Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does DotNetNuke have validation disabled?

Tags:

security

asp.net

dotnetnuke

Can anyone shed some light on why DotNetNuke comes configured with request validation and event validation disabled? They’re both off at the web.config level for a default install which seems to be a regressive approach. Are there any sound reasons for this and what is the functional impact on DotNetNuke if they’re turned back on?

Obviously appropriate input validation should be happening in code anyway but the native .NET framework behaviour is always a nice fallback.

Update: further thoughts on this in Request Validation, DotNetNuke and design utopia

like image 208
Troy Hunt Avatar asked Feb 25 '10 01:02

Troy Hunt

2 Answers

It turns out the folks at DotNetNuke have disabled this in order to facilitate submission of HTML content through rich text controls. Turning off both request and event validation are by design.

I would have preferred to see this done at the page level where required. Global validation in no way absolves the developer from validating input at each point where it’s captured but I still maintain having this feature is good insurance and disabling it does create a risk. I’d be very interested to see how many DNN sites out there have XSS vulnerabilities as a result of no global validation combined with poor development practice.

like image 65
Troy Hunt Avatar answered Sep 18 '22 12:09

Troy Hunt

Global validation of all input is a bad practice. Like most applications DotNetNuke works on a by function by function basis for input validation.

The creation of a vulnerable code is highly dependent on how the user input is being used. For instance SQL Injection and XSS both rely on very different control characters. SQL injection can be caused by not filtering one of three characters '"\, where as most XSS is caused by not filtering <>. SQL Injection can also be caused by not using control characters, for instance this code is vulnerable to SQL Injection because it doesn't have have quote marks around id:

SqlCommand("SELECT username FROM users where id="+id)

Global input validation such as magic_quotes_gpc under PHP will also fail to prevent this type of attack, and that is one of the reasons why its being removed in PHP6.

like image 45
rook Avatar answered Sep 17 '22 12:09

rook
Sign in to Comment

Related questions

How do you render a User control from a ashx or webservice?
Access denied reading Perfmon counters from a remote machine (Asp.Net)
Using FindControl: Accessing Controls in a Formview
Popup window, how to Hide URL bar in IE8
ASP.NET date and time picker?
ASP.NET MVC route returning 404 without action
ASP.NET DataSource Control "does not have a naming container" exception
Specifying a custom configuration file for CKEditor
Deploying ASP.NET web application
ASP.NET Chat with WCF
ASP.NET MVC wants me to store my SQL Server database files in the App_Data folder -- should I?
asp.net: DetailsView control not interpreting html
What is gpstate file in ASP.NET
How to set the RowStyle of a GridView row depending on a property of the Object that the row is being bound to
Cached item never expiring
JQuery Live() not working
How to assign a value from a C# static method to a label
How to run cleanup code after a call to Crystal Reports ExportToHttpResponse method?
ASP.NET MVC - Get ViewContext from helper method
Flexible ACL in ASP.NET

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!