DNN Blog

Posted by: Chris Hammond
11/7/2007 1:37 AM

Cathal Connolly's session covers the basic security aspects of DNN and how you can use these functions within your own modules. Here we go:

Is DNN secure? Recent issues were fixed in 4.7.0; Cathal will be blogging about the recent issues and noting them in Gemini over the next few days.

DNN can only be as secure as its own code and the modules installed. Third party modules can be the culprits of security issues, so check with your third party providers.

Top security issues

  • IIS patches not applied
  • Running default, anonymous FTP, passwords that haven't been changed
  • Third Party Components
  • DNN code issues

Security issues are all posted on the DNN security page. Full details aren't listed, so as not to expose how to exploit them, but enough information is given to allow an administrator to understand whether the issue may affect them or not.

The many-eyes theory doesn't work well in practice. Some companies will pay other providers to conduct security audits and provide the results back to the core team.

Web application security: WebCohort reports that 92% of web applications suffer from one or more vulnerabilities, which fall into the common groupings of

  • Cross-site scripting
  • SQL Injection
  • Parameter tampering
  • Cookie poisoning
  • Database server
  • Web Server
  • Buffer Overflow

http://www.imperva.com/company/news/2004-feb02.html

Types of user input:

  • Querystring
  • Form collection
  • Cookies
  • Sessions
  • Server variables
  • Viewstate

Framework protection:

  • Cookies - the authentication cookie is encrypted. The 4.3.5 release separates out the temporary and persistent cookie timeouts.
  • Sessions - not used within the core framework.
  • Server variables - the InputFilter NoMarkup flag is applied wherever they are referenced.
  • Viewstate - uses SHA1 to ensure the viewstate cannot be tampered with, and 3DES encryption to stop it being viewed.

Filtering user input

  • Multiline - not really a security function; replaces CRLF with <br /> tags.
  • NoMarkup - replaces HTML markup with its HTML-encoded equivalent.
  • NoScripting - searches for and strips any suspect HTML from strings.
  • NoSQL - calls a function that searches the string and strips out anything that might be a SQL injection attack.
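As an added example (not code from the post or from the DNN project), here is how a module's save handler would run each field through DotNetNuke's PortalSecurity.InputFilter with the flags listed above, choosing a different combination per field. The instance-method signature InputFilter(string, FilterFlag) and the nested PortalSecurity.FilterFlag enum are assumed to match the DNN 4.x API; the ShoutBoxEdit class and field names are invented for the illustration.

```csharp
// Added example: applying DNN's input filters in a module before data is stored.
// The InputFilter(string, FilterFlag) signature is assumed from the DNN 4.x API.
using DotNetNuke.Security;

public class ShoutBoxEdit
{
    // Body text may legitimately contain line breaks, so MultiLine is combined with
    // the three security flags: no markup, no script fragments, no SQL fragments.
    public static string CleanBody(string rawBody)
    {
        PortalSecurity security = new PortalSecurity();
        return security.InputFilter(rawBody,
            PortalSecurity.FilterFlag.MultiLine |
            PortalSecurity.FilterFlag.NoMarkup |
            PortalSecurity.FilterFlag.NoScripting |
            PortalSecurity.FilterFlag.NoSQL);
    }

    // A display name is a single line; markup and script are never legitimate in it,
    // so only the two content-stripping flags are applied.
    public static string CleanName(string rawName)
    {
        PortalSecurity security = new PortalSecurity();
        return security.InputFilter(rawName,
            PortalSecurity.FilterFlag.NoMarkup |
            PortalSecurity.FilterFlag.NoScripting);
    }
}
```

The flags are bitwise-combinable, so one call can apply several filters. Input filtering is a second line of defence: the module should still pass values to the database as parameters and HTML-encode them on output, because a filter that strips known patterns cannot anticipate every encoding.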

Cross Site Scripting

Relies on un-sanitized user input. Malicious script is sent to the app, eventually echoed back to a user's browser, and executes.

Commonly used to gain access to a user's cookie, or for javascript redirects for phishing.

SQL Injection

SQL is injected in the hope of being run when it is added to the database, dropping tables, data, etc.

Filtering User Input Demo

SQL injection demo, deleting comments from a quick shoutbox demo
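As an added example covering both the cross-site scripting and SQL injection notes above (not the session's demo code and not part of DNN), here is a shoutbox data layer with the two defences a module author controls: the vulnerable string-concatenated INSERT beside its parameterized replacement, and HTML encoding when a stored shout is echoed back to the page. The ShoutBox table, its columns and the class names are constructed for the illustration; SqlCommand parameters and HttpUtility.HtmlEncode are standard .NET APIs.

```csharp
// Added example: parameterized SQL on the way in, HTML encoding on the way out.
// Table and column names are constructed for the illustration.
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class ShoutBoxData
{
    // BEFORE: the comment text becomes part of the statement text, so anything in it
    // that looks like SQL is parsed and run as SQL. This is the pattern the demo exploits.
    public static string VulnerableInsertSql(string author, string body)
    {
        return "INSERT INTO ShoutBox (Author, Body) VALUES ('" + author + "', '" + body + "')";
    }

    // AFTER: the values travel as typed parameters. SQL Server never treats them as
    // statement text, so no quoting or escaping of the input is needed.
    public static void SaveShout(string connectionString, string author, string body)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO ShoutBox (Author, Body) VALUES (@Author, @Body)", conn))
        {
            cmd.Parameters.Add("@Author", SqlDbType.NVarChar, 50).Value = author;
            cmd.Parameters.Add("@Body", SqlDbType.NVarChar, 500).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Output side (XSS): stored text is encoded at the point it is placed into HTML,
    // so a script tag in a shout is displayed as text rather than executed.
    // Line breaks are converted after encoding, since HtmlEncode leaves them alone.
    public static string RenderShout(string author, string body)
    {
        return "<div class=\"shout\"><b>" + HttpUtility.HtmlEncode(author) + "</b>: "
             + HttpUtility.HtmlEncode(body).Replace("\n", "<br />") + "</div>";
    }
}
```

Parameterizing the query is what removes the injection, regardless of whether the NoSQL input filter was applied; encoding on output is what removes the reflected script, regardless of whether NoMarkup was applied on input. Both belong in the module even when the framework filters are also used.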

Starter Kit Module Demo

It looks like my battery is about to die so that is all for Cathal's presentation.

My opinion, Cathal is a great speaker, very entertaining for a 6'3" 45 year old blonde female.


Sorry for getting this posted so late. After we left the conference center we headed to dinner and out on the strip. Now I need to do some tweaks on my presentation for tomorrow morning! Another late night in Vegas.


1 comment(s) so far...


OpenForce Blog Posts

As some of you know Myself, Rich and Henry from Engage Software have been at OpenForce07 in Las Vegas this week. OpenForce07 is the first North American DotNetNuke conference, being held this week. ...
# Chris Hammond

By TrackBack on 12/25/2007 1:35 PM