DotNetNuke Gem
-
Found in DotNetNuke.Services.Url.FriendlyUrl.DNNFriendlyUrlProvider
Let's make double sure that the attribute hasn't changed. Gotta love people going nuts with copy/paste.

Dim objProvider As Provider = CType(_providerConfiguration.Providers(_providerConfiguration.DefaultProvider), Provider)
' Read the attributes for this provider
If Convert.ToString(objProvider.Attributes("includePageName")) <> "" Then
    _includePageName = Boolean.Parse(objProvider.Attributes("includePageName"))
Else
    _includePageName = True
End If
If Convert.ToString(objProvider.Attributes("includePageName")) <> "" Then
    _includePageName = Boolean.Parse(objProvider.Attributes("includePageName"))
Else
    _includePageName = True
End If
-
If that's the worst thing you find in a *nuke system, I would be very impressed. *nuke is the Internet Explorer of, well, whatever the hell *nuke is supposed to do.
-
@Dragnslcr said:
If that's the worst thing you find in a *nuke system, I would be very impressed. *nuke is the Internet Explorer of, well, whatever the hell *nuke is supposed to do.
*Nuke is the premiere cross-platform remote-login solution for PHP.
-
I had the displeasure of working with DotNetNuke for over a year, and I have to say this WTF is minor compared to the rest of the codebase. Try setting your debugger to break on exception, and let it run. I counted over 250 exceptions thrown and swallowed on a regular page view with no actual errors; and that was only debugging the main DotNetNuke assembly.
They use exceptions for flow control. Like so:

Try
    Do
        ' Something that eventually throws
    Loop While True
Catch ex As Exception
End Try
-
I didn't even know another CMS was named after phpnuke. That's like calling a pro-peace organization "the Kim Jong Il project". Needless to say, that's not the best foundation to start with, but as I read these comments, it seems the "phpnuke spirit" was respected and that in some way the "developers" of this application can be proud of themselves.
I still have to maintain a phpnuke portal, which gets hacked from time to time, until I have some time to migrate to something else (most probably Joomla, and well, if you think it's another WTF, go ahead and tell me, I don't want to live through another security nightmare. Drupal seems better, but I think it'll scare the non-geek site owners).
phpnuke is so WTFed that you can't survive without some third-party WTF patch layer called "Fortress". Its role is quite simple: since phpnuke almost never escapes arguments and dumps them directly into SQL queries (which are, indeed, spread across dozens of PHP files), in a desperate gesture Fortress tries to escape them or at least redirects to a retarded "ahaha gotcha lamer you've been banned, webmaster will be notified" page. This is done via a whole mess of headers to add to all files, which trigger regexps on the provided URL (none of which would be necessary if args were escaped in queries, as in any sane web app). And, yes, only the URL is checked. I'm sure a ton of exploits are still possible via spoofed POSTs or cookies. An example of a retarded security measure is this file. It's distributed as is, as part of an open source software. The source speaks for itself: no comment.
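Added illustration (not part of the post above, and not phpnuke's or Fortress's actual code): a hypothetical Python/sqlite3 app with a Fortress-style filter that only regex-checks the decoded URL, next to a string-concatenated lookup and the same lookup with a bound parameter. The filter rules, the table, the rows and the request shape are all constructed for the demo. It shows the point the poster makes: the identical payload that is blocked in the query string sails through in a POST body or a cookie and dumps every row, while the parameterized query needs no filter at all.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed stand-in for a URL-only request filter in the spirit of the
# "Fortress" layer described above (hypothetical: not Fortress's real rules).
# It inspects the decoded path + query string for SQL-ish tokens and blocks
# the request on a match.  POST bodies and cookies are never inspected.
BAD_PATTERNS = re.compile(
    r"(union\s+select|--|/\*|\bor\s+\d+\s*=\s*\d+|'\s*or\s*')",
    re.IGNORECASE,
)


def url_filter_allows(url: str) -> bool:
    """True if the request URL passes the filter (is not blocked)."""
    parts = urlsplit(url)
    return BAD_PATTERNS.search(unquote_plus(parts.path + "?" + parts.query)) is None


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"), (2, "bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String-concatenated query: the unescaped pattern the post describes."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter; safe without any URL filter."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


def handle_request(conn, url: str, body: dict, cookies: dict, lookup) -> object:
    """Hypothetical handler: run the URL filter, then take `name` from the
    query string, the POST body or a cookie, whichever is present first
    (mirroring apps that read every request source indiscriminately)."""
    if not url_filter_allows(url):
        return "blocked"
    query = parse_qs(urlsplit(url).query)
    name = (query.get("name") or [None])[0] or body.get("name") or cookies.get("name") or ""
    return lookup(conn, name)


PAYLOAD = "' OR '1'='1"  # constructed injection string


if __name__ == "__main__":
    conn = make_db()
    # Same payload, four delivery routes:
    print(handle_request(conn, "/user.php?name=%27+OR+%271%27%3D%271", {}, {}, lookup_vulnerable))
    print(handle_request(conn, "/user.php", {"name": PAYLOAD}, {}, lookup_vulnerable))
    print(handle_request(conn, "/user.php", {}, {"name": PAYLOAD}, lookup_vulnerable))
    print(handle_request(conn, "/user.php", {"name": PAYLOAD}, {}, lookup_parameterized))
```

The first call is blocked by the regex, the second and third return both rows because the filter never sees the body or the cookie, and the fourth returns nothing because the bound parameter is compared as a literal string. The check that actually matters is the one at the query, not the one at the URL.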
-
The hardcoded bot useragent list is priceless.