DNN Blog
Posted by:
cathal connolly
Wednesday, April 11, 2007 4:23:00 AM
A new version of the forums module, 03.20.09, has just been released to address some critical security issues. The vulnerabilities that have been fixed were all cross-site scripting (XSS) issues, where malicious users could potentially inject dangerous HTML and JavaScript into forum content.
The updated module has been packaged as part of the newly released DotNetNuke 4.5.0 Install and DotNetNuke 4.5.0 Source packages that can be found on the download page (note: the updated module release is not in the DotNetNuke 4.5.0 Upgrade package as it does not contain updated module versions). For users who wish to only update their forum module, the updated version is also on the download page in the DotNetNuke® Projects (New Releases) section.
Publishing security bulletins is a difficult task, as we have to walk a thin line between providing users with sufficient information to determine if they need to update, and avoiding providing potential crackers with enough information to help them hack sites before the site owners have the opportunity to update. In this case, as a number of the forum issues are being actively exploited "in the wild", we are advising all users of the forums module to update to the latest version as soon as possible, as well as providing a higher level of detail in this post than most of our bulletins.
We first became aware of one of the forum XSS issues when some hackers used it to inject JavaScript into the forums on dotnetnuke.com. The JavaScript executed when certain posts were read, and allowed the hackers to capture a small number (fewer than 10) of users' authentication cookies. This allowed the hackers to copy the cookies into their browser cache and access the dotnetnuke.com site as though they were the users themselves. We were contacted by a number of these users who had their details altered, and began to track down the issue. A number of database scripts were run to neutralise the attack vector and remove the XSS scripts, and the forums team began to work on an update to the module. A security audit was then performed and another variant was discovered (which to date has not been found to be in use by malicious users), which again the forums team promptly fixed.
The impact of the hack was relatively limited, as we were able to utilise some ASP.NET/DotNetNuke features to minimise the effects, i.e.:
- DotNetNuke uses the HttpOnly attribute to protect cookies against XSS attacks. This meant that users of Internet Explorer 6.01 or above were immune to the attack. However, users of other browsers such as Firefox/Opera were at risk.
- We use a short forms authentication timeout on dotnetnuke.com (the timeout value on the forms node). This ensured that captured cookies would expire in a short time period, reducing the usefulness of the attacks.
- We edited the web.config file on dotnetnuke.com and changed the name of the forms authentication cookie (its default value is ".DOTNETNUKE"). This has the effect of expiring all cookies, because cookies issued under the old name can no longer authenticate against the domain. This ensured that any additional user authentication cookies captured were rendered useless. As the cookies are encrypted and cannot be tampered with, the hackers could not extract any useful information from them.
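The three mitigations above correspond to settings under `system.web` in web.config. The fragment below is an added illustration, not dotnetnuke.com's actual configuration: the new cookie name and both timeout values (in minutes) are assumed placeholders, and only the default name `.DOTNETNUKE` comes from this post.

```xml
<!-- Added illustration; all values except the default cookie name are assumptions. -->
<configuration>
  <system.web>
    <!-- Mark cookies issued by the application as HttpOnly, so that script
         running in a browser that honours the attribute cannot read them. -->
    <httpCookies httpOnlyCookies="true" />

    <authentication mode="Forms">
      <!-- Before: default cookie name with a long ticket lifetime (assumed value).
           <forms name=".DOTNETNUKE" protection="All" timeout="60" />
      -->
      <!-- After: a new cookie name, so the site no longer reads tickets sent
           under the old name, and a short timeout (in minutes), so a captured
           ticket stops working soon after it was issued.
           protection="All" keeps the ticket both encrypted and validated. -->
      <forms name=".PLACEHOLDER_NEW_COOKIE_NAME"
             protection="All"
             timeout="15"
             slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
```

Changing the cookie name signs every user out, so expect a wave of fresh logins after deploying it. Regenerating the `machineKey` validation and decryption keys is a further way to invalidate tickets that were already issued; the post does not say this was done.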
As the hacking attempt was discovered quickly, and the XSS strings erased from the dotnetnuke.com database, only a small number of users had their cookies captured. All of these were notified by email, and replied. If you did not receive an email from us, your details are secure.
I'd like to extend my thanks to the small group of forum users who demonstrated admirable community spirit in both reporting the issue to us, and keeping the details to themselves as we audited, fixed and tested the updated forums version. I'd also like to thank the forums team, particularly Chris Paterra, for their hard work on this issue. Despite being at a critical point of the development cycle for the 4.4 version of the module, they immediately stopped development on it and created and tested the 03.20.09 release under very tight time conditions (note: they've rolled the changes in this updated version into the forthcoming 4.4 version which is going through the release process at present).
**Edit: It appears SourceForge are having some issues propagating the forums update package around their mirrors. The following mirror can be used until the issue resolves itself.**
8 comment(s) so far...
Re: Forums module updated to address security issues
The Sourceforge link does not work. It does work for other files in the download list, so something is wrong with this particular link.
By ddbi on
Wednesday, April 11, 2007 6:10:57 PM
|
Re: Forums module updated to address security issues
The sourceforge package was only uploaded last night, so it's still propagating around the various mirrors. The superb-west mirror is available @ http://sourceforge.net/project/downloading.php?group_id=77052&use_mirror=superb-west&filename=Forum_03.20.09_Install.zip&15136270 currently, as well as a number of others; I expect the rest will get it in the next few hours.
By cathal on
Wednesday, April 11, 2007 6:15:50 PM
|
Re: Forums module updated to address security issues
Great work by all those involved!!
By forest on
Wednesday, April 11, 2007 8:46:25 PM
|
Re: Forums module updated to address security issues
The DNN community is lucky to have such a skilled and professional security team onboard. Kudos!
By SamTanner on
Thursday, April 12, 2007 10:42:29 AM
|
Re: Forums module updated to address security issues
Thanks for the info! It is nice to be kept current on security risks!
By RockyMoore on
Thursday, April 12, 2007 8:41:55 PM
|
Re: Forums module updated to address security issues
Would be great if I could get the download to work.
By JasonBunting on
Thursday, April 12, 2007 10:48:54 PM
|
Re: Forums module updated to address security issues
Jason, see my comment above about sourceforge still propagating the release. You can download it via the direct link I provide or by downloading the 4.5 install or source packages.
By cathal on
Thursday, April 12, 2007 10:51:32 PM
|
Re: Forums module updated to address security issues
I'm sorry that the forums got hacked. I tried to raise this issue over a year ago. See posts from 2/7/2006 at http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/8/threadid/11753/threadpage/1/scope/posts/Default.aspx
At one point I even posted an angry tirade about the XSS vulnerabilities in the forum module that did not get past forum moderation. I wasn't rude, but I was trying to raise awareness.
At that time there was no XSL filtering being performed in the forum module. I also posted in other forums for other modules that I expected were often being used for public access, like FAQ - http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/28/threadid/12773/scope/posts/Default.aspx
Cathal, if you want to know about the techniques we used to harden the forum module for WildVoice.com feel free to send me an email.
By michaelplevy on
Tuesday, April 17, 2007 5:57:57 PM