Does FCKeditor have a BadWords.Txt file that an admin can add lines to?
When a user hits the Save button... it should check to see if any of the words are listed in the BadWords.Txt file.
If there is currently no way to control content, then websites are at risk.

The comment  made elsewhere "Make sure your portal permissions are configured appopriately so that only trusted users can enter content"
is the ostrich putting her head in the sand, and not a suitable solution for DNN websites, either business or hobby.

Hi Barry,

Sebastian is right (as usual).  Despite the many, many (many!) public DotNetNuke installations out there, with all the myriad configurations, I am aware of only two that have been hit with the nihaorr1 injection.  Both of these are virtually certainly affected via third-party modules and cross-application contamination.  Of those two pathways of infection, the latter is the overwhelmingly more likely to be the cause.

The real morale of the story here: move your weak legacy ASP.NET applications to DotNetNuke, and you no longer have to worry about this particularly insidious injector!

Sebastian: I know you require all-SPs to pass the release process.  However, I recall seeing the use of the EXEC statement in a couple of these SPs (I believe I logged one of them in Gemini).  As this could be a backdoor avenue of infection, have you considered disallowing this particular statement from SPs that go through the release process?

Brandon

Yep -- as my Saturday homework, I just checked, and there are no relevant instances of sp_executeql calls in the core or the common modules that I happen to have installed on my dev machine.  The one instance that I found and logged awhile back (http://support.dotnetnuke.com/issue/ViewIssue.aspx?id=5128&PROJID=22) is not a security issue.  I figured you guys already had a procedure in place for such an eventuality.

And of course I meant sp_executesql in my previous post and not EXEC.

Brandon