
DNN Security Analyzer

A few weeks ago, the DNN Security team released a blog post describing a workaround for a recently discovered vulnerability in the DNN Install Wizard. While the fix is simple, we know that there will still be users who didn't see the blog post or who were hesitant to implement the workaround since it meant deleting core platform files.

It has been our practice to only provide CMS security fixes in a full DNN build, but given the critical nature of this issue and some delays in releasing DNN 7.4.1, we felt it was worth implementing the suggested workaround in a module which would work for any site running DNN Platform 6.2.0 or better. We limited this module to later DNN releases because we felt that security issues in releases prior to 6.2.0 were significant enough that patching this one issue would not be sufficient to adequately protect users. If you are running a version prior to DNN 6.2.0, you should upgrade to one of the latest releases to ensure your site is adequately secured.

In addition to programmatically fixing the Install Wizard issue, we also wanted to provide some tools which would help identify potential security issues with your site configuration. The security analyzer includes three primary tools:

  1. Audit Checks – This is a set of checks which looks at your site configuration and recommends actions you can take to provide additional security.
  2. Scanner Checks – This is a tool which allows you to search your database and file system for unwanted content and flag where that content might be appearing in your site. This is often useful when you find pages on your site have been defaced and you want to ensure that no other pages have been similarly tampered with.
  3. Super User Activity – This is a quick way to see all of the Super User accounts and to determine when they were created and when they were last used.
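
For sites where the module cannot be installed, the Super User Activity review described in item 3 can be approximated directly against the database. The query below is an added example, not the Security Analyzer's own code; it assumes SQL Server, a default DNN schema (`dbo`, no object qualifier), the standard ASP.NET membership tables behind DNN's default membership provider, and a single membership application in the database. The 90-day threshold is a constructed value.

```sql
-- Added example, not the Security Analyzer's own query.
-- Assumptions: SQL Server 2008+, default DNN schema (dbo, no objectQualifier),
-- standard ASP.NET membership tables, one membership application per database.
DECLARE @StaleDays int = 90;  -- constructed review threshold; adjust to policy

SELECT
    u.UserID,
    u.Username,
    u.DisplayName,
    u.Email,
    u.CreatedOnDate,                    -- when the super user account was created
    creator.Username AS CreatedBy,      -- NULL when no matching creator row exists
    m.LastLoginDate,                    -- stored in UTC by the membership provider
    m.LastPasswordChangedDate,
    m.IsApproved,
    m.IsLockedOut,
    u.IsDeleted,
    CASE
        WHEN m.UserId IS NULL
            THEN 'No membership record: investigate'
        -- LastLoginDate still equal to CreateDate usually means no login yet
        WHEN m.LastLoginDate <= m.CreateDate
            THEN 'Never logged in since creation'
        WHEN DATEDIFF(day, m.LastLoginDate, GETUTCDATE()) > @StaleDays
            THEN 'Stale: no recent login'
        ELSE 'Active'
    END AS ReviewNote
FROM dbo.Users AS u
LEFT JOIN dbo.Users AS creator
       ON creator.UserID = u.CreatedByUserID
LEFT JOIN dbo.aspnet_Users AS au
       ON au.LoweredUserName = LOWER(u.Username)
LEFT JOIN dbo.aspnet_Membership AS m
       ON m.UserId = au.UserId
WHERE u.IsSuperUser = 1
ORDER BY u.CreatedOnDate DESC;      -- newest accounts first
```

Any super user that nobody on the team recognises, or that was created outside a known maintenance window, deserves the same scrutiny as a defaced page.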

While most of this functionality is still somewhat rudimentary, it provides a foundation for future releases which will more fully analyze your site for problems and provide prescriptive guidance on how to further harden your installation. The Security Analyzer will be included with DNN Platform 7.4.1 and will become a standard part of all releases going forward.

We have a backlog of enhancements that we are working on for future releases of this module, which should help you keep your DNN websites secure. If there are additional features you would like to see, just post them to the DNN Issue tracker.

You can download the Security Analyzer from the DNN Forge.

Comments

Chris Hammond
Estimated date for release?
Chris Hammond Monday, May 18, 2015 10:03 PM (link)
Joe Brinkman
@chris Next week before DNN-Connect.
Joe Brinkman Monday, May 18, 2015 10:04 PM (link)
Jaydeep Bhatt
Joe,
You mean 7.4.1 will be released next week?
Jaydeep Bhatt Tuesday, May 19, 2015 12:31 AM (link)
William N
Thanks for this Joe!

Identifying potential vulnerabilities on numerous sites with content and modules being added & managed by multiple users is something we have been contemplating quite a bit recently. I really appreciate that you made this a community module!
William N Tuesday, May 19, 2015 12:36 AM (link)
Ernst Peter Tamminga
Nice!
Ernst Peter Tamminga Tuesday, May 19, 2015 3:03 AM (link)
XCESS Support
Very handy module!
XCESS Support Tuesday, May 19, 2015 4:10 AM (link)
Daniel Mettler
Awesome stuff - thanks!
Daniel Mettler Tuesday, May 19, 2015 11:46 AM (link)
Ryan Moore
This is fantastic, as an audit tool that's installed, it helps a host user with different levels of access to the server have a tool that can help audit and secure. Thanks!

One thing that I'd liked and used back in DNN 5x days was a module from SHancer called EncryptConfig... it worked as either a module or dashboard control. With it, you were able to click to encrypt or unencrypt key sections of the web.config including the 2 connection string locations.

I could see working a function like that into a future version of this.
Ryan Moore Thursday, May 21, 2015 2:49 PM (link)
Will Strohl
It's a nice quick scan. What are some of the community ideas for contributing updates?
Will Strohl Friday, May 22, 2015 10:02 PM (link)
Mark Buelsing
Thank you for providing this valuable analysis tool! I have used it several times and it has made my process go much quicker.

I do have a suggestion about the "Recently Modified Settings" tab. I see a need to be able to choose the start date for the report it produces. On a site that recently received a fair amount of legitimate development work AFTER it had been silently hacked, the report is showing me all my own settings changes but does not go back far enough to show the hacker's changes that occurred before my own.

Indeed, as time passes, anyone who comes late to this game of cleaning up a hacker's activity will likely not benefit from this tab unless we can control the start date at least. Other criteria that would be useful might be an end date for the reports and/or a number of items choice. (30 rows instead of the standard 20).

Again, I'm grateful for this tool. Thank you for all your work on it!
Mark Buelsing Sunday, July 10, 2016 12:30 PM (link)
Joubert Sarte
The download link is not available.
Joubert Sarte Wednesday, June 28, 2017 9:37 PM (link)
Rusty Redinger
Is there still a security analyzer tool? I'm still on 7.1 and can't upgrade. A tool to verify if I'm patched would be a pretty cool thing to have!
Rusty Redinger Monday, July 17, 2017 5:26 PM (link)
