For the past while we're had a number of reports of unexpected user registration on DNN sites. In some cases these sites still had public registration enabled but had no expectation of new members, suggesting something odd was going on. Further investigation showed that in some cases these unexpected new users proceeded to add content (including links) to their profiles that would be useful to help with SEO for those sites (sometimes referred to as "link juice"). We asked for and received a number of IIS log files and access to users sites, and have been able to establish that there is no issue with registration i.e. these are valid registrations and not a security issue that allowed someone to bypass registration. However, based on the speed and frequency of the registrations it's clear that an automated process ("bot") is being used to register on various DNN sites. This is an unfortunate problem, but is not uncommon with template driven applications such as CMS -for instance Wordpress has had to battle this on a number of occasions.
Initially anecdotal reports stated that enabling a captcha stopped these registrations, but in the past few days that has proven to no longer the case i.e. the anecdotal reports were either wrong or the spammers have updated their bot to calculate the registration captcha correctly. The full process the bot follows appears to be:
1. It searches google for sites that contain “Membership for this website is public”
2. Once a site is found (e.g. mysite.com), it executes a request for mysite.com/default.aspx?ctl=Register
3. Once the registration page loads, the bot pulls down the captcha image and calculates the answer (if a captcha is on the page), fills in the fields and clicks register. It then and updates the profile to contain some links to other sites in an attempt to enhance SEO
What can I do to stop this?
The easiest thing to do to stop registrations is to disable registration by setting it to none (http://www.dnnsoftware.com/help#Documentation/Using_the_Control_Panel/Admin_Console/Site_Settings/User_Account_Settings/Registration_Settings/Enabling_User_Registration.html)
If you cannot do this as you want to support registration of new users, then private registration is recommended. During one of the security team’s periodic audits, we determined that the old default of "public" was sub-optimal, and changed the new default to "private" with the 7.0.0 release, so anyone who has installed DNN since 7.0.0 will already be using "private" and not have anything to worry about.
It's also recommended that you enable registration captcha's - whilst captcha is widely regarded as being broken (https://www.google.hu/?gfe_rd=cr&ei=8m58U6PbIqHc8ge_3YHoDQ#q=captcha+broken), the fact that it works in some cases will at least reduce the number of unexpected user's registering.
I want to offer public registration, is there anything I can do?
Whilst we work on this issue, there are a few things you may consider.
1. Consider altering the "Membership for this website is public" text in the PublicMembership.Text node in App_GlobalResources\SharedResources.resx. Whilst this doesn't solve the issue, it offers a form of "security by obscurity".
2. There are reports that the bot attempts passwords with a length of 7-10 characters. Changing the minimum password length to 11 (or above) via the minRequiredPasswordLength parameter in web.config stop's these automated registrations (though clearly the bot authors could update their bot for longer lengths). Note: this is intended for a new install, I believe that it may lock out users with shorter passwords in existing installs.
3. If using IIS7 or above, you can use request filtering to block requests for ctl=Register - see http://www.dnnsoftware.com/forums/forumid/108/postid/501219/scope/posts#501219 for an example.
4. Some anecdotal reports state that added an additional, required field to your profile blocks the bot - this would make sense as it's targeting the default registration page. As such a new required profile property will likely halt the unwanted registrations (see help.dnnsoftware.com - search for "Managing your User Profile")
5. Change the registration page and block requests to the default registration - see http://www.dnnsoftware.com/wiki/page/replacing-registration-page-with-custom-and-blocking-the-default-register-page
6. A community member (interactivewebs) has created a module which replaces the built in Captcha with the much more difficult to crack reCaptcha one- see here
I have a custom registration page, is this a problem for me?
This would not normally be a problem as the bot is targeting the default DNN registration page. However there was a bug in the logic that handled redirects to custom registration pages - https://dnntracker.atlassian.net/browse/DNN-4842 . This bug was fixed in 7.2.2, so upgrading to that version will resolve it.
What else are DNN doing about this?
We continue to investigate and analyse the various reports, and make plans to resolve it. We're currently considering various measures to make it much harder (e.g. update/replace the captcha, remove/control the ?ctl=Register logic), as well as to make it pointless for spammers e.g. allow sites to set control whether users can use html in their profile, and hope to roll out some solutions to this soon.