
HTML/Script Code Injection Vulnerability

Published: Nov 26, 2009

Edited: Feb 4 2010 (updated Urlscan URL)

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke has a search function which redirects to a custom results page.

Issue Summary

Whilst the search function filters for dangerous script, code was recently added to display the search terms on the results page, and this code failed to filter them. The code has been refactored to filter the input so that cross-site scripting attacks cannot occur.
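As an added illustration (not DotNetNuke's own code, which is ASP.NET), the Python sketch below models the defect class the bulletin describes: a results page that filters the query for script tags before searching but then echoes the raw term into the page, beside the refactored form that HTML-encodes the term at the point of output. Function names, the sample page index and the probe string are assumptions made for the example.

```python
import html
import re

# Crude input filter of the kind the bulletin says the search function applies:
# it strips <script ...> and </script> tags from the query before searching.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

# Constructed stand-in for the real search index.
PAGES = ["Getting started", "Module development", "Skinning guide"]


def filter_dangerous_script(term: str) -> str:
    return SCRIPT_TAG.sub("", term)


def run_search(term: str) -> list[str]:
    return [p for p in PAGES if term.lower() in p.lower()]


def results_page_before(term: str) -> str:
    """Pre-fix behaviour: the search itself uses the filtered term, but the
    newly added 'Results for' line echoes the original, unfiltered input."""
    hits = run_search(filter_dangerous_script(term))
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<p>Results for: {term}</p><ul>{items}</ul>"  # raw reflection


def results_page_after(term: str) -> str:
    """Refactored behaviour: every piece of user input that reaches the
    markup is HTML-encoded, whether or not it was filtered first."""
    hits = run_search(filter_dangerous_script(term))
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<p>Results for: {html.escape(term, quote=True)}</p><ul>{items}</ul>"


def reflects_raw_markup(page_html: str, term: str) -> bool:
    """Check a rendered page for the user's input appearing verbatim together
    with a live script tag; useful as a regression test for the fix."""
    return term in page_html and "<script" in page_html.lower()


if __name__ == "__main__":
    probe = "module<script>test()</script>"  # constructed test input
    print(reflects_raw_markup(results_page_before(probe), probe))  # True
    print(reflects_raw_markup(results_page_after(probe), probe))   # False
```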

Mitigating factors

To protect against attacks that attempt to use invalid URLs, users can install the free Microsoft URLScan utility (http://www.iis.net/expand/UrlScan). This is a recommended install as it offers protection against a number of other URL-based issues that are not specific to DotNetNuke.

Affected DotNetNuke versions

4.8 - 5.1.4

Non-Affected Versions:

N/A

Fix(s) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.2.0 at time of writing).

Acknowledgments

Scott Bell, Security Consultant, Security-Assessment.com
