Recently a security researcher contacted us with details of a potential issue in the Install Wizard functionality of DNN. We were able to validate their findings and have created a fix, which will ship in the DNN Platform 7.4.1 release, due out in a few weeks.
Normally we would not provide any advance detail of a security fix, as that tends to benefit potential hackers more than users. However, a few days ago we received a report from a user that one of their sites had been exploited. Based on the information from that user, it seems that their site had been exploited via the same vulnerability. Since that case we have had one other report, so it appears that this is being exploited on a limited basis.
Whilst the vulnerability itself would be classified as "critical", there are a number of mitigating factors, such that it only applies to a small subset of users. However, we don't feel comfortable with having user sites potentially vulnerable to an issue that is in use "in the wild", so we are suggesting an easy workaround for the issue.
To ensure your site’s security, please delete the following files:
InstallWizard.aspx
InstallWizard.aspx.cs
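For administrators with several sites to check, the following PowerShell function is an added example (not DNN's own tooling) that searches each site folder for the two files named above, deletes them, and reports what it found. The function name `Remove-DnnInstallWizard` and the folder paths in the usage comment are hypothetical; pass the folders where your own sites are deployed.

```powershell
# Added example: find and delete the two Install Wizard files named in this post.
# The function name and the example paths are hypothetical.
function Remove-DnnInstallWizard {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$SiteRoot
    )
    begin {
        # File names taken from the workaround above.
        $targets = 'InstallWizard.aspx', 'InstallWizard.aspx.cs'
    }
    process {
        foreach ($root in $SiteRoot) {
            if (-not (Test-Path -LiteralPath $root -PathType Container)) {
                Write-Warning "Skipping '$root': not a directory."
                continue
            }
            # Search the whole site tree; -contains matches names case-insensitively.
            $found = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $targets -contains $_.Name }

            foreach ($file in $found) {
                $removed = $false
                # With -WhatIf, ShouldProcess returns $false and nothing is deleted.
                if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete')) {
                    Remove-Item -LiteralPath $file.FullName -Force
                    $removed = -not (Test-Path -LiteralPath $file.FullName)
                }
                # One record per file found, for the change log.
                [pscustomobject]@{
                    SiteRoot      = $root
                    Path          = $file.FullName
                    LastWriteTime = $file.LastWriteTime
                    Removed       = $removed
                }
            }
        }
    }
}

# Dry run first, then delete (constructed example paths):
# 'D:\inetpub\site1', 'D:\inetpub\site2' | Remove-DnnInstallWizard -WhatIf
# 'D:\inetpub\site1', 'D:\inetpub\site2' | Remove-DnnInstallWizard
```

A site that returns no records did not contain either file under the folder you supplied.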
Note: when 7.4.1 is released, we will publish a security bulletin for this issue and will detail the version(s) of DNN that are vulnerable, as well as providing more detail on which configurations are potentially vulnerable.