
The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.


Critical Security Update - Please Read

In April 2015 we issued a security warning about the DNN install wizard (“InstallWizard.aspx”), with instructions on how to protect your site, and we released a patch in May 2015. We have recently learned of a new mechanism that exploits this same vulnerability.

This vulnerability is quite severe. It enables an external user to:
  • Create a new Host (SuperUser) account.
  • Update Host records and tables.
  • Clear SMTP settings.
  • Upgrade or alter installed modules.

The following steps are required to safeguard your site against this vulnerability:
  1. Remove the Install.aspx, Install.aspx.cs, InstallWizard.aspx, InstallWizard.aspx.cs, UpgradeWizard.aspx and UpgradeWizard.aspx.cs files from the Install folder under the website root immediately.
  2. Go to Host > Host Settings > Other Settings > Allowable File Extensions and ensure that .aspx is NOT in the list of uploadable extensions.
  3. Go to Host > SuperUser Accounts and review the users listed in the Super User section to ensure that only known and authorized users are present. Remove any unauthorized users.
  4. Search the root folder and subfolders of your site for files with .aspx or .php extensions. Some .aspx files are a legitimate part of a DNN installation, so carefully inspect any file before deleting it.

We have also just released Evoq 8.4.2 and DNN Platform 8.0.3 to further mitigate this issue. Evoq customers can download the latest packages from the Customer Support Network. DNN Platform users can download the latest packages from http://dotnetnuke.codeplex.com. Please visit our Security Center for additional information about security issues that have been addressed with each release.
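The file-system part of the steps above (step 1 and step 4), plus the date sort and the Default.aspx iframe check that Will Morgenweck recommends in the comments, can be run as a read-only audit before anything is deleted. The script below is an added example, not DNN code and not the Security Analyzer; it assumes the layout the advisory describes (an Install folder directly under the web root and Default.aspx at the root) and reports only, leaving removal to a human who has inspected each hit.

```python
"""Read-only post-advisory audit of a DNN site root.

Added example, not DNN's own code. Assumptions: <root>/Install holds the
installer pages and <root>/Default.aspx is the site's default page. No DNN
API is used; this is plain file-system inspection, so it can also be run
against an offline copy of the tree.
"""
import os
import re
import sys
from datetime import datetime, timedelta, timezone

# Installer files the advisory and the Security Center list for removal from <root>/Install.
INSTALLER_FILES = (
    "Install.aspx", "Install.aspx.cs", "Install.aspx.designer.cs",
    "InstallWizard.aspx", "InstallWizard.aspx.cs", "InstallWizard.aspx.designer.cs",
    "UpgradeWizard.aspx", "UpgradeWizard.aspx.cs", "UpgradeWizard.aspx.designer.cs",
    "DotNetNuke.install.config", "DotNetNuke.install.config.resources",
)

# Server-executable script types worth reviewing after a suspected compromise.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".php")

IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)


def installer_files_present(root):
    """Return the advisory-listed installer files that still exist under <root>/Install."""
    install_dir = os.path.join(root, "Install")
    return [name for name in INSTALLER_FILES
            if os.path.isfile(os.path.join(install_dir, name))]


def recent_script_files(root, since):
    """Return (relative path, UTC mtime) for script files modified at or after `since`."""
    cutoff = since.timestamp()
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.path.getmtime(path)
            except OSError:  # unreadable or vanished mid-scan; skip rather than abort
                continue
            if mtime >= cutoff:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found.append((rel, datetime.fromtimestamp(mtime, timezone.utc)))
    return sorted(found)


def default_aspx_iframes(root):
    """Return line numbers of <iframe> tags in <root>/Default.aspx (empty if none or missing)."""
    path = os.path.join(root, "Default.aspx")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [lineno for lineno, line in enumerate(fh, start=1) if IFRAME_RE.search(line)]


def audit(root, since):
    """Run all three checks and return a report dict. Nothing is deleted or modified."""
    return {
        "installer_files_present": installer_files_present(root),
        "recent_scripts": recent_script_files(root, since),
        "default_aspx_iframes": default_aspx_iframes(root),
    }


if __name__ == "__main__":
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    # Look back 14 days by default, matching the "past couple of weeks" advice.
    report = audit(site_root, datetime.now(timezone.utc) - timedelta(days=14))
    for key, value in report.items():
        print(f"{key}:")
        for item in value or ["(none)"]:
            print(f"  {item}")
```

Run it as `python audit_dnn.py C:\inetpub\wwwroot\mysite` (path is an assumption). Every recently modified script file is a lead, not proof: legitimate upgrades also touch .aspx files, which is why the script lists rather than deletes.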

As a reminder, you can always email security@dnnsoftware.com if you believe you have discovered an exploit or vulnerability.

Comments

Jon Welfringer
Just scanned my sites and one was compromised on Sunday 5/22 from this vulnerability. I deleted the new superuser and am still trying to assess whether there was any further damage done.
Jon Welfringer Friday, May 27, 2016 12:17 AM (link)
Jim Woodruff
Hi Will. A couple of questions:

1. I followed your link to the security center and found that there are a few more files that might be in the install folder that need to be removed: DotNetNuke.install.config, DotNetNuke.install.config.resources, InstallWizard.aspx.designer.cs, UpgradeWizard.aspx.designer.cs, Install.aspx.designer.cs. Can you confirm this?

2. Your 4th item -- are you indicating that any file with an .aspx extension might be suspicious?
Jim Woodruff Friday, May 27, 2016 7:25 AM (link)
Chris Csanyi
Thanks for the update Will. On part 2 I notice that I have ascx. Should I just remove that also?
Also if we are on 8.0.3 we don't have to worried about the security issue anymore is how I read this.
Chris Csanyi Friday, May 27, 2016 10:35 AM (link)
T. Philip Perlman
Can someone help me understand why the Install and UpgradeWizard related files even remain after a successful install and/or upgrade? Was this considered after the last related critical issue?

If these files are such a source of potential exploits, why aren't they automagically deleted? When we upgrade DNN by overwriting the files, the upgrade archive contains the needed ones, making it unnecessary for the old ones to remain as a ticking time bomb.

I realize this is an exceptional issue, but for developers like me to wake up and realize that I need to go through dozens upon dozens of client sites (many which are not under maintenance) and delete files that are dormant at best and critical at worst is unnecessary.

Maybe this should be revisited before DNN v08.01.00 is released.
T. Philip Perlman Friday, May 27, 2016 11:04 AM (link)
Will Morgenweck
@Jim Yes, you can delete those files as well. The best thing to do is to search your file system for files with asp, aspx or php extensions. I would then sort the results by date. Any that have a modified/created date within the past couple of weeks should be inspected. In some cases, we are also seeing that Default.aspx is being modified. You don't want to delete that file, but you should inspect it for any embedded IFRAMEs.

Will Morgenweck Friday, May 27, 2016 2:30 PM (link)
T. Philip Perlman
As a follow-up, I'd like to show my appreciation to the team for having the install and upgrade-related files removed on update. I hope this will continue to be the process in the future.

I am extremely appreciative of DNN's proactiveness and diligence in light of security issues. IMHO, other CMSs pale in comparison.
T. Philip Perlman Friday, May 27, 2016 3:04 PM (link)
T. Philip Perlman
Could a feature be added to DNN's Security Analyzer for a white list and checksums of approved files (e.g. aspx) to compare against? Maybe the DNN manifest could also have entries added to this list helping to make security scanning easier. This way we might be able to zero in on changed scripts that can affect security or XSS vulnerabilities.

It could also be further enhanced to check for the app's ability to run ASP and PHP files, and alert to their presence and capability for launching.
T. Philip Perlman Friday, May 27, 2016 3:16 PM (link)
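A minimal version of the whitelist-and-checksum idea in the comment above, as an added example that is not DNN's Security Analyzer or any DNN code: take a manifest of file hashes right after a clean install or upgrade, keep it off the web server, and later diff the live tree against it. The extension list, the JSON manifest format and the choice to hash only server-executable types are assumptions made here to keep the manifest small.

```python
"""Baseline-and-compare integrity check for a DNN site tree.

Added example, not DNN code. Assumptions: the baseline manifest is built
immediately after a known-good install/upgrade and stored outside the web
root; only server-side script and config types are hashed (drop the filter
to cover every file).
"""
import hashlib
import json
import os
import sys

# Types an attacker would add or edit to keep a foothold; .ascx included because
# DNN itself is built from user controls and a modified one runs server-side too.
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ascx", ".php", ".cs", ".config")


def _sha256(path):
    """SHA-256 of a file, streamed so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, extensions=SCRIPT_EXTENSIONS):
    """Map each matching file (path relative to root, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                manifest[rel] = _sha256(path)
            except OSError:  # unreadable file: skip, do not abort the whole scan
                continue
    return manifest


def compare(baseline, current):
    """Return sorted lists of files added, removed and changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: integrity.py baseline <site_root> <manifest.json>
    #        integrity.py check    <site_root> <manifest.json>
    mode, site_root, manifest_path = sys.argv[1:4]
    if mode == "baseline":
        save_manifest(build_manifest(site_root), manifest_path)
    elif mode == "check":
        diff = compare(load_manifest(manifest_path), build_manifest(site_root))
        for kind, paths in diff.items():
            print(f"{kind}: {', '.join(paths) or '(none)'}")
        sys.exit(1 if any(diff.values()) else 0)
    else:
        sys.exit(f"unknown mode {mode!r}")
```

An "added" .aspx under Portals or a "changed" Default.aspx is exactly the signal the advisory asks site owners to look for; a "removed" entry after an upgrade should correspond to files the upgrade legitimately deleted, such as the installer pages.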
Will Morgenweck
@Chris, DNN depends heavily on ASCX. At this time, we have no evidence of the exploit altering .ASCX files. However, if you feel your site has been compromised you should look for any files that were added or deleted after the intrusion occurred or you should restore from a backup prior to the intrusion. If you restore from a backup, be sure to immediately perform the mitigation steps.

Will Morgenweck Friday, May 27, 2016 4:29 PM (link)
Will Morgenweck
@Philip, That is a very reasonable question. The files were supposed to be deleted after upgrade and install starting with the 7.4.1 release, but we found that this was happening in certain environments. Additional code has been added to DNN Platform 8.0.3 and Evoq 8.4.2 to ensure the files are deleted. We have also added additional defense code to prevent this from happening again in the event that the files can't be deleted automatically.
Will Morgenweck Friday, May 27, 2016 4:37 PM (link)
Richard Howells
@Will - if we delete install.aspx - then presumably the automated install url (http://www.mywebsite.com/install/install.aspx?mode=installresources) will no longer work.

Is install.aspx firmly implicated in this vulnerability or is deleting it just precautionary?
Richard Howells Saturday, May 28, 2016 5:58 AM (link)
Will Strohl
In looking at all of the available posts and security bulletins, and then from the feedback from my clients, it sounds like a previous policy may have been shut down. I don't recall seeing an announcement though.

Security updates have always been back-ported to the previous release series after a major release, for the next 12 months after a major release. In this case, security updates are not being back-ported from version 8.x to 7.4.x. Instead, people are being told that the only way to be secure is to upgrade to version 8.0.2.

Are there any plans to continue to back-port security updates, like the project has done since it was first released in 2002?
Will Strohl Thursday, June 2, 2016 12:55 PM (link)
Will Morgenweck
@Will Many users have told us that they don't want to go through the entire upgrade process for this fix, especially since the fix is very straightforward using the mitigation steps we have provided. However, we are making updates to the Security Analyzer module, which will be available to 7.x users. The Security Analyzer module will also properly delete the files upon install.

@Richard Removal of install.aspx is simply precautionary at the moment. We know some people that are renaming the file, and only make it available again if they need it.

-Will
Will Morgenweck Thursday, June 2, 2016 9:18 PM (link)
Daniel Mettler
Thank you so much for the pro-active communications and instructions. It's helped us and our customers a lot. Thumbs up 100x
Daniel Mettler Monday, June 6, 2016 11:27 AM (link)

