Products

Solutions

Resources

Partners

Community

About

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.


Workaround for potential security issue

Recently a security researcher contacted us with details of a potential issue in the Install Wizard functionality of DNN. We were able to validate their findings, and have created a fix which will come in the DNN Platform 7.4.1 release which is due out in a few weeks.

 

Normally we would not provide any advance detail of a security fix as that tends to benefit potential hackers more than users. However, a few days ago we received a report from a user that that one of their sites had been exploited. Based on the information from that user, it seems that their site had been exploited via the same vulnerability. Since that case we had one other report, so it appears that this is being exploited on a limited basis.

 

Whilst the vulnerability itself would be classified as "critical", there are a number of pieces of mitigation such that it only applies to a small subset of users. However we don't feel comfortable with having user sites potentially vulnerable to an issue that is in use "in the wild", so we are suggesting an easy workaround for the issue.

 

To ensure your site’s security, please delete the following files:

InstallWizard.aspx

InstallWizard.aspx.cs

 

Note: when 7.4.1 is released, we will publish a security bulletin for this issue and will detail the version(s) of DNN that are vulnerable, as well as providing more detail on which configurations are potentially vulnerable.

Comments

Geoff Barlow
Hi Cathal,

Thanks for the heads up on this!

Could you tell us what versions this effects and also what effect will it have to delete the files you have mentioned towards upgrading etc. Do we need to keep copies of them in a secure place for upgrade purposes etc.

Thanks,
Geoff.
Geoff Barlow Tuesday, April 28, 2015 2:46 AM (link)
Geoff Barlow
Sorry, forgot to ask...

Is it also a good idea to delete the following file as well:

- install.aspx
- install.aspx.cs / .vb

Regards,
Geoff.
Geoff Barlow Tuesday, April 28, 2015 2:51 AM (link)
Gilles Le Pigocher
Hi,

I'm a little bit late, but you can use a small program I created a few years ago for a similar problem.

CleanCrack: http://1drv.ms/1GDQs56
Sources: http://1drv.ms/1GDQDxk

Unzip cleancrack where you want on your server, open a command window then go to the folder where you have unziped cleancrack. Typical usage is: cleancrack /folder:"C:\inetpub\wwwroot" /patterns:install.aspx,install.aspx.vb,install.aspx.cs /verbose:true
Gilles Le Pigocher Tuesday, April 28, 2015 9:51 AM (link)
cathal connolly
@Geoff At present we're still finishing the investigation into the scope of this. When that happens we make an assumption that all versions are affected until proven otherwise.

As to the affects there are known, those files are only used during installation, and theres no need to back them up
cathal connolly Tuesday, April 28, 2015 12:05 PM (link)
Jan Jonas
I do not know any details about this specific security issue, but isn't the fact that you can access the files /install/... without being logged (in as host admin) a security problem?
Jan Jonas Wednesday, April 29, 2015 4:03 PM (link)
Geoff Barlow
@Cathal Thanks for the info. I understand that you can't really give any more info on the subject and you are doing the best you can to investigate into this.

I am sure that everyone is pleased to see that, even though you can't really say what the 'potential security issue' is, you have given a solution to solve it before it becomes a real problem.

Thanks Cathal!
Geoff Barlow Thursday, April 30, 2015 2:44 AM (link)
Ryan Moore
Folks, for now, two quick questions

1. Quick Rename:
For speed of edits to protect many sites quickly, would it be enough to either delete or rename the whole /Install/ folder to something else?

Then when a patch is ready we can apply and or rename back before applying?

2. Older DNNs:
I assume that when a patch is released for 7.4.x there will be matching patches for 5.6.8 top and 6.top, right?
Ryan Moore Thursday, April 30, 2015 6:12 PM (link)
cathal connolly
@Ryan - 1. we recommend just deleting the installwizard files, as some hosts use install.aspx to do automated upgrades/module installs. If you don't you can delete the entire install folder safely.

2. im afraid not, we are only supporting the 7.x branch as the older branches have been "sunsetted" (see http://www.dnnsoftware.com/wiki/security for the policy). We are currently testing older branches to see if they're vulnerable, when we publish 7.4.1 the security bulletin will list the versions that are potentially affected
cathal connolly Friday, May 1, 2015 9:48 AM (link)
Patrick Ryan
What about UpgradeWizard.aspx and UpgradeWizard.aspx.cs?
Patrick Ryan Friday, May 1, 2015 3:38 PM (link)
William N
Hi Cathal,

Thank you for this notice.

Do you think this post should be referenced on the Security Center page (http://www.dnnsoftware.com/platform/manage/security-center)? I personally only check the community blog once or twice a week for updates but I check the Security Center daily, I'm thinking others might as well.

Thanks again!
William N Sunday, May 3, 2015 6:54 PM (link)
cathal connolly
@William - i'll see if it can be done, though that's a custom page. Note: this is the first (and hopefully only) time we've done a pre-release workaround, so it should not be necessary again
cathal connolly Sunday, May 3, 2015 7:00 PM (link)
Jan Jonas
Hi all,
we've just released our (professional) module "DNN Hardening" (http://store.dnnsoftware.com/home/product-details/dnn-hardening) which should fix the security problem mentioned in this post. After installing the module, the /install directory is protected from being accessed by unauthorized users (i.e. non super users). The module is compatible with all DNN 7.
If there is a demand for a version that is compatible to DNN 6.X, please contact use here https://weweave.net/s/contact.
Jan Jonas Monday, May 4, 2015 2:29 AM (link)
mohammad azarbara
thanks Cathal, for this post
mohammad azarbara Monday, May 4, 2015 4:23 AM (link)
Ryan Moore
BTW, All, Joe Brinkman just wrote about another solution that can help analyze... feels like a great start to a module that will help with general security and could grow to other functions in the future...

http://www.dnnsoftware.com/community-blog/cid/155214/dnn-security-analyzer
http://www.dnnsoftware.com/forge/dnn-security-analyzer

In Joe's description, with this module they wanted, "... In addition to programmatically fixing the Install Wizard issue, we also wanted to provide some tools which would help identify potential security issues with your site configuration. The security analyzer includes three primary tools:
Audit Checks – Scanner Checks – Super User Activity. "

Be sure to check it out. It's set to run on DNN instances from 6.2 up

Ryan Moore Thursday, May 21, 2015 2:38 PM (link)

Comment Form

Only registered users may post comments.

NewsArchives


Aderson Oliveira (22)
Alec Whittington (11)
Alessandra Daniels (3)
Alex Shirley (10)
Andrew Hoefling (3)
Andrew Nurse (30)
Andy Tryba (1)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (37)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Bogdan Litescu (1)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (213)
Chris Paterra (55)
Clint Patterson (108)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (181)
Daniel Valadas (48)
Dave Buckner (2)
David Poindexter (12)
David Rodriguez (3)
Dennis Shiao (1)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (80)
Francisco Perez Andres (17)
Geoff Barlow (12)
George Alatrash (12)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (274)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Kelly Ford (4)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matt Rutledge (2)
Matthias Schlomann (16)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (40)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Oliver Hine (1)
Patricio F. Salinas (1)
Patrick Ryan (1)
Peter Donker (54)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Sacha Trauwaen (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott Schlesier (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Steven Fisher (1)
Tony Henrich (3)
Torsten Weggen (3)
Tycho de Waard (4)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (40)
Will Strohl (180)
William Severance (5)
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out