New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.

Security manager report card 2007-2008

About this time last year I took on the role of Security Manager, an area I had been informally doing for a while up to that point. The past 12 months has flown by and I thought it might be of interest to the community to do a bit of analysis and see how I and the rest of the dotnetnuke security team has performed in this area since it was formalised, and see where we can improve for 2008 and beyond. I've pasted my original planned tasks below, and added notes in italics below the items to give an update.

1. Regularly review the code for any potential issues introduced, or any that surface due to new/popular attack vectors

I only managed one full-scale audit of the core code during 2007, along with a series of smaller reviews on particular areas,but I expect to do an indepth review of the core as the new Cambrian items will introduce a lot of change.

2.Act as 'point-man' for security related issues i.e.any mails directed to [email protected]. The emails we receive typically fall into a few categories 

    Reports of suspected hacks - from time to time people email in when their site has been hacked to see if the problem was dotnetnuke related. Typically I examine the exploit payload/vandalised pages, site contents and IIS logs and see if the issue was in the core or other 3rd party modules (note: almost without exception the hacks are not dotnetnuke related, typically they are server related usually due to missing windows patches)
    Validate vulnerability assemements/penetration reports - sometimes we receive these when a site owner employs a 3rd party to assess their site. I read these, and validate whether the issues are genuine, if they have mitigating factors, and whether they can be fixed. In some cases genunine issues do turn up, at which point we fix the issue and release a bulletin as usual.Users wanting answers to security related questions that they/clients require

 We received over 280 emails and sent out almost 200, mostly dealing with queries about security and reported hacks. As usual almost all of these hacks turned out to be missed patches, default configurations or 3rd party modules. However, we also received 2 major audits, as well as half a dozen smaller audits/reported issues in core code or modules. To date all issues have been resolved. Note: in 2007 we had 1 issue rated as low, 2 medium and 1 critical.

In some cases we also received requests for security enhancements, a number of which ended up in core code, with some still on the table to be added in future releases.

3. Add to and maintain our security documentation (latest versions are available here)

The documentation is overdue an update. I have a number of errata and addition's (in many cases suggested by the community or other core team members)that I will be adding shortly, ideally by end of Q1 2008. I did also get the opportunity to deliver sessions on DotNetNuke security at both SDN and Devconnections. The slides I used there as well as demo script steps will be released once I get a chance to tidy them up.

4. Perform security audits of any projects added to the project tracker. This has worked well, with a number of issues being caught before release already.

This has turned out to be the most time consuming task, with a few dozen audits being performed in 2007. As the project teams have gained experience in this area, the number of failures has dropped, but it continues to be a key area as web vulnerabilities evolve.

5. Plan out security related enhancements. This year I'd like to look at a few areas including :

  • adding page level SSL support
  • enhancing security options in the core
  • breaking out our InputFilters into a provider, so that admins can plug in updates/alternatives easily (diversity is always a plus in the security world)
  • now we've moved to a pure 2.0 codebase, theres a number of 2.0 specific enhancements that will be added in the next releases.
  • adding an application level filter that can block user access based on selected criteria such as user agent or IP.

Despite being a developer in my day job, I probably spent less time coding than any other task, though I did add a few enhancements (checks for default username/password combinations, additional filtering , enhanced XSS checks). Happily a number of these areas were addressed (SSL and application level filtering) by other team members. I'll be submitting a few items as part of our scope planning for Camrian, so hopefully we'll continue to enhance this area.


Comment Form

Only registered users may post comments.


Aderson Oliveira (22)
Alec Whittington (11)
Alessandra Davies (3)
Alex Shirley (10)
Andrew Hoefling (3)
Andrew Nurse (30)
Andy Tryba (1)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (37)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Bogdan Litescu (1)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (213)
Chris Paterra (55)
Clint Patterson (108)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (181)
Daniel Valadas (48)
Dave Buckner (2)
David Poindexter (12)
David Rodriguez (3)
Dennis Shiao (1)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (80)
Francisco Perez Andres (17)
Geoff Barlow (12)
George Alatrash (12)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (274)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Kelly Ford (4)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matt Rutledge (2)
Matthias Schlomann (16)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (40)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Oliver Hine (1)
Patricio F. Salinas (1)
Patrick Ryan (1)
Peter Donker (54)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Sacha Trauwaen (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott Schlesier (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Steven Fisher (1)
Timo Breumelhof (24)
Tony Henrich (3)
Torsten Weggen (3)
Tycho de Waard (4)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (40)
Will Strohl (180)
William Severance (5)
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out