Cathal Connely's session is covering the basic security aspects of DNN and how you can utilize these functions within your own modules. Here we go:
Is DNN Secure, recent issues fixed in 4.7.0, Cathal will be blogging about the recent issues and make note of them in Gemini over the next few days.
DNN can only be as secure as the code itself and the modules installed. Third party modules can be culprits of security issues, check with your third party providers.
Top security issues
- IIS patches not applied
- Running default, anonymous FTP, passwords that haven't been changed
- Third Party Components
- DNN code issues
Security issues are all posted on the DNN security page, full details aren't listed as to not expose how to exploit, but enough information to allow an administrator to understand if the issue may effect them or not.
Many eyes theory doesn't work well in practice. Some companies will pay other providers to conduct security audits, and provide results back to the core team.
Web Application Security, Web Cohort report that 92% of web applications suffer from 1 or more vulnerabilities, which fall into the common groupings of
- Cross-site scripting
- SQL Injection
- Parameter tampering
- Cookie poisoning
- Database server
- Web Server
- Buffer Overflow
http://www.imperva.com/company/news/2004-feb02.html
Types of user input, Querystring, form collection, cookies, sessions, server variables, viewstate
Framework Protection - Cookies, authentication cookie encrypted. 4.3.5 release separates out temporary persistent cookie timeouts. Sessions aren't used within the core framework. Server variables, inputfilter.nomarkup userd where referenced. Viewstate, uses SHA1 to ensure viewstate cannot be tampered with, and 3DES encryption to stop viewing
Filtering user input
- Multiline - is really not a security function, replaces CRLF with <br /> tags
- NoMarkup - replaces HTML markup with html encoding equivalent
- NoScripting - search and strip any suspect HTML from strings.
- NoSQL - calls a function that searches string and strips anything out that might be a SQL injection attack
Cross Site scription
Relies on un-sanitized user input. Malicious script is sent to app, eventually echoed back to user's browser and executes
Commonly gains access to a user's cookie, javascript redirects for phishing.
SQL Injection
Sql is injected with hopes of being run when added to a database, dropping tables, data, etc.
Filtering User Input Demo
SQL injection demo, deleted commonts from a quick shoutbox demo
Starter Kit Module Demo
It looks like my battery is about to die so that is all for Cathal's presentation.
My opinion, Cathal is a great speaker, very enteraining for a 6'3" 45 year old blonde female.
Sorry for getting this posted so late. After we left the conference center we headed to dinner and out on the strip. Now I need to do some tweaks on my presentation for tomorrow morning! Another late night in Vegas