SQL injection attack in DNN 6


I have a client site that is getting a load of users registered that are very obviously bogus. The site uses xmod forms on 4 pages, but those forms look to be immune to SQL injection. I thought maybe this was a cross-site scripting attack, but I'm not sure what vector may have been used.

Can anyone tell me, or point me to documentation of, specific attack vectors for DNN 6 so I can stop the madness?

Thanks



Upgrade to DNN7?

Are you sure they aren't just using an automated script to register accounts?

Security bulletins http://www.dnnsoftware.com/Platform/Manage/Security-Center


From what I read, the DNN team says they're immune to SQL injection, but you do have to either upgrade or enter the code yourself, so it depends on the site and what year it is from.

Official response to this subject from the DNN team: "Recently we've received a number of emails to the [email protected] alias from users whose sites have suffered from sql injection enquiring whether DotNetNuke has any sql injection issues. The short answer is no. For sql injection attacks to work typically the code needs to execute dynamic sql, i.e. sql statements that are built up via concatenation and executed directly against the database or else within a stored procedure that executes the statement via EXEC or sp_execute. As a matter of policy we avoid using both those approaches and instead only use stored procedures with parameters, so default installations of DotNetNuke and any core modules are not vulnerable to sql injection attacks."
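The distinction the quoted response draws, as an added T-SQL illustration that is not DNN's own code (the `dbo.Users` table and the `FindUser_*` procedure names are hypothetical): a stored procedure that builds its statement by concatenation and runs it through EXEC is the injectable pattern, whereas one that takes a typed parameter, or passes the value to sp_executesql as a parameter, binds the input as data.

```sql
-- Hypothetical table shared by the procedures below (constructed for this example).
CREATE TABLE dbo.Users (UserID INT PRIMARY KEY, Username NVARCHAR(100), Email NVARCHAR(256));
GO

-- UNSAFE pattern the DNN response says they avoid: dynamic SQL assembled by string
-- concatenation and executed with EXEC. The caller's text becomes part of the
-- statement, so a single quote inside @Username ends the literal and whatever
-- follows is parsed as SQL rather than compared as data.
CREATE PROCEDURE dbo.FindUser_Unsafe @Username NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT UserID, Username, Email FROM dbo.Users WHERE Username = ''' + @Username + N'''';
    EXEC (@sql);
END
GO

-- SAFE pattern the response describes: a stored procedure with a typed parameter.
-- The value is bound by the engine and can never change the shape of the statement.
CREATE PROCEDURE dbo.FindUser_Safe @Username NVARCHAR(100)
AS
BEGIN
    SELECT UserID, Username, Email FROM dbo.Users WHERE Username = @Username;
END
GO

-- If dynamic SQL is unavoidable (e.g. the filter column is chosen at runtime), keep
-- the user-supplied VALUE as an sp_executesql parameter and restrict the identifier
-- to an allow-list wrapped in QUOTENAME instead of concatenating raw text.
CREATE PROCEDURE dbo.FindUser_DynamicSafe @Column SYSNAME, @Value NVARCHAR(256)
AS
BEGIN
    IF @Column NOT IN (N'Username', N'Email')
        THROW 50000, N'Unsupported filter column', 1;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserID, Username, Email FROM dbo.Users WHERE ' + QUOTENAME(@Column) + N' = @v';
    EXEC sp_executesql @sql, N'@v NVARCHAR(256)', @v = @Value;
END
GO

-- Audit check for a site like the one in the question: list procedures (including
-- third-party module procedures) whose text still uses EXEC on a string, which is
-- where a review for dynamic-SQL injection should start.
SELECT OBJECT_SCHEMA_NAME(object_id) AS SchemaName, OBJECT_NAME(object_id) AS ProcName
FROM sys.sql_modules
WHERE definition LIKE '%EXEC (%' OR definition LIKE '%EXEC(%';
```

The audit query is a rough text match, so review its hits by hand; module code that uses EXEC only for a fixed, non-concatenated string is not a finding.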