I have already posted a long thread http://www.dnnsoftware.com/forums/forumid/108/postid/530273/scope/posts#530273

regarding my website being constantly under attack. I have upgraded to version 7.4.2 with no result. I'm still under attack and still vulnerable to the same scams.

I have read the vulnerability notice and removed all files (install, update wizards etc) from the directory even though the type of attack I have been experiencing was not as described but nothing changed on my DNN installation although something did change in my situation altogether. The attack spread to my other non DNN .asp website. Now I have 2 databases to restore on a daily basis.

I downloaded, installed and ran the new Security Analyzer which came up with a new vulnerability.

CheckDiskAccess : Checks extra drives/folders access permission outside the website folder

Hackers could access drives/folders outside the website

E:\website - Read:Y, Write:Y, Create:Y, Delete:Y E:\ - Read:Y, Write:Y, Create:Y, Delete:Y C:\ - Read:Y, Write:Y, Create:Y, Delete:N

It does not say how though.

How can I prevent this from happening? How do I limit access only to the DNN root folder?

Any help is appreciated thank you.

 

Edoardo 

Hi Edoardo,

I wonder if you have a solution for the CheckDiskAccess issue already?

I'm having the same problem. I did a clean server setup and created a separate application pool for the DNN.

Also set with application pool identity, add the ID into the DNN folder security.

But the analyzer still showing DNN has full access to all Drives like yours.

Appreciate anyone can help one this. Thank you.

George.

As I mentioned in another thread, I would guess that this is because by default, any new user created in Windows are member of the "USERS" group which in turn has read and write access. The solution is probably to remove the IIS user from the USERS group,however, I am not sure what is recommended best practices here and if that might lead to other side effects.