DNN Blog
Posted by:
cathal connolly
7/31/2008 9:35 PM
Recently we've received a number of emails to the security@dotnetnuke.com alias from users whose sites have suffered from SQL injection, enquiring whether DotNetNuke has any SQL injection issues. The short answer is no. For SQL injection attacks to work, the code typically needs to execute dynamic SQL, i.e. SQL statements that are built up via concatenation and executed directly against the database, or else within a stored procedure that executes the statement via EXEC or sp_execute. As a matter of policy we avoid both of those approaches and instead only use stored procedures with parameters, so default installations of DotNetNuke and any core modules are not vulnerable to SQL injection attacks.
So far all the instances we've been aware of have tracked their problem to the recent automated SQL attack that's been plaguing sites of all types and technologies (Microsoft have some good analysis of the problem here), so if you're experiencing issues I'd recommend you check out any legacy sites and 3rd party modules.
There are a number of tools that can help mitigate SQL injection, including code review tools and filters to stop typical injection attacks. There's a good list of tools and capabilities worth checking out here.
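As an added illustration (not code from this post or from DotNetNuke), the following Python script contrasts the two patterns the paragraph describes: a query built by string concatenation against one that passes the value as a bound parameter. It uses an in-memory SQLite table named Tabs as a constructed stand-in for a CMS page table (not DNN's schema), and adds the strict integer check that the thread later mentions for the mid querystring value; the hostile input is a constructed tautology appended to a querystring value.

```python
import re
import sqlite3

INT_PARAM = re.compile(r"-?\d+")


def make_db():
    """Constructed in-memory table; a stand-in for a CMS page table, not DNN's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tabs (TabID INTEGER PRIMARY KEY, TabName TEXT)")
    conn.executemany("INSERT INTO Tabs VALUES (?, ?)",
                     [(1, "Home"), (2, "Admin"), (3, "Private")])
    conn.commit()
    return conn


def get_tab_dynamic(conn, tabid):
    """The pattern the post warns against: the querystring value is concatenated
    into the statement text, so whatever the client sent is parsed as SQL."""
    sql = "SELECT TabName FROM Tabs WHERE TabID = " + str(tabid)
    return [row[0] for row in conn.execute(sql)]


def get_tab_parameterized(conn, tabid):
    """The pattern the post describes DNN using: the value is bound as a
    parameter and is only ever compared as data, never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT TabName FROM Tabs WHERE TabID = ?", (tabid,))]


def parse_int_param(raw):
    """Strict parsing for querystring values that must be integers (tabid, mid).
    Anything else raises before a query is even built, which is the exception
    behaviour the comments describe for mid."""
    if not INT_PARAM.fullmatch(raw.strip()):
        raise ValueError("expected an integer querystring value, got %r" % raw)
    return int(raw)


def demo():
    conn = make_db()
    benign = "2"
    hostile = "2 OR 1=1"  # constructed tautology appended to a querystring value
    results = {
        "dynamic_benign": get_tab_dynamic(conn, benign),
        "dynamic_hostile": get_tab_dynamic(conn, hostile),
        "param_benign": get_tab_parameterized(conn, parse_int_param(benign)),
        # binding the hostile string compares TabID against the whole text value
        "param_hostile": get_tab_parameterized(conn, hostile),
    }
    try:
        parse_int_param(hostile)
        results["strict_int_rejects_hostile"] = False
    except ValueError:
        results["strict_int_rejects_hostile"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-28s %r" % (name, value))
```

Running it shows the concatenated query returning every row for the hostile input while the parameterized query returns nothing, and the integer check rejecting the value outright; the same distinction holds for a stored procedure called with typed parameters versus one that concatenates its arguments into a string and hands it to EXEC.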
16 comment(s) so far...
Re: is DotNetNuke vulnerable to sql injection?
I've actually seen quite a few SQL Injection attempts on my personal site lately (4.8.4), they're attaching any querystring parameters they can locate. I've had no intrusions so far.
By christoc on
7/31/2008 10:59 PM
Re: is DotNetNuke vulnerable to sql injection?
@christoc, that's the automated work, it uses search engines to find pages and then appends the sql injection attempt to the querystring - usually without dotnetnuke you see default.aspx?tabid=xx&DECLARE...rest of sql injection or else linkclick.aspx?tabid=xx&DECLARE...rest . DotNetNuke is not vulnerable to either of these.
By cathal on
7/31/2008 11:00 PM
Re: is DotNetNuke vulnerable to sql injection?
I have a site drawing some interest, but it's using (attempting) the document module. It looks like: /LinkClick.aspx?fileticket=ZmIogdlv%2Fp4%3D&tabid=58&mid=453;DECLARE%20@S%20VARCHAR.
Anyone encountered this?
By cjsmitty on
8/1/2008 4:17 PM
Re: is DotNetNuke vulnerable to sql injection?
We checked a fresh DNN installation (4.8.4) using IBM AppScan these days ... and I couldn't find any issues.
By bbhermann on
8/1/2008 4:17 PM
Re: is DotNetNuke vulnerable to sql injection?
Yeah, our website had the same experience of the sql injection.
By sunwangji on
8/1/2008 4:17 PM
Re: is DotNetNuke vulnerable to sql injection?
@cjsmitty, that's very much like the majority of attempts we've had reports of, it's nothing to worry about and doesn't work (AFAIR the mid querystring value also expects an integer so it causes an exception).
By cathal on
8/1/2008 4:18 PM
Re: is DotNetNuke vulnerable to sql injection?
This is one reason that I use ListX for most database access. It does have some tools to deal with sql injection.
/DaveS
By DavidWSnow on
8/4/2008 3:24 PM
Re: is DotNetNuke vulnerable to sql injection?
Are the querystrings in IFrame modules exposed to this attack?
By plord on
8/6/2008 4:51 PM
Re: is DotNetNuke vulnerable to sql injection?
@plord, no - no core dotnetnuke module, including iframe, is at risk from sql injection.
By cathal on
8/6/2008 4:52 PM
Re: is DotNetNuke vulnerable to sql injection?
I'm noticing a ton of these, plus something that seems to take every page of my site and looks for either "test.aspx" or "~AppScan". Not sure what's occurring but I've been told not to worry about it. It's more a factor that my Event Log gets clogged up with maybe 3 dozen of these things per day.
By MarkHGordon on
8/27/2008 10:07 AM
Re: is DotNetNuke vulnerable to sql injection?
@MarkHGordon, AppScan is a popular vulnerability scanner usually used by organisations to check that their sites don't suffer from known issues. Judging by the term "AppScan" either someone inside your organisation is using it legitimately or someone external is deliberately scanning your site looking to hack you - i.e. it's not a sql injection attack you need to worry about but rather a more focussed probe.
By cathal on
8/27/2008 10:10 AM
Re: is DotNetNuke vulnerable to sql injection?
Cathal,
Thanks. I'm getting the SQL Injections plus the AppScan stuff so I thought they were one and the same.
My county IT department is trying to say that my selection of internet is a security risk (for some reason they just don't like us), so I know they've been trying to hack into it, probably to prove their point of view. I'm hoping DNN 4.8.4 is secure enough that it rebuffs them.
Can you tell they have no love for us? :-)
Thanks,
Mark
By MarkHGordon on
8/27/2008 6:44 PM
Re: is DotNetNuke vulnerable to sql injection?
Could we use SiteUrls.config to create a re-write rule to filter this junk from getting into our sites? We don't think that we need them crashing the application and generating error messages in DNN and Windows event logs.
By bcasson on
9/2/2008 2:35 PM
Re: is DotNetNuke vulnerable to sql injection?
@bcasson, yes this is possible. If I get some time I may work on this and blog the results but I have other items I have to finish first. In future please only post 1 comment, I did not enjoy having to delete 21 duplicates.
By cathal on
9/3/2008 3:49 PM
Re: is DotNetNuke vulnerable to sql injection?
Is anyone using UrlScan version 3.0 RTW? I believe if configured correctly it would filter a lot of those attempts. http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1697
By penra on
9/11/2008 9:37 PM
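As an added example (not code from the post, from DotNetNuke, from UrlScan or from any commenter), the following Python script shows the defensive side of what bcasson and penra are asking about: it reads IIS W3C log lines, URL-decodes the querystring and flags requests that carry the dynamic-SQL keywords the post names (DECLARE, EXEC, sp_execute and its variants) or a non-integer value in a parameter that should be an integer (mid, as cathal notes above; treating tabid the same way is an assumption). The log lines are constructed, using documentation IP ranges, and the flagged requests are counted per client so the event-log clutter MarkHGordon describes can be attributed to its sources.

```python
import re
from urllib.parse import unquote_plus

# Dynamic-SQL keywords the post names as the vehicle for injection; sp_execute\w*
# covers both sp_execute and sp_executesql.
SQL_KEYWORDS = re.compile(r"\b(DECLARE|EXEC|sp_execute\w*)\b", re.IGNORECASE)

# Querystring parameters expected to be integers. mid comes from cathal's comment
# in this thread; treating tabid the same way is an assumption.
INT_PARAMS = {"tabid", "mid"}
INT_VALUE = re.compile(r"-?\d+")

# Constructed IIS W3C log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-08-01 16:17:00 192.0.2.10 GET /LinkClick.aspx "
    "fileticket=ZmIogdlv%2Fp4%3D&tabid=58&mid=453;DECLARE%20@S%20VARCHAR 500",
    "2008-08-01 16:18:00 192.0.2.10 GET /default.aspx tabid=12&DECLARE%20@S%20VARCHAR 500",
    "2008-08-01 16:19:00 198.51.100.7 GET /default.aspx tabid=12 200",
    "2008-08-01 16:20:00 198.51.100.7 GET /default.aspx tabid=12&mid=abc 500",
    "2008-08-01 16:21:00 203.0.113.5 GET /test.aspx - 404",
]


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def inspect_query(raw_query):
    """Return the reasons a querystring looks like an injection probe (empty list = clean)."""
    reasons = []
    if raw_query in ("", "-"):
        return reasons
    decoded = unquote_plus(raw_query)  # inspect what the application would actually see
    if SQL_KEYWORDS.search(decoded):
        reasons.append("sql keyword in querystring")
    for pair in decoded.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() in INT_PARAMS and not INT_VALUE.fullmatch(value):
            reasons.append("non-integer %s=%r" % (name, value))
    return reasons


def find_probes(lines):
    """(client ip, uri stem, reasons) for every request flagged by inspect_query."""
    hits = []
    for rec in parse_w3c(lines):
        reasons = inspect_query(rec.get("cs-uri-query", "-"))
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


def count_by_ip(lines):
    """How much of the noise each client produced; useful when triaging event-log clutter."""
    counts = {}
    for ip, _, _ in find_probes(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, stem, reasons in find_probes(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
    print(count_by_ip(SAMPLE_LOG))
```

The same two conditions (SQL keyword in the decoded querystring, non-integer value for an integer parameter) are what a SiteUrls.config rewrite rule or a UrlScan deny rule would express; checking the decoded form matters because the probes in this thread arrive percent-encoded. Note that the constructed /test.aspx line is a path probe of the kind MarkHGordon mentions, not querystring injection, so it is deliberately not flagged by this check.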
Re: is DotNetNuke vulnerable to sql injection?
I was just hit with one. It inserted a script tag going to yahoosite.ru/index.js into the ControlSrc field of every entry in the ModuleDefinitions table. Messed up the whole site. There were a bunch of core tables affected, but the only 3rd party module that was affected was the ***module name removed by moderator - please inform the vendor separately *** module. Could be a hole in the security.
By Derek Gentry on
10/26/2009 9:48 PM