DNN Community Blog

Workaround for potential security issue

Recently a security researcher contacted us with details of a potential issue in the Install Wizard functionality of DNN. We were able to validate their findings, and have created a fix which will come in the DNN Platform 7.4.1 release which is due out in a few weeks.


Normally we would not provide any advance detail of a security fix, as that tends to benefit potential hackers more than users. However, a few days ago we received a report from a user that one of their sites had been exploited. Based on the information from that user, it seems that their site had been exploited via the same vulnerability. Since that case we have had one other report, so it appears that this is being exploited on a limited basis.


Whilst the vulnerability itself would be classified as "critical", there are a number of pieces of mitigation such that it only applies to a small subset of users. However we don't feel comfortable with having user sites potentially vulnerable to an issue that is in use "in the wild", so we are suggesting an easy workaround for the issue.


To ensure your site’s security, please delete the following files:




Note: when 7.4.1 is released, we will publish a security bulletin for this issue and will detail the version(s) of DNN that are vulnerable, as well as providing more detail on which configurations are potentially vulnerable.


Geoff Barlow
Hi Cathal,

Thanks for the heads up on this!

Could you tell us what versions this affects, and also what effect will it have to delete the files you have mentioned towards upgrading etc.? Do we need to keep copies of them in a secure place for upgrade purposes etc.?

Geoff Barlow Tuesday, April 28, 2015 2:46 AM
Geoff Barlow
Sorry, forgot to ask...

Is it also a good idea to delete the following file as well:

- install.aspx
- install.aspx.cs / .vb

Geoff Barlow Tuesday, April 28, 2015 2:51 AM
Gilles Le Pigocher

I'm a little bit late, but you can use a small program I created a few years ago for a similar problem.


Unzip cleancrack where you want on your server, open a command window, then go to the folder where you have unzipped cleancrack. Typical usage is: cleancrack /folder:"C:\inetpub\wwwroot" /patterns:install.aspx,install.aspx.vb,install.aspx.cs /verbose:true
Gilles Le Pigocher Tuesday, April 28, 2015 9:51 AM
cathal connolly
@Geoff At present we're still finishing the investigation into the scope of this. When that happens we make an assumption that all versions are affected until proven otherwise.

As to the effects that are known, those files are only used during installation, and there's no need to back them up.
cathal connolly Tuesday, April 28, 2015 12:05 PM
Jan Jonas
I do not know any details about this specific security issue, but isn't the fact that you can access the files /install/... without being logged in (as host admin) a security problem?
Jan Jonas Wednesday, April 29, 2015 4:03 PM
Geoff Barlow
@Cathal Thanks for the info. I understand that you can't really give any more info on the subject and you are doing the best you can to investigate into this.

I am sure that everyone is pleased to see that, even though you can't really say what the 'potential security issue' is, you have given a solution to solve it before it becomes a real problem.

Thanks Cathal!
Geoff Barlow Thursday, April 30, 2015 2:44 AM
Ryan Moore
Folks, for now, two quick questions

1. Quick Rename:
For speed of edits to protect many sites quickly, would it be enough to either delete or rename the whole /Install/ folder to something else?

Then when a patch is ready we can apply and or rename back before applying?

2. Older DNNs:
I assume that when a patch is released for 7.4.x there will be matching patches for 5.6.8 top and, right?
Ryan Moore Thursday, April 30, 2015 6:12 PM
cathal connolly
@Ryan - 1. we recommend just deleting the installwizard files, as some hosts use install.aspx to do automated upgrades/module installs. If you don't, you can delete the entire install folder safely.

2. I'm afraid not, we are only supporting the 7.x branch as the older branches have been "sunsetted" (see for the policy). We are currently testing older branches to see if they're vulnerable; when we publish 7.4.1 the security bulletin will list the versions that are potentially affected.
cathal connolly Friday, May 01, 2015 9:48 AM
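As an added example (not DNN's code and not Gilles' cleancrack tool), the script below applies the workaround discussed above across several site roots at once: it lists the Install Wizard files it would remove (dry run) and then moves them out of the web root, the way an administrator protecting many sites quickly might want. It assumes the files live directly under each site's Install folder and that InstallWizard.aspx is the name of the wizard page; the two-site layout it builds is constructed for the demonstration.

```python
"""Find and quarantine DNN Install Wizard files across several site roots."""
import fnmatch
import shutil
import tempfile
from pathlib import Path

# Patterns from the thread (install.aspx plus code-behind); the
# installwizard.* names are an assumption. Matching is case-insensitive
# because the files live on a Windows/IIS file system.
DEFAULT_PATTERNS = ("install.aspx", "install.aspx.cs", "install.aspx.vb",
                    "installwizard.aspx", "installwizard.aspx.cs",
                    "installwizard.aspx.vb")

def find_wizard_files(site_root, patterns=DEFAULT_PATTERNS):
    """Return matching files under <site_root>/Install, sorted. Only that
    folder is searched, so a same-named file under a portal upload
    directory is never touched."""
    install_dir = next((p for p in Path(site_root).iterdir()
                        if p.is_dir() and p.name.lower() == "install"), None)
    if install_dir is None:
        return []
    hits = [p for p in install_dir.iterdir() if p.is_file()
            and any(fnmatch.fnmatch(p.name.lower(), pat) for pat in patterns)]
    return sorted(hits)

def quarantine(site_roots, quarantine_dir, dry_run=True, patterns=DEFAULT_PATTERNS):
    """Move matches to a folder outside the web root, or just list them
    when dry_run is True. Returns (source, destination) pairs."""
    moved = []
    for root in site_roots:
        for hit in find_wizard_files(root, patterns):
            dest = Path(quarantine_dir) / Path(root).name / hit.name
            if not dry_run:
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(hit), str(dest))
            moved.append((str(hit), str(dest)))
    return moved

def demo():
    """Build a constructed two-site layout in a temp dir and run both modes."""
    base = Path(tempfile.mkdtemp())
    for site in ("site1", "site2"):
        (base / site / "Install").mkdir(parents=True)
        for name in ("Install.aspx", "InstallWizard.aspx", "UpgradeWizard.aspx"):
            (base / site / "Install" / name).write_text("<%@ Page %>")
        (base / site / "Default.aspx").write_text("<%@ Page %>")
    roots = [base / "site1", base / "site2"]
    planned = quarantine(roots, base / "quarantine", dry_run=True)
    done = quarantine(roots, base / "quarantine", dry_run=False)
    remaining = sorted(p.name for p in (base / "site1" / "Install").iterdir())
    return len(planned), len(done), remaining
```

Pass the extra names (UpgradeWizard.aspx and its code-behind, for instance) in `patterns` if you decide to remove them too; the dry run shows exactly what would go before anything is moved.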
Patrick Ryan
What about UpgradeWizard.aspx and UpgradeWizard.aspx.cs?
Patrick Ryan Friday, May 01, 2015 3:38 PM
William N
Hi Cathal,

Thank you for this notice.

Do you think this post should be referenced on the Security Center page ( I personally only check the community blog once or twice a week for updates but I check the Security Center daily, I'm thinking others might as well.

Thanks again!
William N Sunday, May 03, 2015 6:54 PM
cathal connolly
@William - I'll see if it can be done, though that's a custom page. Note: this is the first (and hopefully only) time we've done a pre-release workaround, so it should not be necessary again.
cathal connolly Sunday, May 03, 2015 7:00 PM
Jan Jonas
Hi all,
we've just released our (professional) module "DNN Hardening" ( which should fix the security problem mentioned in this post. After installing the module, the /install directory is protected from being accessed by unauthorized users (i.e. non super users). The module is compatible with all DNN 7.
If there is a demand for a version that is compatible with DNN 6.X, please contact us here
Jan Jonas Monday, May 04, 2015 2:29 AM
mohammad azarbara
Thanks Cathal, for this post
mohammad azarbara Monday, May 04, 2015 4:23 AM
Ryan Moore
BTW, All, Joe Brinkman just wrote about another solution that can help analyze... feels like a great start to a module that will help with general security and could grow to other functions in the future...

In Joe's description, with this module they wanted, "... In addition to programmatically fixing the Install Wizard issue, we also wanted to provide some tools which would help identify potential security issues with your site configuration. The security analyzer includes three primary tools:
Audit Checks – Scanner Checks – Super User Activity. "

Be sure to check it out. It's set to run on DNN instances from 6.2 up

Ryan Moore Thursday, May 21, 2015 2:38 PM
