Products

Solutions

Learn More

Partners

Community

Blog

About

DNN Community Blog

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.


9.0.2 Release and Security Patch

Today we are releasing the 9.0.2 version of both DNN Platform and Evoq. This release addresses an important security issue that reveals user’s details. Along with the 9.0.2 release, we are also providing a security patch to help fix this problem in older versions of DNN and Evoq.

What’s the vulnerability?

It was brought to our attention that one can potentially uncover the following user’s details on a typical DNN or Evoq install:
1. Email Address
2. Display Name
3. User Name

Can additional profile properties be uncovered?

Only when you are using Custom “Registration Form Type” as opposed to the Standard type. In this case, only the profile properties defined in “Registration Fields” can be uncovered.

Can you elaborate a bit more about this custom mode?

A typical DNN or Evoq contains close to 20 profile properties, such as first name, last name, city, region, country, phone number, etc. In theory, one can configure the registration form to have any or all of these fields. However, most sites only have a handful of registration fields in order to simplify the process for users. This vulnerability will allow anyone to uncover most of the registration properties present in the form. Using the standard configuration, only the three items noted earlier are discoverable.

Can date of birth be uncovered?

Date of birth is not defined as a profile property in general, with exception of Evoq Engage, where it’s present as a profile property. Since the date of birth was defined as “Date” type, it cannot be uncovered.

What about the Password?

Passwords cannot be uncovered.

What about Street Address?

It depends on whether you have been using custom registration mode and that you have those properties (street, city, region, country, etc.) present in the registration form. 

What’s the minimum data that can be uncovered?

The Email address. The custom mode requires a minimum profile property of Email to be present for registration. 

Can a Super User be created with this vulnerability?

No. It is not possible to make any changes to a site with this vulnerability. Only limited profile properties outlined above can be displayed.

Is this vulnerability present in 3rd party modules?

Our testing indicated that it was present in at least one 3rd party registration module. We have notified the vendor and are awaiting them to do a new release. We cannot reveal the name of the module here. If you are using a 3rd party registration module, then we strongly suggest that you contact the vendor and inquire about this vulnerability.

I am a vendor of such a module, what should I do?

I have created a custom module, WHAT SHOULD I DO?

Contact DNN Corp’s security team to obtain more details about the vulnerability so you can provide an updated module. The security team can be reached by email: [email protected]

I create users via an API, Am I AFFECTED BY THIS?

There is no vulnerability around creation of users. You can continue to create Users via APIs or stored procedure. Since the vulnerability exist around the registration system, you are still highly recommended to either apply the patch or upgrade to latest version of DNN / Evoq.

Which versions are affected by this?

Per our testing, this vulnerability is present in 6.2 and above.

Does it affect both DNN Platform and Evoq?

Yes, it affects both.

What’s the risk if I don’t patch or upgrade?

An unauthorized use can obtain profile properties such as Display Name, User Name, Email Addresses, etc. of ALL your users, including Super Users. It is important that you apply the patch or upgrade to the latest versions.

Should I upgrade to 9.0.2 and ALSO apply the patch?

No. Only one is sufficient. The patch is not required once you have upgraded to 9.0.2 or above. The latest release at the time of writing is 9.0.2. Our recommendation is to always upgrade to the latest version. 

What does the patch do?

The patch updates the registration system to correct the vulnerability. It also creates a test page under Host to verify whether that you are patched.

WHAT versions are supported by the patch?

DNN and Evoq version 6.2 till 9.0.1.

Does the patch fix 3rd party modules?

No. If you are using 3rd party registration module, you should contact the vendor.

Will the vulnerability in 3rd party module automatically be fixed after upgrade to 9.0.2?

Our testing indicates that the 3rd party modules should get automatically resolved. However, you should contact the vendor just to make sure.  9.0.2 certainly fixes the problem when no 3rd party registration module is being used.

How can I access this host page in 9.0.0 and 9.0.1?

Login as a Super User (not Admin), click “DNN Security Hot Fix 1” link under Manage menu in the Persona Bar.

I don’t understand what I am seeing under this new Host page, can you explain?

As noted earlier, the patch creates a page under Host menu. Depending on your site’s configuration, there can be three possible outcomes:
1. You are patched. This is to indicate that we feel your site is patched. However, if you use a 3rd party registration module on your site, then we are not in a position to say for sure. If you are not using a 3rd party registration module, then we are pretty confident that you are patched.

You are patched message

2. You may not be patched. The moment we detect that you have a custom registration page defined and that the page contains a non-standard DNN’s registration module, we flag that as “may not be patched”. We also list the sites where we find use of non-standard registration module. In this case, you should contact your module vendor.

You may not be patched message 1

3. You may not be patched. There is another situation where you might not be using a custom registration page, but a 3rd party module might have modified the default entry in the ModuleControls table for “Register” record. We flag this as “may not be patched” as well, and you should contact the vendor as well.
You may not be patched message 1

Can I uninstall this patch after the fact?

