

Updates to Security Analyzer Tool

Last year we released a stand-alone security tool to check whether your DNN site is configured correctly from a security point of view. The tool was very well received by our customers and the community. In light of the recent security incident affecting DNN sites, we decided to update the tool to detect additional misconfigurations.

Let’s take a look.

New Audit Checks

Six new checks were added under the Audit Checks tab: “Check Default Page”, “Check Module Header and Footer”, “Check Password Format”, “Check Disk Access”, “Check SQL Risk” and “Check Allowable File Extension”.

Check Integrity of Default Page

During the recent security incident, we noticed that the attacker had modified the default.aspx or default.aspx.cs files to add hidden links or iframes. We have added checks that compare these two files from your site with the copies from a standard installation of the version you are running.

When the tool flags an error by showing an ‘X’ next to the check, compare both files against the standard versions with a file-diff utility to determine whether the changes are legitimate. Remove any malicious script tags from the files or, better, revert to the original files.

Check Module Header and Footer

During the recent security incident, we noticed that the attacker was using the module header and footer settings to inject malicious HTML. This check lists every module that has a Header or Footer setting, together with its Tab ID and Module ID. Note that not all such settings are malicious; review each one and look for suspicious content such as an iframe.
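The two checks above, re-implemented as an added illustration in Python (the Security Analyzer itself is a C# DNN module, and this is not its code): a one-sided diff of the site's default.aspx against a reference copy, and a scan of the header/footer values the tool lists for iframe or script tags. The reference page, the tampered copy and the module setting rows are constructed samples.

```python
import difflib
import re

# Markup worth a second look when it appears in an added line or a module setting.
SUSPICIOUS_MARKUP = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)

# Constructed stand-in for a stock default.aspx (not the real DNN file).
REFERENCE_DEFAULT_ASPX = """<%@ Page Language="C#" Inherits="DotNetNuke.Framework.DefaultPage" %>
<html>
<head runat="server"><title></title></head>
<body>
<form id="Form" runat="server"></form>
</body>
</html>
"""

# The same file with a hidden iframe inserted before </body>.
TAMPERED_DEFAULT_ASPX = REFERENCE_DEFAULT_ASPX.replace(
    "</body>",
    '<iframe src="https://example.invalid/x" style="display:none"></iframe>\n</body>')

def added_lines(reference, current):
    """Lines that exist in `current` but not in `reference`."""
    diff = difflib.unified_diff(reference.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]

def suspicious_additions(reference, current):
    """Added lines that carry iframe or script markup."""
    return [line for line in added_lines(reference, current)
            if SUSPICIOUS_MARKUP.search(line)]

# Constructed rows in the shape the tool lists them: (tab id, module id, setting, value).
MODULE_SETTINGS = [
    (55, 401, "header", "<h2>Welcome to our site</h2>"),
    (55, 402, "footer", '<iframe src="http://example.invalid/" width="0" height="0"></iframe>'),
    (57, 410, "footer", "Copyright 2016"),
]

def suspicious_module_markup(rows):
    """Header/footer rows whose value contains iframe or script markup."""
    return [row for row in rows if SUSPICIOUS_MARKUP.search(row[3] or "")]

if __name__ == "__main__":
    for line in suspicious_additions(REFERENCE_DEFAULT_ASPX, TAMPERED_DEFAULT_ASPX):
        print("default.aspx: suspicious added line:", line)
    for tab_id, module_id, name, _ in suspicious_module_markup(MODULE_SETTINGS):
        print(f"TabId={tab_id} ModuleId={module_id}: review the {name} setting")
```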

Check Password Format

Sites should use the “Hashed” password format. This setting prevents anyone, even genuine SuperUsers, from recovering a password in clear text. If the setting is “Clear” or “Encrypted”, change it to “Hashed” in web.config. Note that this change does not convert existing accounts; only passwords set from then on are hashed.

Check Disk Access

Often the identity running the App Pool has more permissions than it needs. This check indicates whether that user has permissions outside the DNN website folder.

Check SQL Risk

Often the SQL Server login DNN uses to access the database has more permissions than it needs. At a minimum, ensure the login does not hold the “sysadmin” server role.

Check Allowable File Extension

DNN enforces strict file extension rules so that users cannot upload files that can execute code, such as .aspx, .asp or .php. DNN only allows uploads of files whose extensions are listed under Host > Host Settings > Other Settings > Allowable File Extensions. At times, however, a SuperUser may add an extension temporarily and forget to remove it. This check identifies that misconfiguration.
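The “Check Password Format” and “Check Allowable File Extension” audits above, as an added Python illustration (not the Security Analyzer's own C# code). The web.config fragment is constructed; passwordFormat is the real SqlMembershipProvider attribute, and the host setting is assumed to be a comma-separated extension list.

```python
import xml.etree.ElementTree as ET

# Extensions the post names as able to execute server-side code.
EXECUTABLE_EXTENSIONS = {"aspx", "asp", "php"}

# Constructed web.config fragment with the weak "Encrypted" format; the
# passwordFormat attribute takes the values Clear, Encrypted or Hashed.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SiteSqlServer"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# The corrected configuration the post recommends.
HASHED_WEB_CONFIG = SAMPLE_WEB_CONFIG.replace('passwordFormat="Encrypted"',
                                              'passwordFormat="Hashed"')

def check_password_format(web_config_xml):
    """Return {provider name: passwordFormat} for every membership provider
    whose format is not 'Hashed'; an empty dict means the check passes."""
    root = ET.fromstring(web_config_xml)
    weak = {}
    for provider in root.iter("add"):
        fmt = provider.get("passwordFormat")
        if fmt is not None and fmt.lower() != "hashed":
            weak[provider.get("name")] = fmt
    return weak

def check_allowable_extensions(setting_value):
    """Return the executable extensions present in the Allowable File
    Extensions host setting (assumed comma-separated, e.g. 'jpg,png,pdf')."""
    allowed = {ext.strip().lstrip(".").lower()
               for ext in setting_value.split(",") if ext.strip()}
    return sorted(allowed & EXECUTABLE_EXTENSIONS)

if __name__ == "__main__":
    print(check_password_format(SAMPLE_WEB_CONFIG))        # {'AspNetSqlMembershipProvider': 'Encrypted'}
    print(check_password_format(HASHED_WEB_CONFIG))        # {}
    print(check_allowable_extensions("jpg,png,pdf,aspx"))  # ['aspx']
```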

New Tabs

Two new tabs have been added: "Recently Modified Files" and "Recently Modified Settings".

Recently Modified Files

This tab shows the 50 most recently modified files within the DNN website folder. It has two sections: the top one lists "High Risk" files and the bottom one "Low Risk" files.

High Risk Files

High-risk files are those with the extensions .aspx, .asp and .php; they are deemed high risk because they can execute code. Note that DNN and Evoq ship several .aspx files in the default installation, and some third-party modules also deploy .aspx files. What you need to examine is the timestamp of each file: ask whether you made any system change at the time it was modified. System changes include a DNN / Evoq upgrade, a brand new install, a module install or uninstall, and so on.

In addition to files with the .aspx, .asp and .php extensions, the high-risk section also lists default.aspx, default.aspx.cs and web.config.

Again, there is no need to panic at files listed here. Look at each file's last-modified date and correlate it with any system activity you have performed.

Low Risk Files

This section lists all other files from your website folder. You may see cache files, images and so on.
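The "Recently Modified Files" tab described above, as an added Python illustration (not the tool's own C# code): the newest files under the site root, split into the high-risk and low-risk groups using the extension and file-name rules the post gives. The site tree is constructed in a temporary directory with chosen timestamps.

```python
import os
import tempfile

HIGH_RISK_EXTENSIONS = {".aspx", ".asp", ".php"}
HIGH_RISK_NAMES = {"default.aspx", "default.aspx.cs", "web.config"}

def is_high_risk(relpath):
    """High risk: executable extensions plus the three named files."""
    name = os.path.basename(relpath).lower()
    return name in HIGH_RISK_NAMES or os.path.splitext(name)[1] in HIGH_RISK_EXTENSIONS

def recently_modified(site_root, limit=50):
    """Return (high_risk, low_risk): (relative path, mtime) tuples for the
    `limit` most recently modified files under site_root, newest first."""
    entries = []
    for dirpath, _, filenames in os.walk(site_root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            entries.append((rel, os.path.getmtime(full)))
    entries.sort(key=lambda entry: entry[1], reverse=True)
    recent = entries[:limit]
    high = [entry for entry in recent if is_high_risk(entry[0])]
    low = [entry for entry in recent if not is_high_risk(entry[0])]
    return high, low

# Constructed site tree: stock files with older timestamps and one stray .aspx
# dropped into an image folder with the newest timestamp (epoch seconds).
SAMPLE_FILES = {
    "default.aspx": 1465000000,
    "web.config": 1465100000,
    "Portals/0/logo.png": 1465200000,
    "Portals/0/Images/x.aspx": 1465300000,
}

def build_sample_site(root):
    for rel, mtime in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write("sample")
        os.utime(full, (mtime, mtime))

def demo(limit=50):
    """Build the sample site in a temp dir and return the two path lists."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        high, low = recently_modified(root, limit)
        return [path for path, _ in high], [path for path, _ in low]
```

Run `demo()` to see the stray x.aspx listed first in the high-risk group; the stock files follow it ordered by timestamp, which is exactly what you would correlate with your own upgrade or install activity.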

Recently Modified System Settings

One symptom of the recent hack was that a number of Host Settings were updated, including the SMTP settings. This tab lists the 20 most recently changed settings in the following categories: “Portal Settings”, “Host Settings”, “Tab Settings” and “Module Settings”.

Again, look for suspicious changes here.

(Screenshots: Portal Settings, Host Settings, Tab and Module Settings)

Auto Deletion of Certain Install Files

The tool deletes the following files from the Website Root\Install folder as soon as it is installed:

- DotNetNuke.install.config
- DotNetNuke.install.config.resources
- InstallWizard.aspx
- InstallWizard.aspx.cs
- InstallWizard.aspx.designer.cs
- UpgradeWizard.aspx
- UpgradeWizard.aspx.cs
- UpgradeWizard.aspx.designer.cs
- Install.aspx
- Install.aspx.cs
- Install.aspx.designer.cs

These files are no longer needed once installation is complete. We realize that some DNN users want to continue using Install.aspx and Install.aspx.cs after installation; they may put them back on their own, at their own risk. The recent exploit targeted the InstallWizard.aspx file, and that file must be removed.

In any case, most of these files are put back by the upgrade package and removed again once the upgrade is done.

Tool’s Version

The first version of this tool was released as 1.0.0 and shipped with DNN 7.4.1. With DNN 7.4.2, we incremented the tool’s version to 1.0.1. We then incremented it to 8.0.0 for the DNN Platform 8.0.0 (Evoq 8.3.0) release; the version number was bumped to keep in sync with the DNN version, not because of a major change in the tool. Later, the tool’s version was incremented to 8.0.1 with the DNN 8.0.1 release.

As of this writing, the latest version of this tool is 8.0.2.

Backwards Compatibility

Security Analyzer can be installed on DNN versions 6.2 and above. This stand-alone tool has more features than the version shipped with the latest DNN or Evoq products. Note that the latest shipping releases are DNN Platform 8.0.3 and Evoq 8.4.2 at the time of writing.

Source Code

Security Analyzer is open source as well; the source code can be found here: https://github.com/DNNCommunity/SecurityAnalyzer

Reporting New Issues

Please file new issues on GitHub: https://github.com/DNNCommunity/SecurityAnalyzer/issues

How to Install

This tool is shipped as a standard DNN module. Install it using Host > Extensions. Once installed, it is available on the page Host > Security Analyzer.

Acknowledgements

Besides the engineers at DNN Corp, we want to thank community members Brian Dukes and Timo Breumelhof for testing the tool and providing valuable feedback. Mitchel Sellers, Will Strohl and Richard Howells have also provided suggestions.

Download

The install package can be downloaded from: https://github.com/DNNCommunity/SecurityAnalyzer/releases

Be sure to download the version tagged “Latest Release”.

Additional Questions

Some of the above discussion is quite technical and may not be easy to follow. Ask questions in the DNN Forums or as a comment here for clarification. If you are an Evoq customer, feel free to open a ticket with the Support team.

Comments

Roman Yagodin
Great release, thanks!
Roman Yagodin Thursday, June 9, 2016 3:08 AM (link)
Will Strohl
This is an outstanding contribution to the community and ecosystem overall. Thank you for heading this up Ash, and for the incredibly thorough blog post. Things like this are what makes the community great and help it to grow.
Will Strohl Thursday, June 9, 2016 9:55 AM (link)
T. Philip Perlman
WOW! Quite a bit of work went into this! Thank you for the contribution, I look forward to testing it out! Congratulations and thank you!
T. Philip Perlman Thursday, June 9, 2016 10:06 AM (link)
Jeroen Krikke
Thanks for this very helpful module.
Jeroen Krikke Friday, June 10, 2016 2:59 AM (link)
John Cornelison
Wonderful, thanks for making it even more robust!

Does this check all websites in the portal at once (I presume), or might one need to run it on a per site basis, if one were not a host for instance?
John Cornelison Sunday, June 12, 2016 1:14 PM (link)
Ash Prasad
@John - this module is available under Host menu, so it should work for all portals. Please report an issue here if you see a problem: https://github.com/DNNCommunity/SecurityAnalyzer/issues
Ash Prasad Tuesday, June 14, 2016 7:55 PM (link)
Ryan Moore
Thanks for the new release, it has so many excellent features! With one of our DNN instances that was affected, we manually went through the steps to look for these items and this updated tool puts all the right elements at your fingertips. Excellent!
Ryan Moore Wednesday, June 15, 2016 9:17 AM (link)
Daniel Comp
Ash, I too appreciate your efforts and contributions. You get the 'ATTA-BOY' award from us all!
Daniel Comp Thursday, June 16, 2016 1:15 PM (link)
Antony Gill
The security analyser 'Check Disk Access' reports "Hackers could access drives/folders outside the website". Wanting to fix this for sites on my IIS8 server I am looking at the check-disk-access description "Often the user running App Pool has more permission than it needs. The purpose of this check is to indicate if this user has permissions outside of the DNN website folder."
OK so my AppPool identity is properly configured, unique to each site and anonymous authentication is set to the AppPool user.
The AppPool user has full site folder/directory access as described in DNN documentation.
I looked carefully at IIS security advisory here: https://technet.microsoft.com/en-us/library/jj635855(v=ws.11).aspx.
I have noted issue#24 here: https://github.com/DNNCommunity/SecurityAnalyzer/issues/24
Are there any steps I have missed to get compliance for this check?
Antony Gill Tuesday, July 12, 2016 4:34 PM (link)
Katherine Moss
Great module. Shall be running it shortly.
Katherine Moss Wednesday, July 20, 2016 11:17 AM (link)
Redfred Garett
Great blog. Shall be running it shortly.
Redfred Garett Wednesday, August 17, 2016 8:46 AM (link)
cdhartman
The security analyzer 'Check Disk Access' reports - Well changing the .net trust level breaks the Analyzer. Soooo, Instructions on how to mitigate the problem would be very useful.
cdhartman Friday, September 9, 2016 7:47 PM (link)
robert lang
@Anthony, @cdhartman - I found the entry 'Check Disk Access', and tried to find an answer how to solve this - and found your comments to this article.
Am I right, that this point is a real security relevant issue, if the analyzer detects this? If there is a security issue where someone can run his own script functionality - this is the way to take filesystem?
Did you find a way to lockdown the server?
I am really surprised, that there is a great tool to detect issues, but no suggestions or best practices to solve this?
robert lang Thursday, March 23, 2017 10:49 AM (link)
Jeremy Farrance
@robert, @anthony, @cdhartman, and @DNN - Audit Checks / CheckDiskAccess - any follow-up on this? I have 3 out of 11 DNN instances on a 2012 R2 server that report this in the latest version of the Security Analyzer and I cannot find/fix the problem. Short of walking the source code, is there some way to get more details about what the test is doing and finding... and specifically what the fix is? Thanks in advance!!
Jeremy Farrance Tuesday, October 17, 2017 5:20 PM (link)
Antony Gill
On security analyzer CheckDiskAccess, my report of July 12th 2016 and similar reports from Jeremy Farrance, cdhartman and Robert Lang.
In view of the articles on Technet and GitHub referred to in my report here, I chose to ignore this potentially alarmist security exception as an artefact of the tool and my server/iis/apppool configuration, conforming in all other respects to that specified by Microsoft and DNN.
I think that the person/people who write useful security analyser tool code and released it for the community don't have time to look at or deal with this issue. All I can say is that my server/app config is still all functioning OK after 15 months. My advice is to be as thorough with everything as you can (for example, you all quoted my name incorrectly; I'm ANTONY): take backups of your 'vulnerable' files and, for example, upgrade to Server 2016 / DNN 9 if your server hardware can run it.
Antony Gill Tuesday, October 24, 2017 1:11 PM (link)
Marco Andrade
What an amazing module, great work! Is there not a way to make this module accessible to non-super users? We have a situation where we want to limit this module to a subset of admins but do not want to give them super user access to do so. - Marco
Marco Andrade Thursday, July 26, 2018 2:31 PM (link)
Will Strohl
@Marco: Honestly, I think the only way you'll be able to do this is to fork the source code and make that update yourself. It's not a great idea to disclose security details to anyone that you wouldn't also trust with superuser-level access.
Will Strohl Friday, July 27, 2018 4:32 PM (link)