Written by: host
Saturday, July 18, 2009 7:42 PM 

After a security review of an internal site, a concern was raised that passing parameters to other pages in cleartext, with rather revealing parameter names, was weak from a security point of view.  The pages where the concern was raised all used DotNetNuke’s IFrame module, and the parameters were in fact passed in cleartext.  For example, several of the target frames required that the user’s username be passed.  The IFrame module would create a URL like www.othersite.com?username=myusername. This meant that a user could potentially revise the URL with a different username and spoof the real username.  I was required to “blur” the parameters being passed so that someone looking for specific parameters would not be able to determine what was being passed.

I developed IFrame64 as a superset of the DotNetNuke IFrame module that allows users to easily blur the parameters being passed to other pages / documents / sites.  IFrame64 can create a URL like www.othersite.com?x=VXNlcm5hbWU9aG9zdA==, where VXNlcm5hbWU9aG9zdA== is a Base64-encoded string carrying the username key-value pair in place of the cleartext username=myusername (this sample value decodes to Username=host).

The module extends the existing IFrame with several new options:

The Display URL option allows the user to see the URL passed to the other page.  The option is helpful in testing and debugging.  This option is not recommended for production and should be disabled prior to moving to production.

The Must be Logged In option allows the user to define a message to be displayed when an anonymous user gains access to the page where this module is located and the option is enabled.

Encoding of parameters is set to none by default; however, this can be changed to Base64 encoding or to Encryption.  The Encryption is based on the site keys associated with each individual DotNetNuke site.

Create a Single Parameter, when enabled, will create a single parameter for all the key-value pairs defined.  All the key-value pairs will be combined into a single string and Base64 encoded.

Note: The receiving page / site / document must be able to interpret the encoded/encrypted data.  You may need to revise the target page / site / document accordingly.
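A receiving-side sketch for the note above, added here as an example and not part of IFrame64 or DotNetNuke: it decodes the post's sample parameter without any key, which shows that Base64 hides the value only from casual reading, and then shows one way to make a parameter tamper-evident with an HMAC. The `&`-joined pair format, the `payload.tag` token layout, the function names and `SHARED_KEY` are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

SHARED_KEY = b"constructed-demo-key"  # assumption: secret known to both sites


def decode_blurred(url, param="x"):
    """Recover the key-value pairs from a Base64 'blurred' parameter (no key needed)."""
    value = parse_qs(urlsplit(url).query)[param][0]
    value = value.replace(" ", "+")  # query parsing turns a literal '+' into a space
    raw = base64.b64decode(value, validate=True).decode("utf-8")
    # Assumption: pairs are joined as key=value&key=value before encoding.
    return dict(parse_qsl(raw, strict_parsing=True))


def sign_params(pairs, key=SHARED_KEY):
    """Sender side (hypothetical): Base64 payload plus an HMAC-SHA256 tag."""
    payload = urlencode(pairs).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    b64 = base64.urlsafe_b64encode
    return b64(payload).decode() + "." + b64(tag).decode()


def verify_params(token, key=SHARED_KEY):
    """Receiver side (hypothetical): return the pairs, or None if altered."""
    try:
        payload64, tag64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload64)
        tag = base64.urlsafe_b64decode(tag64)
    except ValueError:  # wrong shape or invalid Base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return dict(parse_qsl(payload.decode("utf-8")))


if __name__ == "__main__":
    # The sample URL from the post: readable by anyone who sees it.
    print(decode_blurred("www.othersite.com?x=VXNlcm5hbWU9aG9zdA=="))
    token = sign_params({"username": "myusername"})
    print(verify_params(token))
    # Constructed tampering case: payload swapped, original tag kept.
    forged = base64.urlsafe_b64encode(b"username=other").decode() + "." + token.split(".")[1]
    print(verify_params(forged))
```

The tag only detects modification of the parameter; it does not conceal the username.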
 

The following is an example of creating a single blurred parameter (name blurred - can be whatever user defines)

Highlighted in yellow is the URL passed to the frame.

Since IFrame64 is based on the DotNetNuke IFrame module, they share the IFrame_Parameters database table.  Therefore, the IFrame module MUST be installed prior to installing the IFrame64 module.

You can view or download the module from Tressleworks here.

Enjoy
Paul.


3 comment(s) so far...

Re: IFrame64 - New Free Module available from Tressleworks

Thanks for posting. My favourite topic in programming. I've been engaged in investigating this issue. Like everything about it, especially an option which is rather helpful in testing and debugging, that is the Display URL option that allows the user to see the URL passed to the other page. I find it pretty good, thanks.

By Torrent File on   Tuesday, December 22, 2009 4:12 AM

Re: IFrame64 - New Free Module available from Tressleworks

Cool* Blog Stuff ... thank you for information !

By Joy on   Tuesday, January 19, 2010 4:03 AM

Re: IFrame64 - New Free Module available from Tressleworks

Cool* Blog Stuff ... thank you for information !

By Joy on   Tuesday, January 19, 2010 4:10 AM
