
The Mystery of the Vanishing Website Pages

A few weeks ago, I was contacted by a community member who was facing a strange phenomenon in his multi-site DNN: a couple of pages got deleted, and this happened again and again, especially to newly created pages. He provided me with Host access, and I investigated the settings and the event log, but there was no obvious hole. For all of the few registered users and admins, he had recently changed the passwords, that's it.

My first step was turning on DNN event logging for all relevant event log types (note: make sure you have all log types registered; upgraded sites in particular are sometimes missing a few. You can ensure you have the full list by downloading the full list and running it in Host > SQL). I also created a couple of default pages on a rarely used site within the DNN. After a few days, some of my recently created pages were moved to the recycle bin. This was logged in the DNN event log, interestingly usually just after updates to page info and page settings, with no user logged in, and at more or less the same hours of the day. This led me to the scheduler and its scheduled jobs, but according to the history, no job was executed around this time.

Using Host > Configuration Manager, I set the log4net level to "All" (in the file DotNetNuke.log4net.config), but the log didn't really provide additional hints. Meanwhile, two of the pages got defaced by a hacker, which thrilled me even more.

Finally, I requested the IIS log files from the hosting provider. According to the log files, the page deletions were caused by different search indexing bots from Google and others. Now I was puzzled and checked the pages that had been deleted, and I noticed a fact I had overlooked before: they had edit permission granted to the "All Users" role, which exposed the Control Panel to any visitor (I am still not sure why this had been applied by default to some of the test pages I created). With the CP exposed, the spider followed all links, including "page settings" and "delete page" - ouch.

I wrote a little script to remove these permissions from pages, modules, folders and module definitions; it also makes sure all necessary permissions are created for superusers, admins, registered users and visitors (it is available for download here). After I applied it, no page got deleted any more. Another support case solved successfully :)

PS: If you are not sure about the permissions granted for your pages, modules and folders, you might consider downloading the script and running it in Host > SQL.
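To see whether a site is exposed before changing anything, the read-only query below lists pages and modules where edit permission is granted to the "All Users" or "Unauthenticated Users" role. It is an added example, not the AdjustPermissions script mentioned above; it assumes the standard DNN tables (Tabs, TabPermission, TabModules, ModulePermission, Permission) under the dbo owner with no object qualifier, so adjust the names if your installation uses one.

```sql
-- Added example: read-only audit, makes no changes.
-- Assumptions: standard DNN schema, dbo owner, no object qualifier.
-- RoleID -1 = "All Users", RoleID -3 = "Unauthenticated Users".

-- Pages where anonymous visitors (and therefore crawlers) hold EDIT
SELECT 'Page'            AS ObjectType,
       t.PortalID,
       t.TabID,
       t.TabName         AS Name,
       tp.RoleID,
       t.IsDeleted       AS InRecycleBin
FROM   dbo.TabPermission AS tp
JOIN   dbo.Permission    AS p ON p.PermissionID = tp.PermissionID
JOIN   dbo.Tabs          AS t ON t.TabID = tp.TabID
WHERE  tp.AllowAccess = 1
  AND  tp.RoleID IN (-1, -3)
  AND  p.PermissionCode = 'SYSTEM_TAB'
  AND  p.PermissionKey  = 'EDIT'

UNION ALL

-- Modules with the same grant, reported with the page they sit on
SELECT 'Module',
       t.PortalID,
       t.TabID,
       tm.ModuleTitle,
       mp.RoleID,
       tm.IsDeleted
FROM   dbo.ModulePermission AS mp
JOIN   dbo.Permission       AS p  ON p.PermissionID = mp.PermissionID
JOIN   dbo.TabModules       AS tm ON tm.ModuleID = mp.ModuleID
JOIN   dbo.Tabs             AS t  ON t.TabID = tm.TabID
WHERE  mp.AllowAccess = 1
  AND  mp.RoleID IN (-1, -3)
  AND  p.PermissionCode = 'SYSTEM_MODULE_DEFINITION'
  AND  p.PermissionKey  = 'EDIT'

ORDER BY PortalID, TabID, ObjectType;
```

An empty result means no page or module grants edit rights to anonymous visitors; any row returned is a page or module whose permissions should be reviewed, and rows with InRecycleBin = 1 show pages that were already deleted while the grant was in place.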

Comments

Tycho de Waard
Hi Sebastian

Many thanks! A customer of mine also complained about broken links which appeared to be the result of deleted pages. Now I know what causes it (not an editor issue). It seems to me like a major issue. I didn't find the bug (yet) in the bug tracker, am I right?

grtz
Tycho
Tycho de Waard Monday, October 5, 2015 3:24 AM (link)
Joseph Craig
Thanks. I've heard reports about this happening before, but never had the chance to track down the cause.

I'll certainly remember this!
Joseph Craig Monday, October 5, 2015 10:08 AM (link)
Richard Howells
Good detective work Sebastian. Thank you for writing it up.
Richard Howells Monday, October 5, 2015 12:13 PM (link)
Jacques Woolston
A mistake easily made by Admins and difficult to get to the bottom of... I've had this one before!
Jacques Woolston Monday, October 5, 2015 12:31 PM (link)
Sebastian Leupold
Tycho,
it is not really a bug in DNN - the system behaves like this to anyone, who is granted edit permission for a page or module.
However, we might improve security by disabling the option to grant edit permission to "All Users" or "Unauthenticated Users" roles.
Sebastian Leupold Monday, October 5, 2015 12:35 PM (link)
Sebastian Leupold
PS: My AdjustPermissions script fixes a couple of these permission issues - it shouldn't hurt to apply it to any of your DNN installations, if you are not sure, whether all permissions are properly assigned :)
Sebastian Leupold Monday, October 5, 2015 12:37 PM (link)
Erik Hinds
I can't think of any scenario where you would give any unauthenticated visitor edit rights to a page. In my opinion, this option should not even exist. Does anybody have a valid use case for this? I'd be interested to hear it.
Erik Hinds Tuesday, October 6, 2015 10:16 AM (link)
Sebastian Leupold
Erik, for my test pages, I just clicked "create page" and entered a name - as written above, atm I have no clue, why edit permission was granted to "All Users" role.
Sebastian Leupold Tuesday, October 6, 2015 10:31 AM (link)
