Small width layout Medium width layout Maximum width layout Small text Medium text Large text
     Search
Downloads Downloads Directory Directory Forums Forums Forge Forge Blogs Blogs        Marketplace Marketplace Careers Program Careers
News › Security Policy › Security Bulletin no. 20 Register  |  

HTML/Script Code Injection Vulnerability when operating with multiple languages

Published: June 11, 2008

Version: 1.0

Maximum Severity Rating: Low

Background

To support switching between languages via the Language skin object, the skin object renders the existing page path along with the relevant country flag and a language token.

Issue Summary

The language skin object failed to encode the newly generated paths which meant that a hacker could inject html/script to perform cross-site scripting attacks.

Mitigating factors

Only DotNetNuke sites that have multiple language pack installs and use the Language skin object suffer from this flaw.

Affected DotNetNuke versions

All others

Non-Affected Versions:

N/A

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.8.4 at time of writing)

Acknowledgments

Mauricio Marquez

Security Policy


Click here to read more details on the DotNetNuke Security Policy
 


Sunset Hill Solutions - Consulting and Development
We offer general DNN consulting services - including custom module development and commercial module integration/setup.
www.sunsethill.ca 		MaximumASP
MaximumASP provides a wide array of web hosting plans to fit any hosting need. We also provide software and services needed to keep it running optimally.
MaximumASP.com 		Mad Development: dotnetnuke design and development
We are an expert Dotnetnuke shop specializing in developing solutions that merge the requirements of design and branding, content management, ecommerce, search engine optimization and business logic.
www.MadDevelopment.com

DotNetNuke Corporation   Terms Of Use  Privacy Statement
DotNetNuke®, DNN®, and the DotNetNuke logo are trademarks of DotNetNuke Corporation
Hosted by MaximumASP