DNN Blog

Author: cathal connolly Created: 8/24/2005 7:28 AM
The opinions expressed here are the opinions of Cathal Connolly, and do not necessarily represent the views and opinions of the DotNetNuke Corporation.
By cathal connolly on 4/17/2007 4:39 PM
A DotNetNuke 4.5.1 package was posted for public download yesterday. This release contains fixes to a number of issues identified after 4.5.0 was publicly released.

Specifically: 1. FCKEditor - there was an issue when using FCK Editor on a Site vs. Virtual Directory when trying to insert an image from the gallery. This was fixed in the FCK Editor provider. In addition, the Preview option in the Html/Text editor would result in double path specifications for images. This was fixed in the core framework....
By cathal connolly on Wednesday, April 11, 2007 4:23:00 AM
A new version of the forum module has been released to deal with some critical issues.
By cathal connolly on Tuesday, April 10, 2007 11:48:00 PM
This issue involves a potential phishing risk where malicious users could create a link that appeared to be approved by a site owner, which might convince an unwary user to visit an untrustworthy location. Whilst this issue cannot cause harm on the user's portal itself, because it can lead to a loss of confidence in a site we elected to give this issue a status of medium.

...
By cathal connolly on 3/9/2007 5:00 AM
A few versions back we added a DisplayName parameter to the user profile, so that users could give their preferred name. This was added after a number of community requests for an alternative value to display user information. Before, modules and core code displayed either the username (e.g. "cathal") or else showed the Firstname and Surname fields (e.g. "cathal connolly"). However, in some cases neither of these is ideal, such as cultures where the user's name takes the form Surname, Firstname. Whilst this solved...
By cathal connolly on 3/9/2007 12:00 AM
In 4.5 four new fields have been added to the Host Settings menu. The first two additions provide useful information. The Relative path field displays the relative location of the application in relation to the root of the site (for sites running in the root, this will be blank) and the Physical path field displays the physical location of the site root on the server.

The next field, Permissions, utilises a new SecurityPolicy class to determine if a site supports key code access security permissions....
By cathal connolly on 1/16/2007 12:00 AM
Anyone reading Microsoft/asp.net blogs recently is sure to have seen the 5 things meme, where you post 5 things that most people don't know about you. I've been tagged a few times on my other blogs, and seeing as I've been writing mostly dry, technical posts here recently, I thought I'd cross-post my 5 over here.

1. I nearly quit my undergrad Computer Science degree in final year as I'd only attended 7 hours of lectures (out of about 300 hours). Amongst other reasons my girlfriend became agoraphobic...
By cathal connolly on 1/14/2007 12:00 AM
This year I've been asked to take on the roles of Core Team Trustee / Security Manager. I'll not discuss the Trustee role too much as this details them well, but I'd like to chat about the Security Manager role a little.

The security manager role formalises what I've been doing in an informal fashion over the past few years. Some of my key responsibilities include:

Regularly review the code for any potential issues introduced, or any that surface due to new/popular attack vectors. ...
By cathal connolly on 12/30/2006 12:00 AM
Since my blog post the other day there have been a number of emails/posts with various questions, so I thought I'd aggregate the answers here to help those curious about further details.

Q. Now that skins support dynamic doctypes, will my existing skins work, or do I need to create the new xml file for skins to work?

A. No, if there's no xml file, then we will continue to use the legacy doctype declaration, so you don't have to make any changes to your existing skins.

Q. Why did you do it...
By cathal connolly on 12/27/2006 5:00 AM
Whilst the 4.4 release predominantly focussed on performance and optimisation, there were a number of other enhancements added to the release (as always the changelog is the best place to view changes). One of these, that should be of interest to skinners and those interested in accessibility standards & xhtml compliance, is support for skin level doctypes.

Historically, if you wanted to target your skin/container for a particular version of html/xhtml, you had to manually edit the default.aspx...
By cathal connolly on Saturday, December 02, 2006 12:00:00 AM
The newly released 3.3.7/4.3.7 versions contain a fix for a medium security issue where anonymous users could gain access to vendor details, and create, delete and update them. There are some mitigating factors, i.e. for this issue to have an effect you would have to have enabled vendors and be using the banners module, but we advise all users to update to the latest versions. The issue can also be resolved by running a sql script to update the appropriate database record; please read the bulletin for further details.

