Security Bulletin No. 33

HTML/Script Code Injection Vulnerability

Published: Mar 16, 2010

Version: 1.0

Maximum Severity Rating: Low

Background

DotNetNuke has a search function which redirects to a custom results page.

Issue Summary

The search function itself filters out dangerous script, but code recently added to display the search terms on the results page did not apply that filtering. Although this code filters for common XSS patterns, a variant was found that could bypass the filter, so additional protection has been added.
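As an added illustration (not DotNetNuke's own code, and not the filter the bulletin refers to), the C# below contrasts a hypothetical deny-list filter for reflected search terms with HTML output encoding, which is the robust protection for this class of issue: encoding makes every markup-significant character inert instead of trying to recognise attack patterns.

```csharp
using System;
using System.Net;

// Illustrative example only: two ways a results page might echo the user's
// search term back into the HTML. Neither is DotNetNuke code.
public static class SearchTermRendering
{
    // Hypothetical deny-list filter: strips a few known-dangerous tokens.
    // Anything it does not list, including a benign tag such as <b>,
    // passes straight through and is parsed by the browser as markup.
    public static string DenyListFilter(string term)
    {
        string[] banned = { "<script", "</script", "javascript:" };
        foreach (var token in banned)
            term = term.Replace(token, string.Empty);
        return term;
    }

    public static string RenderWithDenyList(string term)
    {
        return "<p>Your search for \"" + DenyListFilter(term) + "\" returned no results.</p>";
    }

    // Output encoding: '<', '>', '&', '"' and '\'' become entities, so the
    // term is displayed as text regardless of what it contains.
    public static string RenderWithEncoding(string term)
    {
        return "<p>Your search for \"" + WebUtility.HtmlEncode(term) + "\" returned no results.</p>";
    }

    public static void Main()
    {
        // Constructed sample term containing markup characters but no attack.
        string term = "<b>dnn</b> & \"5.2.3\"";

        // The deny list leaves <b>, </b>, & and the quotes untouched, so the
        // browser renders them as markup and the surrounding attribute breaks.
        Console.WriteLine(RenderWithDenyList(term));

        // The encoded version shows the angle brackets and quotes as text.
        Console.WriteLine(RenderWithEncoding(term));
    }
}
```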

Mitigating factors

The expression that could bypass the filter is only exploitable in a small subset of browsers, namely Netscape Navigator 8.1 and Firefox 2.x.

To protect against attacks that attempt to use invalid URLs, users can install the free Microsoft URLScan utility (http://www.iis.net/expand/UrlScan). This is a recommended install, as it offers protection against a number of other URL-based issues that are not specific to DotNetNuke.

Affected DotNetNuke versions

5.0.0 - 5.2.3

Non-Affected Versions

N/A

Fix(es) for issue

To fix this problem, you are recommended to update to the latest version of DotNetNuke (5.3.0 at the time of writing).

Acknowledgments

