Register | Log In
Store Download Support Blogs Forums Contact
News > Security Policy > securitybulletinno31

HTML/Script Code Injection Vulnerability

Published: Nov 26, 2009

Edited: Feb 4 2010 (updated Urlscan URL)

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke has a search function which redirects to a custom results page.

Issue Summary

Whilst the search function filters for dangerous script , recently code was added to show the search terms and this failed to filter. The code has been refactored to filter the input to ensure that cross-site scripting attacks cannot occur.

Mitigating factors

To protect against attacks that attempt to use invalid URL's, users can install the free Microsoft URLScan utility(http://www.iis.net/expand/UrlScan). This is a recommended install as it offers protection against a number of other non-DotNetNuke specific URL based issues.

Affected DotNetNuke versions

4.8 - 5.1.4

Non-Affected Versions:

N/A

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.2.0 at time of writing)

Acknowledgments

Scott Bell, Security Consultant, Security-Assessment.com

Security Policy


Click here to read more details on the DotNetNuke Security Policy

Attend A Webinar
Try An Online Demo
Download DotNetNuke Professional Edition Trial
Have Someone Contact Me

Like Us on Facebook Join our Network on LinkedIn Follow DNN Corporate on Twitter Follow DNN on Twitter

Advertisers

Sponsors

DotNetNuke Corporation

DotNetNuke Corp. is the steward of the DotNetNuke open source project, the most widely adopted Web Content Management Platform for building web sites and web applications on Microsoft .NET. Organizations use DotNetNuke to quickly develop and deploy interactive and dynamic web sites, intranets, extranets and web applications. The DotNetNuke platform is available in a free Community and subscription-based Professional and Enterprise Editions with an Elite Support option. DotNetNuke Corp. also operates Snowcovered.com where users purchase third party apps for the platform.
Copyright © 2002-2012 DotNetNuke Corp. / Terms of Use / Privacy
Hosted by MaximumASP