You may. However, the fix applied still remains in affect. 

What happens if my site breaks after application of this patch?

We suggest that you apply this patch in a test environment, run some tests and then apply in production. If your site still breaks, then we recommend that you post a comment here. Also, remember to take a backup of your production site before applying the patch. 

Can this patch be overwritten if I upgrade DNN or Evoq at a later day?

As long as you upgrade to DNN or Evoq 9.0.2 and above, you will remain protected. However, if you upgrade to an older version (e.g. 8.5), the patch will be overwritten. We recommend you visit the above host page again to reapply the patch automatically. In any case, you still run the risk if you are using a 3rd party registration module. You should contact the vendor and confirm.

I am an Evoq customer, how can I get more details

I am a DNN Community user, how can I get more details

There are a few ways to interact further:
1. Use comments in this blog
2. Ask a question in the forums: http://www.dnnsoftware.com/forums

What if I have further security related questions

You are more than welcome to reach out to DNN’s Security team by sending an email to [email protected]

 

HOW DO I APPLY PATCH?

Patch is a standard DNN module, that can be installed as any other DNN extension. You must be a Super User to do that though.

WHERE CAN I DOWNLOAD 9.0.2 FROM?

You can download Install and Upgrade package of DNN Platform 9.0.2 from GitHub Repository. Evoq customers can download from here


WHERE CAN I DOWNLOAD Patch from?

You can download the "DNN Security Hot Fix 1"  from GitHub Repository. Here is the direct link:  https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.0.2/DNNSecurityFix1_01.00.00_Install.zip

Comments

Charles
The article mentions version 6 on up being affected, but only has the specific steps to patch if you go to version 9.

If I am version 8 and not ready to go to 9, can I apply a patch and if so, where do I get it?

Thanks,
Charles
Charles Saturday, February 18, 2017 3:51 PM (link)
David Jamell
Does this security issue affect sites that have registrations disabled?
David Jamell Sunday, February 19, 2017 11:29 AM (link)
Adam Lohne
I applied this patch to my test DNN Platform version 8.0.4 environment without error.

When I navigate to the 'DNN Security Hot Fix 1' link I receive the warning about having a 3rd party registration installed, but I do not have any 3rd party registration modules installed. In addition I have public registration set to None for all of the websites that are listed in the warning. All my users are added by a DNN Administrator, not via the DNN registration page.
Adam Lohne Monday, February 20, 2017 1:18 PM (link)
Bill Benjamin
I'm trying to understand the impact to clients. Does this affect anyone who either has a custom authentication provider that performs auto registration? Does this affect anyone who has registration type set to "private" or "none"?
Bill Benjamin Monday, February 20, 2017 7:29 PM (link)
Larry Daniele
I just applied the patch to three DNN sites. In Host > "DNN Security HotFix 1", two of them reported "WARNING: YOU MAY NOT BE PATCHED." I traced the problem down to the fact that the two problem sites had Admin > Site Settings > Advanced Settings > Registration Page set to a page named "Register". The page was a text-only page explaining our "no registration policy". It had absolutely NO third party registration module on the page. So in this case, I believe the warning message was a "false positive" and should be fixed. Otherwise, the patch went smoothly. Thanks!
Larry Daniele Sunday, February 26, 2017 3:30 PM (link)
Gus Beare
Can you tell me how this vulnerability is carried out? In loose terms. I want to know if a site with no public registration and only trusted users is ok.
Gus Beare Wednesday, March 1, 2017 7:01 PM (link)
Ash Prasad
@Gus - If "User Registration" under Site Settings > User Account Settings is set to None, then this vulnerability does not apply.
@Larry - That might be the case. However, you must do the above (what I wrote to @Gus) to be 100% sure that you are protected.
@David Risner - You are still vulnerable if it is set to Private.
@[email protected] Jamell - Pls read the comment for @Gus
@Charles - The patch is a simple module. You should follow module installation instructions to install it (Host > Extensions). Patch works from 6.2 till 9.0.1
Ash Prasad Saturday, March 11, 2017 12:08 AM (link)

Comment Form

Only registered users may post comments.

NewsArchives


(iJungleboy) Daniel Mettler (142)
Aderson Oliveira (15)
Alec Whittington (11)
Alex Shirley (10)
Andrew Nurse (30)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (28)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (209)
Chris Paterra (55)
Clinton Patterson (29)
Cuong Dang (21)
Daniel Bartholomew (2)
Dave Buckner (2)
David Poindexter (3)
David Rodriguez (2)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (74)
Geoff Barlow (9)
George Alatrash (1)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (272)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matthias Schlomann (15)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (28)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Peter Donker (52)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott S (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Timo Breumelhof (24)
Tony Henrich (3)
Torsten Weggen (2)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (38)
Will Strohl (164)
William Severance (5)
DNN Launch Webinar
REGISTER NOW
DNN Launch Webinar
REGISTER NOW
DNN Launch Webinar
REGISTER NOW