...
By cathal connolly on Friday, November 17, 2006 5:00:00 AM
The newly released 3.3.6/4.3.6 versions contain a number of security fixes. These were brought to our attention by David Kirby & Christiaan Mellars of Risborrow Information Systems Ltd. One of the bulletins discusses an issue rated as critical and the other discusses two problems fixed as part of a To fix these issues you are recommended to update to either 3.3.6 or 4.3.6.

You can read more...
By cathal connolly on 10/24/2006 12:00 AM
Early today Google released Co-op, a way to create your own custom search engine, using Google's search engine to index pages and websites you select. It's pretty easy to set up, and you only need to add a bit of code to your website/blog to use the search.

However, if you're an IE7 user, you can also use their support for search providers to point your searches to your co-op search engine. Joe blogged about a useful site for automatically creating search providers recently, and I noticed that a community member, Daniel Struves, has already set up an engine, so a quick trip to here,...
By cathal connolly on Sunday, September 17, 2006 4:00:00 AM

The newly released 3.3.5/4.3.5 versions contain a fix for an HTML code injection vulnerability that was brought to our attention by Roberto Suggi Liverani & Antonio Spera of Secure Shapes. To fix this issue you are recommended to update to one of those two versions.

You can read more detail about this issue here.

By cathal connolly on Monday, August 28, 2006 12:00:00 AM
This is such a common question in the blog forums I thought it was worth a blog entry of its own. The confusion stems from the fact that most people assume it will be a value that you can change via the module settings, and when they don't find it there, they assume it can't be changed. However, it's actually exposed as a localizable field, which is a better practice than creating a module specific setting (typically I'd recommend that you expose all rarely changeable fields such as text labels, error messages...
By cathal connolly on Tuesday, August 08, 2006 12:00:00 AM

Just a short note to let people know that work has begun again in earnest on the blog module. Previously Hans-Peter has virtually single-handedly done all the work on this module, but is taking a break at the minute, so a few other members of the team are getting up to speed, and hope to squash a few bugs and add some commonly asked for features.

By cathal connolly on Monday, August 07, 2006 12:00:00 AM
We've just updated one of our recent security bulletins (DNN 2006-1-M) with some additional advice. The bulletin contained two suggestions to fix the issue. The first suggestion, updating the portal to the latest version (3.3.4/4.3.4) is still the recommended option.

The second suggestion was to replace the default freetextbox (FTB) htmlprovider with an alternative provider such as FCK. However, the bulletin should also have contained advice to remove the FTB editor provider and associated dlls....
By cathal connolly on 8/3/2006 12:00 AM
The new versions of DotNetNuke, 3.3.4 & 4.3.4, have just been released. As well as fixing a number of issues (check the roadmap for details), two security problems were fixed. We've released security bulletins for both these items that detail the problems, as well as the DotNetNuke versions affected. You can find links to both bulletins as well as the security policy itself here. The first of the bulletins, DNN 2006-1-M,...
By cathal connolly on 7/28/2006 12:00 AM
Recently a community member, Chris Smith from netdatadesign, was kind enough to put together some really useful additions to the documentation in the form of a CHM containing database documentation and a visio file detailing the ERD. You can find copies of both of these on the project documentation page.

If you're using XP, when you download the CHM don't forget to right click on it, go to properties and press 'unblock', and for those without Visio you can download a copy of the free Visio Viewer...
By cathal connolly on Wednesday, July 19, 2006 12:00:00 AM
Recently we added a couple of new guides to the documentation download you can find here, that should be of interest to both developers and people who deploy DotNetNuke installations. The first, "Hardening DotNetNuke Installations.pdf", explains some of the areas where users can harden the security model of DotNetNuke installs. It contains advice for both planned installs ("preinstallation hardening") and existing installations ("post-installation hardening").

The second "Secure Module Development.pdf",...
By cathal connolly on 6/28/2006 4:00 AM
Sometimes you'll see us use the phrase 'eating our own dogfood' or 'dogfooding' when we're testing a new DotNetNuke build. Odd though this phrase may seem, it's not uncommon in the IT industry; in fact Microsoft are often credited with inventing it. Wikipedia have a good description of its purpose and benefits, but in DotNetNuke terms it refers to us upgrading the dotnetnuke.com site to test a proposed release.

