
IIS6 - a word of warning on an issue affecting some websites

In a break from the normal we're reporting on an issue which is not a DotNetNuke problem, but rather an IIS problem. The reason we're doing this is that we've had a few reports of it being exploited in conjunction with very old DotNetNuke websites - specifically versions 3.0 to 4.8.2 that are running on Windows 2003/IIS6 and that have not followed Microsoft security best practices. We'd also like to provide some advice and guidance to the community and not allow any incorrect reports to cause undue concern.

Details of the IIS issue
Whilst some sites are claiming this as a 0-day exploit (http://en.wikipedia.org/wiki/Zero-Day_Exploit), Microsoft regard this issue as a misconfiguration rather than a vulnerability, though there is some indication they're considering a patch for it. You can read more about the IIS issue @
http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx &
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx

In short, IIS6 can be fooled into thinking a file with an asp extension is actually a safer extension such as jpg/gif, provided a folder both accepts file uploads and allows script files to execute. Where this becomes valuable from a DotNetNuke perspective is that an issue existed in versions 3.0-4.8.2 where it was possible for anonymous users to upload files. The scope of this issue was limited as DotNetNuke did some additional validation to check for a list of "safe" extensions such as jpg. However, if it is combined with the IIS issue it's possible to subvert that check for asp pages. Note, this bug does not work with ASP.Net as the framework doesn't recognise files obscured via this technique as .net files.

Please note, if you're running 4.8.3 or higher (or not running on IIS6) this is not a concern from a DotNetNuke perspective. As 4.8.3 has been out for nearly 2 years (released May 23rd 2008), and we've had 20 releases since then, we believe there's only a small number of people on versions that old, but we thought it would be good to let people know just in case they are running very old versions.

For those interested you can read the original security bulletin @ http://www.dotnetnuke.com/News/SecurityPolicy/SecurityBulletinno17/tabid/1162/Default.aspx and a reminder blog we posted last year @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2256/Blast-from-the-past-or-why-its-good-to-keep-up-to-date.aspx

IIS 6/Windows 2003 mitigations
If you're running on IIS6 with a version of DotNetNuke prior to 4.8.3, you can make some configuration changes to ensure this is not an issue. If you've followed the IIS best practices (http://technet.microsoft.com/en-us/library/cc782762(WS.10).aspx) you won't have any problems, but if you don't want to apply all the steps, any of the following will provide protection for this (they're listed in order of recommendation):

  • Consider running on a later version of IIS (IIS7/IIS7.5). Many hosts already run on later versions of IIS, as Windows 2003 is nearing the end of its mainstream support.
  • Remove the asp mapping at the server level - http://technet.microsoft.com/en-us/library/cc875829.aspx details how to disable it at the server level.
  • Remove the asp mapping from the website.
  • Remove the "execute" permissions from the Portals folder (all file uploads occur in this folder and its subfolders).
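Alongside the server-side mitigations above, administrators may want two application-side checks: an upload filename validator that refuses names IIS6 could reinterpret via the semicolon behaviour, and a scan of IIS W3C logs for requests under /Portals/ that carry a semicolon. The following is an added example written for this post, not DotNetNuke's own code; the allow-list, the field layout and the log lines are constructed, and the validator is deliberately stricter than the page requires (a script extension anywhere in the name is refused).

```python
"""Defender-side checks for the IIS6 semicolon/extension issue described above."""
import re

# Constructed allow-list; DotNetNuke's own list of "safe" upload extensions is not reproduced.
SAFE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "pdf", "txt"}
# Extension IIS6 hands to the ASP script engine when the asp mapping is still present.
SCRIPT_EXTENSIONS = {"asp"}


def is_safe_upload_name(filename):
    """Return (ok, reason). Checks more than the trailing extension, so a name that
    IIS6 could ever resolve to a script extension is refused."""
    if not filename or filename != filename.strip():
        return False, "empty or padded name"
    if re.search(r"[\\/\x00-\x1f]", filename):
        return False, "path separator or control character"
    # IIS6 treats ';' as the end of the file name, so 'x.asp;.jpg' is handled as x.asp.
    if ";" in filename:
        return False, "semicolon in name"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    # Stricter than the page requires: a script extension anywhere in the name is refused.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return False, "script extension present"
    if parts[-1] not in SAFE_EXTENSIONS:
        return False, "extension not in allow-list"
    return True, "ok"


def suspicious_portal_requests(log_text):
    """Scan IIS W3C extended log text for requests under /Portals/ whose path
    contains ';'. Returns the matching cs-uri-stem values for review."""
    stem_idx, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):          # field order is declared in the log itself
            stem_idx = line.split()[1:].index("cs-uri-stem")
            continue
        if not line or line.startswith("#") or stem_idx is None:
            continue
        cols = line.split()
        if len(cols) > stem_idx:
            stem = cols[stem_idx]
            if stem.lower().startswith("/portals/") and ";" in stem:
                hits.append(stem)
    return hits


# Constructed sample log (not taken from any real server).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2010-01-05 10:00:01 GET /Portals/0/logo.gif - 200
2010-01-05 10:00:02 GET /Portals/0/upload.asp;.jpg - 200
2010-01-05 10:00:03 GET /Default.aspx tabid=55 200
"""
```

Run `suspicious_portal_requests` over a day's log and review every hit against the upload folder's contents; on a correctly mitigated server (asp mapping removed or execute permission withdrawn) such requests are harmless but still worth noting.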
