DotNetNuke Gem



  • Found in DotNetNuke.Services.Url.FriendlyUrl.DNNFriendlyUrlProvider

    Let's make double sure that the attribute hasn't changed. Gotta love people going nuts with copy/paste.

    Dim objProvider As Provider = CType(_providerConfiguration.Providers(_providerConfiguration.DefaultProvider), Provider)

    ' Read the attributes for this provider

    If Convert.ToString(objProvider.Attributes("includePageName")) <> "" Then
       _includePageName = Boolean.Parse(objProvider.Attributes("includePageName"))
    Else
       _includePageName = True
    End If

    If Convert.ToString(objProvider.Attributes("includePageName")) <> "" Then
       _includePageName = Boolean.Parse(objProvider.Attributes("includePageName"))
    Else
       _includePageName = True
    End If

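Reading the attribute once, with a parse that cannot throw, as an added example (this is not DotNetNuke's code). It assumes the provider's attribute bag is a NameValueCollection, as in the .NET provider model; the helper names and the sample attribute values are constructed for the demo. Besides the copy/paste, the snippet above has a second sharp edge: Boolean.Parse accepts only "true" or "false" (any case, surrounding whitespace ignored), so an operator who writes includePageName="1" or "yes" in web.config gets a FormatException while the provider initialises, instead of the default the Else branch suggests.

```vb
' Added example, not DotNetNuke code. Reads the includePageName provider
' attribute once and tolerates malformed values. The attribute name follows
' the snippet above; the collection type is assumed (NameValueCollection,
' as in System.Configuration providers) and the helper names are mine.
Imports System
Imports System.Collections.Specialized

Module ProviderAttributeDemo

    ' Behaviour of the original block: a missing or empty attribute defaults
    ' to True, but any non-empty value other than "true"/"false" makes
    ' Boolean.Parse throw FormatException during provider start-up.
    Function ReadIncludePageNameStrict(attributes As NameValueCollection) As Boolean
        Dim raw As String = Convert.ToString(attributes("includePageName"))
        ' VB treats Nothing as "" in string comparisons, so a missing key
        ' falls through to the default rather than into Boolean.Parse.
        If raw <> "" Then
            Return Boolean.Parse(raw)
        End If
        Return True
    End Function

    ' Hardened: one read, TryParse, explicit default, no exception path.
    ' If() guards against the Nothing a missing key yields before Trim().
    Function ReadIncludePageName(attributes As NameValueCollection, defaultValue As Boolean) As Boolean
        Dim raw As String = If(attributes("includePageName"), String.Empty).Trim()
        Dim parsed As Boolean
        If Boolean.TryParse(raw, parsed) Then
            Return parsed
        End If
        ' Empty, missing, or unparseable ("1", "yes", "enabled"): use the default.
        Return defaultValue
    End Function

    Sub Main()
        ' Constructed attribute bags standing in for objProvider.Attributes.
        Dim valid As New NameValueCollection()
        valid("includePageName") = "False"
        Dim missing As New NameValueCollection()
        Dim malformed As New NameValueCollection()
        malformed("includePageName") = "1"

        Console.WriteLine("valid     -> " & ReadIncludePageName(valid, True))
        Console.WriteLine("missing   -> " & ReadIncludePageName(missing, True))
        Console.WriteLine("malformed -> " & ReadIncludePageName(malformed, True))

        ' The original logic rejects the same malformed value with an exception.
        Try
            ReadIncludePageNameStrict(malformed)
        Catch ex As FormatException
            Console.WriteLine("strict reader threw " & ex.GetType().Name)
        End Try
    End Sub
End Module
```

The hardened reader returns False, True and True for the three constructed bags; the strict reader throws on the third. Whether a malformed value should default silently or fail loudly is a deployment choice, but it should be a choice made once, not a block pasted twice.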

  • If that's the worst thing you find in a *nuke system, I would be very impressed. *nuke is the Internet Explorer of, well, whatever the hell *nuke is supposed to do.



  • @Dragnslcr said:

    If that's the worst thing you find in a *nuke system, I would be very impressed. *nuke is the Internet Explorer of, well, whatever the hell *nuke is supposed to do.

    *Nuke is the premiere cross-platform remote-login solution for PHP.


  • Considered Harmful

    I had the displeasure of working with DotNetNuke for over a year, and I have to say this WTF is minor compared to the rest of the codebase. Try setting your debugger to break on exception, and let it run. I counted over 250 exceptions thrown and swallowed on a regular page view with no actual errors; and that was only debugging the main DotNetNuke assembly.

    They use exceptions for flow control. Like so:

    Try
        Do While True
            ' Something that eventually throws
        Loop
    Catch ex As Exception
    End Try

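The same loop with an explicit exit, as an added example (not DotNetNuke code): it sums a constructed list two ways, first with the throw-to-exit pattern the post describes, then with a bounded loop. The cost is not only an exception object per page view; the bare Catch also swallows any other failure raised inside the loop, so the first version quietly returns 0 for a Nothing list where the second one throws at the caller. The function names and sample data are mine.

```vb
' Added example, not DotNetNuke code. Mirrors the Try/Do/Catch shape the
' post describes: the loop ends only when something throws, and the bare
' Catch swallows every exception, including ones that signal a real fault.
Imports System
Imports System.Collections.Generic

Module ExceptionFlowDemo

    ' Flow control by exception: walk past the end of the list and rely on
    ' ArgumentOutOfRangeException to leave the loop. Any other exception
    ' raised while processing an item is swallowed the same way.
    Function SumByException(items As List(Of Integer)) As Integer
        Dim total As Integer = 0
        Dim i As Integer = 0
        Try
            Do While True
                total += items(i)   ' throws once i reaches items.Count
                i += 1
            Loop
        Catch ex As Exception
            ' swallowed: the loop has no other way to stop
        End Try
        Return total
    End Function

    ' Same result with an explicit termination condition. No exception is
    ' created in the normal case, and a genuine fault (here, a Nothing list)
    ' surfaces instead of being silently eaten.
    Function SumExplicit(items As List(Of Integer)) As Integer
        If items Is Nothing Then
            Throw New ArgumentNullException(NameOf(items))
        End If
        Dim total As Integer = 0
        For i As Integer = 0 To items.Count - 1
            total += items(i)
        Next
        Return total
    End Function

    Sub Main()
        ' Constructed input.
        Dim sample As New List(Of Integer) From {1, 2, 3, 4}
        Console.WriteLine("by exception: " & SumByException(sample))
        Console.WriteLine("explicit:     " & SumExplicit(sample))

        ' With a Nothing list the first version hides the NullReferenceException
        ' behind a result of 0; the second reports the bad argument.
        Console.WriteLine("by exception, Nothing: " & SumByException(Nothing))
        Try
            SumExplicit(Nothing)
        Catch ex As ArgumentNullException
            Console.WriteLine("explicit, Nothing: " & ex.GetType().Name)
        End Try
    End Sub
End Module
```

Both functions agree on well-formed input; they differ only in what a real fault looks like to the caller, which is exactly the difference a break-on-exception session makes visible.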


  • I didn't even know another CMS software was named after phpnuke. That's like calling a pro-peace organization " the Kim Jong Il project". Needless to say, that's not the best foundation to start with, but as I read these comments, it seems the "phpnuke spirit" was respected and that in some way, the "developers" of this application can be proud of themselves.

     I still have to maintain a phpnuke portal, which gets hacked from time to time, until I have some time to migrate to something else (most probably Joomla, and, well, if you think it's another WTF, go ahead and tell me; I don't want to live another security nightmare. Drupal seems better but I think it'll scare the non-geek site owners).

     phpnuke is so WTFed that you can't survive without some third-party WTF patch layer called "Fortress". Its role is quite simple: since phpnuke almost never escapes arguments and dumps them directly in SQL queries (which are, indeed, spread across dozens of PHP files), in a desperate gesture Fortress tries to escape them or at least redirects to a retarded "ahaha gotcha lamer you've been banned, webmaster will be notified". This is done via a whole mess of headers to add to all files, which trigger regexps on the provided URL (all of which wouldn't be necessary if args were escaped in queries, as in any sane web app). And, yes, only the URL is checked. I'm sure a ton of exploits are still possible via spoofed posts or cookies.

     An example of a retarded security measure is this file. It's distributed as is, as a part of an open source software. The source speaks for itself: no comment.



  • The hardcoded bot useragent list is priceless.

