atxgeek 


just one more geek in a sea of austin techies

March 20, 2014

TIP: Beware nefarious spaces #DotNetNukeGeek

I never cease to be amazed at "holes" in software that's been around for ages -- that is, simple bugs that have had plenty of time to be detected and quashed but somehow aren't.  This week I ran into an oversight in the venerable DotNetNuke (aka "DNN") web platform, which is a nicely-featured framework for quickly building .NET-based websites.

DNN has been around for over a decade yet the bug that tried to bite me is a simple oversight in how account usernames are handled...


Untrimmed Names
DNN does not "trim" usernames -- that is, it allows users to enter leading and trailing spaces when choosing a username.  DNN preserves any such spaces as part of the username.  This situation allows a user to accidentally and unknowingly key in a leading (or trailing) space as part of their chosen username.  DNN automatically logs users in when a new account is created so the user thinks everything is fine... until the user returns later and attempts to log in.  Unless the user repeats the accidental blank space snafu, the user has no chance of logging in or even getting a password recovery since the default password recovery configuration requires users to enter their username.

What Does This Look Like (How can I spot it?)
This particular bug is nefarious because an accidental click of the spacebar is an easy misstep but, once an account is created, it is difficult to spot an unintended space as web browsers remove extraneous spaces in most web page text.  The username appears normal everywhere it might appear in a typical DNN site.

Fortunately DotNetNuke website administrators can easily spot the leading space(s) issue for most usernames simply by checking the "User Accounts" module, as shown in Figure 1.

Figure 1 -- A username starting with 'm' appears out of place at the top of the alphabetically-sorted list.

Note that I say it is easy to spot most usernames but not all.  If a user happens to pick a username that would normally appear first in the list of names then this simple spot-check won't help.  In that case you'll need to go directly to the database to check for the existence of leading spaces.

Simple fix
It would be trivial for the guys that develop DotNetNuke to trim spaces from usernames.  Not being one of those developers, though, your options are more limited.  You *could* alter the code itself (DNN is partially open-source) but that isn't a sure long-term solution if you apply DNN version updates.

A better solution would be to (and I very rarely say this) apply a trigger to the USERS database table.  Personally I dislike triggers as they can easily become a serious code management issue and often make troubleshooting issues radically more complex -- especially when troubleshooting someone else's database.  In this case, however, a trigger is one of the most reliable and least intrusive solutions to the untrimmed usernames issue.

NOTE:  The username is also stored in the table ASPNET_USERS but it is a trimmed version of the username so there is nothing to update.

Recommendation
My recommendation is actually to do nothing.  Many years of handling many DNN-based websites (amounting to tens of thousands of end user accounts) leads me to believe that unintended leading/trailing spaces in usernames are something of a rare event.  Instead, add a copy of this post to your knowledgebase as a just-in-case measure and go about your normal business.  If you are very concerned about the issue you can go the route of adding a trigger or just set up a recurring job to query the USERS table for untrimmed usernames and alert you if/when any are found.
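
The two options mentioned above (a recurring check of the USERS table, or a trigger on it), sketched in T-SQL as an added example; this is not code from the original post or from the DNN project. It assumes the table is `dbo.Users` with `UserID` and `Username` columns and no DNN object-qualifier prefix, and the trigger name is hypothetical.

```sql
-- Added example (T-SQL, SQL Server); not DNN project code.
-- Assumptions: table dbo.Users with columns UserID and Username, and no
-- objectQualifier prefix. Adjust the names to match your installation.

-- 1) Detection query for a recurring job.
-- DATALENGTH is used because LEN() and '=' both ignore trailing spaces,
-- so a LEN-based check would miss a name such as 'mike '.
SELECT UserID,
       '[' + Username + ']' AS BracketedUsername,  -- brackets make spaces visible
       DATALENGTH(Username) - DATALENGTH(LTRIM(RTRIM(Username))) AS ExtraBytes
FROM   dbo.Users
WHERE  DATALENGTH(Username) <> DATALENGTH(LTRIM(RTRIM(Username)));
GO

-- 2) Trigger that trims usernames as rows are inserted or updated.
-- LTRIM/RTRIM strip ordinary spaces only (not tabs or non-breaking spaces).
CREATE TRIGGER dbo.trg_Users_TrimUsername   -- hypothetical name
ON dbo.Users
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Do nothing unless this statement wrote an untrimmed username.
    IF NOT EXISTS (SELECT 1
                   FROM   inserted
                   WHERE  DATALENGTH(Username) <> DATALENGTH(LTRIM(RTRIM(Username))))
        RETURN;

    -- If usernames are covered by a unique index and the trimmed name is
    -- already taken, this UPDATE fails and the original statement rolls back.
    UPDATE u
    SET    u.Username = LTRIM(RTRIM(u.Username))
    FROM   dbo.Users AS u
    JOIN   inserted  AS i ON i.UserID = u.UserID
    WHERE  DATALENGTH(u.Username) <> DATALENGTH(LTRIM(RTRIM(u.Username)));
END;
GO
```

Run the detection query once before creating the trigger, since the trigger only touches rows written after it exists.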