You may be wondering how come if we have so many testers, coreteam members, project...
By cathal connolly on 6/21/2006 4:00 AM
Back in the early days of DotNetNuke (1.08 from memory), a community member came forward with the series of changes needed to make DotNetNuke ADA-508 compliant. These were merged into the codebase and for a couple of releases the core was fully compliant. Maintaining core compliance wasn't too difficult, as in those days the ability to change look and feel was relatively limited (you had to hack the files directly in most cases).

With version 2.0 and the introduction...
By cathal connolly on 6/19/2006 4:00 AM
Webpage contents can be cached in a number of different places including the browser making the request, the Web server responding to the request, and any cache-capable devices, such as proxy servers, that are in the request or response stream. In asp.net the HttpCacheability Enumeration has a number of different settings with ServerAndNoCache being the one that was hardcoded into DotNetNuke. This setting ensured that content was...
By cathal connolly on 5/4/2006 8:00 AM
*** Note: This is not a DotNetNuke vulnerability; the issue exists in modules developed by an independent developer, www.dnn-modules.com ***
By cathal connolly on 4/19/2006 4:00 AM
I'm glad to see someone at Microsoft realised the notion of making most of the Express product line free for download for only a year was a poorly planned marketing snafu, and today updated the FAQ for the Express products making them free forever. As the Express products are great for RAD development of modules, as well as getting up to speed quickly via the very handy starterkits,...
By cathal connolly on 3/20/2006 5:00 AM
I'm just back after 6 weeks holiday travelling around south-east Asia. Before I left, I let the other coreteam members and my project teams know I'd be away, but it never occurred to me to spread the word any further.

At the minute I'm wading my way through 7,000+ emails, and was surprised by the number of community members who either have found my email address or are relaying email enquiries through various blogs or forums. Hopefully most of you got my out-of-office reply, but if not, I'll get answers out...
By cathal connolly on Thursday, December 01, 2005 5:00:00 AM
A common security problem for web applications is cross-site scripting (XSS). Cross-site scripting attacks are usually created when some user input is rendered as part of the output of a page. In DotNetNuke we have a number of core functions which are used to help detect and protect against XSS attacks, but due to the large number of different browsers, with different exploits and the ability to encode and disguise an XSS attack, it's difficult to protect against all of them (a recent survey recorded 90+ variants)....
By cathal connolly on 11/10/2005 5:00 AM
At the vs.net2005/sql2005 launch event in Dublin tomorrow, there will be a few additional tracks in the afternoon. I'm doing one on Business Intelligence in SQL 2005, so Microsoft offered to let me do another session on DotNetNuke. They were delighted when they found out that we had a 2.0 compatible version, and are going to be plugging Charles' excellent work on the starter kit in the keynote speech.

I've put together a session...
By cathal connolly on Tuesday, November 08, 2005 5:00:00 AM
In ASP.NET 1.1 persistent cookies are created via FormsAuthentication.SetAuthCookie, which doesn't have a setting to specify how long before the cookie expires. The cookie is actually created with a rather optimistic (and frankly insecure) 50 year expiration date.

This has been changed in asp.net 2.0, and now persistent cookies take their lifetime from the timeout value in the node in the web.config. As this value is set to 60 in the default dotnetnuke web.config, this is the value that will be used to determine how long a persistent cookie lasts for (note: the default value for forms authentication is 30 minutes if it's not specified).

...
By cathal connolly on 10/15/2005 4:00 AM
For a long time, sites such as Monster have had lots of Dotnetnuke opportunities, but Ireland has lagged behind much of Europe and the US in moving to .Net. Lately though, we've been catching up well, with substantial numbers of companies moving to the framework.

I know there's a lot of Dotnetnuke interest locally, as after giving talks in Belfast and Dublin, I was approached by a number of Irish individuals...
By cathal connolly on Wednesday, October 12, 2005 3:00:00 AM
This question was asked on the forums recently. The short answer is no. In the web.config we've enableViewStateMac set to "true". This appends a hashcode to the end of every viewstate to prevent tampering. Whilst this error can be thrown for a number of legitimate reasons,...