspx.vb, do we need to implement anything in our modules with regards to this?
 
New Post
8/31/2011 12:46 PM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676
The primary focus of viewstateuserkey is to make sure that 1 user cannot generate a viewstate block and replay it against another user e.g. cannot do actions as an admin or one portal and use that to replay those actions on a portal where the user is not an admin. Usin the user.identity.name is acceptable (as listed http://msdn.microsoft.com/en-us/libra... ). Session is also recommended as it adds the fact that the users sessions time out also -
http://msdn.microsoft.com/en-us/libra... , however this has a (pretty big) disadvantage of not working on webfarms so we went the user.identity.name route.
Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
8/31/2011 6:10 PM
 
Patrik Johansson


Joined: 8/5/2004
Posts: 333
cathal connolly wrote:
The primary focus of viewstateuserkey is to make sure that 1 user cannot generate a viewstate block and replay it against another user e.g. cannot do actions as an admin or one portal and use that to replay those actions on a portal where the user is not an admin. Usin the user.identity.name is acceptable (as listed http://msdn.microsoft.com/en-us/libra... ). Session is also recommended as it adds the fact that the users sessions time out also -
http://msdn.microsoft.com/en-us/libra... , however this has a (pretty big) disadvantage of not working on webfarms so we went the user.identity.name route.

 Thanks for your quick reply.

So will the solution implemented protect against the "one click attack" described in your second link? It should be mentioned that we currently have a discussion with the company doing the intrusion tests regarding if this test was actually successful (ie could be exploited) or not, as they might have done a test that wasn't actually using ViewState at all. But if it was, then that should most likely mean that DNN 5.6.3 is not secure from one click attacks, how concerned should we be about this?
 
New Post
8/31/2011 7:14 PM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676
viewstateuserkey protects against cross-site request forgery (one click attacks are just a simplified term Microsoft dreamt up for that article). There are no reports of it not working correct - obviously it assumes that it is working within a postback mechanism (i.e. GET requests to a page that automatically executes code as part of the page lifecycle arent prevented), also viewstatemac must be enabled (which is the DotNetNuke default). It is possible to do an attack as a user but you must have captured that users viewstate already to do that - the viewstateuserkey ensures it's specific to the user.
Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
8/31/2011 7:22 PM
 
Patrik Johansson


Joined: 8/5/2004
Posts: 333
cathal connolly wrote:
viewstateuserkey protects against cross-site request forgery (one click attacks are just a simplified term Microsoft dreamt up for that article). There are no reports of it not working correct - obviously it assumes that it is working within a postback mechanism (i.e. GET requests to a page that automatically executes code as part of the page lifecycle arent prevented), also viewstatemac must be enabled (which is the DotNetNuke default). It is possible to do an attack as a user but you must have captured that users viewstate already to do that - the viewstateuserkey ensures it's specific to the user.

 Yes, as you mention and I also wrote in the subject, CSRF is the correct therm to use.

When you say default in DotNetNuke, I assume you mean fresh installations? As many other users I would assume, our installation is a summary of several upgrades, and thus web.config might not be exactly as in a fresh release of the latest versions. What are the settings to look for and verify here?

The CSRF attack used in the testcase was to fake the user into going to another site which then where able to send a "command" to our site which made the user logout, or rather being logged out (the user was logged in before). I've asked for more information about this to determin if the test case was not correct, or if the CSRF fix in DNN wasn't working as it should.
 
 Page 1 of 2
12Next 
Previous
 
Next
HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Cross site request forgery / ViewStateUserKeyCross site request forgery / ViewStateUserKey


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out