DotNetNuke Forums
7/28/2008 8:50 PM, ch3nyong (14 posts, 10th Ranked)


URGENT! Javascript injection breaks the public view

Hi all, I have a critical issue with the blog module!

My site allows registered users to post comments, and moderation is disabled.

When someone posted such a comment:

<script>


7/29/2008 12:37 AM, Dario Rossa (366 posts, 8th Ranked, www.dariorossa.it)




Re: URGENT! Javascript injection breaks the public view

Hi ch3nyong,

The module team has been discussing this weakness for a long time. This issue has been taken into account during the development of version 03.05.00, and script injection has been disabled along with most HTML tags. Version 03.05.00 has already been submitted to the release tracker, so you will not have to wait long to see this enhancement in action.

In the meantime I suggest you use moderation even for registered users to avoid malicious injections. I also remind you that you can easily check which registered user added the malicious script and eventually block him.

Best regards,
Dario Rossa


Dario Rossa
Personal WebSite: http://www.dariorossa.it
DotNetNuke: http://dotnetnuke.dariorossa.it
 
7/29/2008 7:12 AM, ch3nyong (14 posts, 10th Ranked)


Re: URGENT! Javascript injection breaks the public view

Hi Dario Rossa,

I appreciate your response a lot, and thank you for the in-depth explanation!

However, I still find it intolerable when it comes to this kind of simple injection.

I have been a PHP guy until recently, when I was assigned to work on a .NET CMS, and DNN was selected based on a few strengths.

Now the site is in its final week before it goes live, and we have failed on security due to this minor issue.

What we need is simply a JavaScript validation check (e.g. halt submission if a <script> tag is found, or something similar) before the postback is done.

Do you have any idea on how we can have quick fix on this?

Thank you!!


7/29/2008 9:30 AM, Dario Rossa (366 posts, 8th Ranked, www.dariorossa.it)




Re: URGENT! Javascript injection breaks the public view

Hi ch3nyong,

You're right, this weakness to malicious script injection should have been taken into account earlier. However, the next version will include a powerful filter to avoid any issues. To fix it in the current version you will need to open the actual module project, modify it and recompile. A good place to put the filter would be just before the comment is added to the database. I would also suggest you filter out the HTML tags other than <img>, <b>, <u>, etc., because I have found that these too can break up the page layout.

Best regards,
Dario Rossa


Dario Rossa
Personal WebSite: http://www.dariorossa.it
DotNetNuke: http://dotnetnuke.dariorossa.it
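The server-side filter Dario describes, placed in the code path just before the comment reaches the database and keeping only a few harmless tags, as an added example that is not code from the Blog module or from either poster. It is written in Python as a language-neutral illustration; the allow-list (<b>, <i>, <u>, and <img> with an http(s) src only) and the sample comments are constructed assumptions.

```python
import html
import re

# Constructed allow-list modelled on the tags named in the thread (<img>, <b>,
# <u>): formatting tags carry no attributes, <img> only an http(s) src.
_SIMPLE_TAG_RE = re.compile(r"&lt;(/?)(b|i|u)&gt;", re.IGNORECASE)
_IMG_TAG_RE = re.compile(
    r"&lt;img\s+src=&quot;(https?://\S+?)&quot;\s*/?&gt;", re.IGNORECASE
)
_ALLOWED = {"b", "i", "u", "/b", "/i", "/u", "img"}


def sanitize_comment(raw: str) -> str:
    """Return comment markup that is safe to store and later render.

    Default-deny: the whole comment is HTML-encoded first, so <script>,
    event-handler attributes and javascript: URLs are displayed as text.
    Only the allow-listed tags are then re-enabled, and only in the exact
    attribute-free shape (or http(s) src for <img>) the patterns accept.
    """
    encoded = html.escape(raw, quote=True)
    encoded = _SIMPLE_TAG_RE.sub(
        lambda m: f"<{m.group(1)}{m.group(2).lower()}>", encoded
    )
    return _IMG_TAG_RE.sub(lambda m: f'<img src="{m.group(1)}" alt="">', encoded)


def contains_disallowed_tag(markup: str) -> bool:
    """Last gate before the INSERT: True if any tag outside the allow-list
    survived, which would mean the filter above was bypassed or skipped."""
    tags = re.findall(r"<\s*([a-zA-Z/][a-zA-Z0-9]*)", markup)
    return any(tag.lower() not in _ALLOWED for tag in tags)


if __name__ == "__main__":
    # Constructed sample comments: the one from the thread plus variants
    # that try to carry active content inside an allowed tag.
    samples = [
        "<script>alert(1)</script>",
        '<b>bold</b> and <img src="http://example.com/a.png">',
        '<img src="x" onerror="alert(1)">',
        '<b onmouseover="alert(1)">text</b>',
    ]
    for raw in samples:
        clean = sanitize_comment(raw)
        print(f"{clean!s:60} disallowed tag: {contains_disallowed_tag(clean)}")
```

A check that runs in the browser before postback can be skipped by anyone who submits the form directly, so the filter belongs in the server code path; the stored text should still be encoded when it is rendered.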