In a break from the norm, we're reporting on an issue which is not a DotNetNuke problem, but rather an IIS problem. The reason we're doing this is that we've had a few reports of it being exploited in conjunction with very old DotNetNuke websites - specifically versions 3.0 to 4.8.2 that are running on Windows 2003/IIS6 and that have not followed Microsoft security best practices. We'd also like to provide some advice and guidance to the community and not allow any incorrect reports to cause undue concern.
Details of the IIS issue
Whilst some sites are claiming this as a 0-day exploit (http://en.wikipedia.org/wiki/Zero-Day_Exploit), Microsoft regard this issue as a misconfiguration, rather than a problem, though there is some indication they're considering a patch for it. You can read more about the IIS issue @
http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx &
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
In short, IIS6 can be fooled into thinking a file with an asp extension is actually a safer extension such as jpg/gif. This matters if a folder supports file uploads and also allows script files to execute. Where this becomes valuable from a DotNetNuke perspective is that an issue existed in versions 3.0-4.8.2 where it was possible for anonymous users to upload files. The scope of this issue was limited as DotNetNuke did some additional validation to check for a list of "safe" extensions such as jpg. However, if it is combined with the IIS issue, it's possible to subvert that check for asp pages. Note, this bug does not work with ASP.NET, as the framework doesn't recognise files obscured via this technique as .NET files.
Please note, if you're running 4.8.3 or higher (or not running on IIS6) this is not a concern from a DotNetNuke perspective. As 4.8.3 has been out for nearly 2 years (released May 23rd 2008), and we've had 20 releases since then, we believe there's only a small number of people on versions that old, but we thought it would be good to let people know just in case they are running very old versions.
For those interested you can read the original security bulletin @ http://www.dotnetnuke.com/News/SecurityPolicy/SecurityBulletinno17/tabid/1162/Default.aspx and a reminder blog we posted last year @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2256/Blast-from-the-past-or-why-its-good-to-keep-up-to-date.aspx
IIS 6/Windows 2003 mitigations
If you're running on IIS6 with a version of DotNetNuke prior to 4.8.3, you can make some configuration changes to ensure this is not an issue. If you've followed the IIS best practices (http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx) you won't have any problems, but if you don't want to apply all the steps, any of the following will provide protection against this issue (they're listed in order of recommendation):
- Consider running on a later version of IIS (IIS7/IIS7.5). Many hosts already run on later versions of IIS, as Windows 2003 is nearing the end of its mainstream support.
- Remove the asp mapping at the server level - http://technet.microsoft.com/en-us/library/cc875829.aspx details how to disable it at the server level.
- Remove the asp mapping from the website.
- Remove the "execute" permissions from the Portals folder (all file uploads occur in this folder and its subfolders).
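
Alongside the mitigations above, the upload folder can be audited for file names that a check on the final extension alone would accept. The following is an added example, not part of the original post or DotNetNuke's code; the script-extension list and the `Portals` default path are assumptions to adapt to your own server.

```python
import os
import sys

# Extensions IIS6 maps to the classic ASP engine by default. Assumed list for
# this example; compare it with the script mappings on your own server.
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}


def classify_upload_name(name):
    """Return the reasons a file name is suspect (empty list means clean)."""
    lowered = name.lower()
    reasons = []
    if ";" in lowered:
        reasons.append("semicolon in name")
    # Treat ';' like '.' and inspect every segment between the base name and
    # the final extension, so a check on the last extension alone is not trusted.
    middle = lowered.replace(";", ".").split(".")[1:-1]
    if any("." + part in SCRIPT_EXTS for part in middle):
        reasons.append("embedded script extension")
    if os.path.splitext(lowered)[1] in SCRIPT_EXTS:
        reasons.append("script extension")
    return reasons


def audit_upload_tree(root):
    """Walk root and return {relative path: reasons} for each suspect file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reasons = classify_upload_name(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    # Path to the site's Portals folder; "Portals" is a placeholder default.
    root = sys.argv[1] if len(sys.argv) > 1 else "Portals"
    for path, reasons in sorted(audit_upload_tree(root).items()):
        print(f"{path}: {', '.join(reasons)}")
```

Any hit in a folder that still has script execution enabled is worth reviewing, including the file's contents and the time it was uploaded.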