A few weeks ago, the DNN Security team released a blog post describing a workaround for a recently discovered vulnerability in the DNN Install Wizard. While the fix is simple, we know that there will still be users who didn't see the blog post or who were hesitant to implement the workaround since it meant deleting core platform files.
It has been our practice to only provide CMS security fixes in a full DNN build, but given the critical nature of this issue and some delays in releasing DNN 7.4.1, we felt it was worth implementing the suggested workaround in a module which would work for any site running DNN Platform 6.2.0 or later. We limited this module to later DNN releases because we felt that security issues in releases prior to 6.2.0 were significant enough that patching this one issue would not be sufficient to adequately protect users. If you are running a version prior to DNN 6.2.0, you should upgrade to one of the latest releases to ensure your site is adequately secured.
In addition to programmatically fixing the Install Wizard issue, we also wanted to provide some tools which would help identify potential security issues with your site configuration. The security analyzer includes three primary tools:
- Audit Checks – This is a set of checks which look at your site configuration and recommend actions you can take to provide additional security.
- Scanner Checks – This is a tool which allows you to search your database and file system for unwanted content and flag where that content might be appearing in your site. This is often useful when you find pages on your site have been defaced and you want to ensure that no other pages have been similarly tampered with.
- Super User Activity – This is a quick way to see all of the Super User accounts and to determine when they were created and when they were last used.
While most of this functionality is still somewhat rudimentary, it provides a foundation for future releases which will more fully analyze your site for problems and provide prescriptive guidance on how to further harden your installation. The Security Analyzer will be included with DNN Platform 7.4.1 and will become a standard part of all releases going forward.
We have a backlog of enhancements that we are working on for future releases of this module, which should help you keep your DNN websites secure. If there are additional features you would like to see, just post them to the DNN Issue tracker.
You can download the Security Analyzer from the DNN Forge.