DotNetNuke Forums
 
New Post 7/28/2008 8:50 PM
User is offline ch3nyong
14 posts
10th Ranked


URGENT! Javascript injection breaks the public view

Hi all, I have a critical issue with the blog module!

My site allows registered users to post comments, and moderation is disabled.

When someone posts a comment such as:

<script>

 
New Post 7/29/2008 12:37 AM
User is offline Dario Rossa
341 posts
dotnetnuke.dariorossa.it
8th Ranked




Re: URGENT! Javascript injection breaks the public view

Hi ch3nyong,

the module team has been discussing this weakness for a long time. This issue has been taken into account during the development of version 03.05.00, and script injection has been disabled along with most HTML tags. Version 03.05.00 has already been submitted to the release tracker, so you will not have to wait long to see this enhancement in action.

In the meantime I suggest you use moderation even for registered users to avoid malicious injections. I also remind you that you can easily check which registered user added the malicious script and eventually block him.

Best regards,
Dario Rossa


Dario Rossa
Personal WebSite: http://www.dariorossa.it
DotNetNuke: http://dotnetnuke.dariorossa.it
 
New Post 7/29/2008 7:12 AM
User is offline ch3nyong
14 posts
10th Ranked


Re: URGENT! Javascript injection breaks the public view

Hi Dario Rossa,

I appreciate your response a lot, and thank you for the in-depth explanation!

However, I still find it not tolerable when it comes to this kind of simple injection.

I have been a PHP guy until recently, when I was assigned to work on a .NET CMS, and DNN was selected based on a few strengths.

Now the site is in its final week before it goes live, and we have failed on security due to this minor issue.

What we need is simply a JavaScript validation check (e.g. halt submission if a <script> tag is found, or something similar) before the postback is done.

Do you have any idea how we can get a quick fix for this?

Thank you!!

 
New Post 7/29/2008 9:30 AM
User is offline Dario Rossa
341 posts
dotnetnuke.dariorossa.it
8th Ranked




Re: URGENT! Javascript injection breaks the public view

Hi ch3nyong,

you're right, this weakness to malicious script injection should have been taken into account earlier. However, the next version will include a powerful filter to avoid any issues. To fix it in the current version you will need to open the actual module project, modify it and recompile. A good place to put the filter would be just before the comment is added to the database. I would also suggest you filter out the HTML tags other than <img>, <b>, <u>, etc., because in my experience these too can break up the page layout.

Best regards,
Dario Rossa


Dario Rossa
Personal WebSite: http://www.dariorossa.it
DotNetNuke: http://dotnetnuke.dariorossa.it
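The server-side filter Dario recommends, placed just before the comment is stored, as an added example that is not the Blog module's code or any DNN API: a Python allowlist sanitizer built on the standard library's html.parser. It keeps only the formatting tags named in the thread plus a few similar ones (the exact allowlist is an assumption), drops every other tag and every unlisted attribute, rejects non-http(s) URLs in src/href, and HTML-escapes all remaining text, so a stored comment can be rendered without breaking the page layout or executing script. The hypothetical naive_script_check stands in for the client-side "halt if <script> is found" check asked about earlier in the thread; the constructed samples show why an allowlist on the server is the robust fix and a string check is not: a client-side check can be skipped by submitting the form without the browser, and a <script>-only check says nothing about attributes on otherwise harmless tags.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes permitted on that tag. Assumption: this is the
# set of formatting the thread wants to keep (<img>, <b>, <u>, "etc.").
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "strong": set(), "em": set(),
    "p": set(), "br": set(),
    "img": {"src", "alt"},
    "a": {"href"},
}
VOID_TAGS = {"br", "img"}            # never get a closing tag
SAFE_URL_SCHEMES = {"http", "https", ""}   # "" = relative URL


def safe_url(value: str) -> bool:
    """Only plain web URLs (or relative ones) may be stored in src/href."""
    return urlparse(value.strip()).scheme.lower() in SAFE_URL_SCHEMES


def naive_script_check(comment: str) -> bool:
    """The kind of check the thread asks for: True if a <script> tag appears.
    Shown only to contrast it with the allowlist below (hypothetical helper)."""
    return "<script" in comment.lower()


class CommentSanitizer(HTMLParser):
    """Rebuilds the comment from scratch: known tags are re-emitted with their
    permitted attributes, everything else becomes escaped text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized fragments
        self.open = []      # stack of allowed tags we emitted, so we can close them
        self.dropping = None  # set while inside <script>/<style>: discard their body

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping = tag          # body of these tags is never content
            return
        if tag not in ALLOWED_TAGS:
            return                       # tag removed; its inner text still passes as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                 # drops on* handlers, style, class, ...
            if name in ("src", "href") and not safe_url(value):
                continue                 # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
            return
        if tag in self.open:             # close down to the matching tag, keeping nesting valid
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(escape(data, quote=False))   # &, <, > become entities

    def handle_comment(self, data):
        pass                             # HTML comments and declarations are discarded

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self) -> str:
        while self.open:                 # close anything the commenter left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_comment(html: str) -> str:
    """Call this on the comment body before the INSERT into the comments table."""
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comments, not taken from the thread.
    for sample in ['Nice post <b>really</b>!',
                   '<script>alert(1)</script>hello',
                   '<b onclick="x()">bold</b>',
                   '<img src="javascript:x" alt="pic">',
                   '<div>layout</div> 5 < 6 & 7 > 3 <u>open']:
        print(repr(sample), "->", repr(sanitize_comment(sample)))
```

In the DNN Blog module the equivalent call belongs in the data-access path Dario points at, wrapping the comment text immediately before it is written to the database, and the same allowlist design ports to C#/VB.NET with any real HTML parser. Enabling moderation, as suggested above, remains a sensible second layer: the sanitizer decides what markup survives, moderation decides what content is published at all.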
 