Today we are releasing version 9.0.2 of both DNN Platform and Evoq. This release addresses an important security issue that reveals users’ details. Along with the 9.0.2 release, we are also providing a security patch to help fix this problem in older versions of DNN and Evoq.
What’s the vulnerability?
It was brought to our attention that one can potentially uncover the following user details on a typical DNN or Evoq install:
1. Email Address
2. Display Name
3. User Name
Can additional profile properties be uncovered?
Only when you are using the Custom “Registration Form Type” as opposed to the Standard type. In this case, only the profile properties defined in “Registration Fields” can be uncovered.
Can you elaborate a bit more about this custom mode?
A typical DNN or Evoq install contains close to 20 profile properties, such as first name, last name, city, region, country, phone number, etc. In theory, one can configure the registration form to have any or all of these fields. However, most sites only have a handful of registration fields in order to simplify the process for users. This vulnerability will allow anyone to uncover most of the registration properties present in the form. Using the standard configuration, only the three items noted earlier are discoverable.
Can date of birth be uncovered?
Date of birth is not defined as a profile property in general, with the exception of Evoq Engage, where it’s present as a profile property. Since the date of birth was defined as “Date” type, it cannot be uncovered.
What about the Password?
Passwords cannot be uncovered.
What about Street Address?
It depends on whether you have been using custom registration mode and whether those properties (street, city, region, country, etc.) are present in the registration form.
What’s the minimum data that can be uncovered?
The Email address. The custom mode requires a minimum profile property of Email to be present for registration.
Can a Super User be created with this vulnerability?
No. It is not possible to make any changes to a site with this vulnerability. Only the limited profile properties outlined above can be displayed.
Is this vulnerability present in 3rd party modules?
Our testing indicated that it was present in at least one 3rd party registration module. We have notified the vendor and are waiting for them to publish a new release. We cannot reveal the name of the module here. If you are using a 3rd party registration module, then we strongly suggest that you contact the vendor and inquire about this vulnerability.
I am a vendor of such a module, what should I do?
Contact DNN Corp’s security team to obtain more details about the vulnerability so you can provide an updated module. The security team can be reached by email: security@dnnsoftware.com
I have created a custom module, what should I do?
Contact DNN Corp’s security team to obtain more details about the vulnerability so you can provide an updated module. The security team can be reached by email: security@dnnsoftware.com
I create users via an API, am I affected by this?
There is no vulnerability around the creation of users. You can continue to create users via APIs or stored procedures. Since the vulnerability exists in the registration system, we still strongly recommend that you either apply the patch or upgrade to the latest version of DNN / Evoq.
Which versions are affected by this?
Per our testing, this vulnerability is present in 6.2 and above.
Does it affect both DNN Platform and Evoq?
Yes, it affects both.
What’s the risk if I don’t patch or upgrade?
An unauthorized user can obtain profile properties such as Display Name, User Name, Email Address, etc. of ALL your users, including Super Users. It is important that you apply the patch or upgrade to the latest version.
Should I upgrade to 9.0.2 and ALSO apply the patch?
No. Either one alone is sufficient. The patch is not required once you have upgraded to 9.0.2 or above. The latest release at the time of writing is 9.0.2. Our recommendation is to always upgrade to the latest version.
What does the patch do?
The patch updates the registration system to correct the vulnerability. It also creates a test page under Host to verify whether you are patched.
What versions are supported by the patch?
DNN and Evoq versions 6.2 through 9.0.1.
Does the patch fix 3rd party modules?
No. If you are using a 3rd party registration module, you should contact the vendor.
Will the vulnerability in a 3rd party module automatically be fixed after upgrading to 9.0.2?
Our testing indicates that the problem in 3rd party modules should be resolved automatically. However, you should contact the vendor just to make sure. 9.0.2 certainly fixes the problem when no 3rd party registration module is being used.
How can I access this host page in 9.0.0 and 9.0.1?
Log in as a Super User (not Admin) and click the “DNN Security Hot Fix 1” link under the Manage menu in the Persona Bar.
I don’t understand what I am seeing under this new Host page, can you explain?
As noted earlier, the patch creates a page under the Host menu. Depending on your site’s configuration, there are three possible outcomes:
1. You are patched. This is to indicate that we feel your site is patched. However, if you use a 3rd party registration module on your site, then we are not in a position to say for sure. If you are not using a 3rd party registration module, then we are pretty confident that you are patched.
2. You may not be patched. The moment we detect that you have a custom registration page defined and that the page contains a registration module other than DNN’s standard one, we flag that as “may not be patched”. We also list the sites where we find use of a non-standard registration module. In this case, you should contact your module vendor.
3. You may not be patched. There is another situation where you might not be using a custom registration page, but a 3rd party module might have modified the default entry in the ModuleControls table for the “Register” record. We flag this as “may not be patched” as well, and you should contact the vendor in this case too.
Can I uninstall this patch after the fact?
You may. However, the fix that was applied remains in effect.
What happens if my site breaks after application of this patch?
We suggest that you apply this patch in a test environment, run some tests and then apply it in production. If your site still breaks, then we recommend that you post a comment here. Also, remember to take a backup of your production site before applying the patch.
Can this patch be overwritten if I upgrade DNN or Evoq at a later date?
As long as you upgrade to DNN or Evoq 9.0.2 or above, you will remain protected. However, if you upgrade to a version older than 9.0.2 (e.g. 8.5), the patch will be overwritten. We recommend that you visit the above host page again to reapply the patch automatically. In any case, you still run the risk if you are using a 3rd party registration module. You should contact the vendor and confirm.
I am an Evoq customer, how can I get more details?
I am a DNN Community user, how can I get more details?
There are a few ways to interact further:
1. Use comments in this blog
What if I have further security related questions?
You are more than welcome to reach out to DNN’s Security team by sending an email to security@dnnsoftware.com.
How do I apply the patch?
The patch is a standard DNN module that can be installed like any other DNN extension. You must be a Super User to do that, though.
Where can I download 9.0.2 from?
You can download the Install and Upgrade packages of DNN Platform 9.0.2 from the GitHub repository. Evoq customers can download from here.
Where can I download the patch from?