Urgent Forum Security Information (DotNetNuke Core Forum) 

As you all have noticed from my post above, today I identified an issue with a JavaScript exploit on the forums module. This blog will give you step-by-step instructions on a few simple additions to the word filter that should prevent you from being affected by the exploit.

NOTICE: I have identified this exploit and I have notified the DotNetNuke core team regarding what happened to my site.  I do not know the scope of this issue, however, since I have identified a workable solution I wanted to be sure to share it with the community as soon as possible.

My recommended solution is to add word filters to remove potentially harmful pieces of code and to replace them with non-harmful text.  This is not the most elegant solution as the display to the users might be a little unusual, however this will ensure that your forums are not exploited in a manner that would be harmful.

The following is a listing of the recommended match and replacement text. My recommendations are to prevent the insertion of JavaScript and JavaScript only; you can continue and add other replacements if you have other input that you would like to prevent. You can put anything you desire as the replacement text, but I recommend that you use the exact match text to ensure the best possible matching. After this listing I will show you how to use the forums admin to set these values in the system.

| Match Text | Replacement Text |
| --- | --- |
| `<script` | Begin Script |
| `</script>` | End Script |

To add these to the word filter in the forums module you must be logged in as an administrator, then follow the steps below.

  1. From the SolPart action menu select "Forum Administration"
  2. Click on the link for "Word Filter"
  3. Click on "Add Word"
  4. In the "Word to filter" box type the item listed in the "Match Text" listing above
  5. In the "Word to replace" box type the item listed in the "Replacement Text" listing above
  6. Press "Update" to add the word
  7. You will then see the listing of words to filter. You will notice that the word to filter column is blank; this is due to the HTML not being filtered and converted. Do not worry, your input was saved. (The screenshot below shows the display.)
  8. Repeat from step 3 to add additional words

Figure 1: Word Filter Display

By performing the above additions to your forum module you should be able to fully protect yourself from script injection. REMEMBER, as I noted before, these are ONLY my observations, and this process is provided for your information only and does not come with any warranty, expressed or implied, that it will fully protect your site. If you have any questions regarding this post please feel free to e-mail me directly or comment below!

Posted by Mitchel on Thursday, March 29, 2007
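
A small model of the substitution that the match/replacement listing above asks for, plus a check over stored post bodies. This is an added example, not code from the post or from the forum module; the function names, the sample posts and the case-insensitive matching are assumptions.

```python
import re

# Match/replacement pairs taken from the listing in the post.
WORD_FILTERS = [
    ("<script", "Begin Script"),
    ("</script>", "End Script"),
]


def apply_word_filter(text, filters=WORD_FILTERS):
    """Replace every occurrence of each match text with its replacement.

    Assumption: matching ignores letter case. The post does not say how the
    forum module compares text, so confirm this on your own installation.
    """
    for match, replacement in filters:
        text = re.sub(re.escape(match), replacement, text, flags=re.IGNORECASE)
    return text


def find_unfiltered(posts, filters=WORD_FILTERS):
    """Return the ids of posts whose body still contains any match text."""
    hits = []
    for post_id, body in posts:
        lowered = body.lower()
        if any(match.lower() in lowered for match, _ in filters):
            hits.append(post_id)
    return hits


# Constructed sample data: (post id, body) pairs standing in for forum posts.
SAMPLE_POSTS = [
    (101, "Thanks, the upgrade worked for me."),
    (102, "Look at this <script src='x.js'></script> thing"),
    (103, "Mixed case <SCRIPT>/* placeholder */</SCRIPT> entry"),
]

if __name__ == "__main__":
    print("Need review:", find_unfiltered(SAMPLE_POSTS))
    for post_id, body in SAMPLE_POSTS:
        print(post_id, "->", apply_word_filter(body))
```

Running `find_unfiltered` over post bodies exported from the forum gives a list of entries to review by hand after the filter words have been added.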
 

Comments

do you know if the filters work on the forum signature as well?
In addition to being unable to get the core forum to do simple things like allow avatars, move threads, etc.- being unable to secure the forum by disallowing html has made the core forum an "also ran" for me...
Here's hoping the anticipated next version is worth waiting for!

By Dan on Thursday, April 05, 2007 at 7:29 PM

Now that I think about it, I didn't test the signature......

By host on Thursday, April 05, 2007 at 7:29 PM

Mitchel- I'd be surprised if the filters do indeed work against the signatures, that just seems way too well planned for this module. IF it happens that, as I suspect, the allowed html in the signature is exempt from your posted filter/patch- feel free to delete/paraphrase/whatever these comments if you think they contribute to the problem.

However, I don't think I am letting any cats out of the bag on this one. In my recollection, the html vulnerabilities of the forum have been well known since way, way back.

Cheers!

By Dan on Thursday, April 05, 2007 at 7:59 PM

Actually the more I think about it I don't think it would be an issue with the signature, I do not believe that the filters will catch the signature, but due to the method used to save the signature there might be some filtering......

By host on Thursday, April 05, 2007 at 8:01 PM


Content provided in this blog is provided "AS-IS" and the information should be used at your own discretion.  The thoughts and opinions expressed are the personal thoughts of Mitchel Sellers and do not reflect the opinions of his employer.
