7/17/2006 7:47 PM

Two items:

1. Suggestion: A "Security" forum would be a great addition to the list of DNN forums.

2. One of my web sites was defaced/hacked over the weekend. I've searched these DNN forums, but didn't see this posted, so I wanted to get the word out a bit more. BTW, other posts have said that the security hole is a big one, but...

...here's the kicker    -   my site does NOT use BDPDT.

Evidently, one of the other sites hosted on the same server was using it and the security hole allowed the entire server to be compromised. Luckily for me, the hacker didn't do significant damage to my site...this time.

You can read Patrick Santry's original post at:
   http://blogs.wwwcoder.com/psantry/archive/2006/05/03/23851.aspx


7/17/2006 7:57 PM

First off, commiserations on the hacking exploit.

As for your points, we don't have a forum as talking about security in public is not always the best idea. Instead we have a security policy here, and encourage anyone with any questions/issues to email the security@dotnetnuke.com alias. In addition, we have the security blog @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/BlogID/28/ParentBlogID/5/Default.aspx where we discuss various security related matters (I blogged about the BDPDT issue @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/422/Default.aspx a few months back).

With regards to getting affected by another user, it would appear that your host was not running individual websites under different impersonated accounts for ASP and ASP.NET (many hosts don't know about this, though it is a recommended practice - I may blog the details at some point to help).

Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US

7/17/2006 8:30 PM

I think I'd like to second Cathal on this one. Bear in mind that, dependent on how your hoster has configured the server, you still had the potential of being cross-hacked from an ASP or PHP site as the basis of entry, both of which this person that is doing this seems to enjoy - and has for a few years.

If you look at his "accomplishments" it seems he likes to find exploitable sites, and then takes out as many of the other sites on the server as he can. He has been using a variety of different methods and not just DNN, and definitely not just the flaw that did exist in our module. Yes, he did gain entry via our module, which should have been updated just about everywhere now - especially if you look at the date of Patrick's blog entry; however, his points of entry on ASP and PHP may still exist, and thus the risk still remains until ISPs start locking things down with isolation, and at least ensure that the threat is minimized down to an individual web instance.

However, your ISP should be able to provide detailed information and forward it over to security@dotnetnuke.com if it does look DNN in nature. Part of my concern is this guy has publicly stated he has a hate on for Microsoft, and taking down ASP.NET sites seems to be right up his alley. We should all be prepared just in case he's found some other method.

--Richard
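The isolation that Cathal and Richard both recommend above (each hosted site running under its own account, so a hole in one site's module cannot reach the others) is shown below as an added example; it is not code from this thread or from DNN. It assumes IIS 7.5 or later with the WebAdministration module, and the site names, paths and host headers are constructed placeholders. The first function creates a site in its own application pool with a per-pool virtual account and locks the content folder to that account; the second audits an existing server for sites that still share a pool or run as a shared machine account.

```powershell
# Added example (not from the thread or from DNN): per-site application pool isolation on IIS,
# plus an audit of existing sites. Assumes IIS 7.5+ with the WebAdministration module;
# all names, paths and host headers below are constructed.
Import-Module WebAdministration

function New-IsolatedSite {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $PhysicalPath,
        [Parameter(Mandatory)] [string] $HostHeader
    )
    $poolPath = "IIS:\AppPools\$Name"
    if (-not (Test-Path $poolPath)) { New-WebAppPool -Name $Name | Out-Null }

    # ApplicationPoolIdentity gives the pool its own virtual account (IIS AppPool\<Name>),
    # so code running inside one site holds no token that can open another site's files.
    Set-ItemProperty $poolPath -Name processModel.identityType -Value ApplicationPoolIdentity

    if (-not (Test-Path $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }
    # Drop inherited ACEs, then grant only this pool's account (read/execute), Administrators and SYSTEM.
    # ${Name} is needed here: "$Name:" would otherwise be parsed as a drive qualifier.
    icacls $PhysicalPath /inheritance:r `
        /grant:r "IIS AppPool\${Name}:(OI)(CI)RX" `
                 "BUILTIN\Administrators:(OI)(CI)F" `
                 "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null

    if (-not (Get-Website -Name $Name -ErrorAction SilentlyContinue)) {
        New-Website -Name $Name -PhysicalPath $PhysicalPath -ApplicationPool $Name `
                    -HostHeader $HostHeader -Port 80 | Out-Null
    }
}

function Get-SiteIsolationReport {
    # One row per application pool: the sites it hosts, the identity it runs as, and a
    # finding when the pool is shared between sites or runs as a shared machine account.
    $sharedAccounts = @('LocalSystem', 'LocalService', 'NetworkService')
    Get-Website | Group-Object -Property applicationPool | ForEach-Object {
        $pool     = Get-Item "IIS:\AppPools\$($_.Name)"
        $identity = [string]$pool.processModel.identityType
        $finding  = 'isolated'
        if ($_.Count -gt 1) { $finding = 'multiple sites share this pool' }
        elseif ($identity -in $sharedAccounts) { $finding = "runs as shared account $identity" }
        elseif ($identity -eq 'SpecificUser') { $finding = 'custom account: verify it is unique to this site' }
        [pscustomobject]@{
            AppPool  = $_.Name
            Sites    = ($_.Group | ForEach-Object { $_.Name }) -join ', '
            Identity = $identity
            Finding  = $finding
        }
    }
}

# Usage (constructed names):
# New-IsolatedSite -Name 'customer-a' -PhysicalPath 'D:\Sites\customer-a' -HostHeader 'a.example.com'
# Get-SiteIsolationReport | Format-Table -AutoSize
```

A DNN site also needs Modify rights on the folders it writes to (its Portals folder, for instance); grant those to the same IIS AppPool\<Name> account rather than to a group shared by every site, or the file-system isolation is lost again. Running Get-SiteIsolationReport on a shared host is the quickest way to confirm whether the "one compromised site takes out the whole server" scenario from the first post is still possible.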


7/19/2006 3:10 AM

Cathal - thanks. Actually, I was thinking of the forum more in terms of sharing best practices and heads-ups (like this post). The forums are a bit of a one-stop shop for a lot of people and I'll be honest that I don't agree that talking about security in public is a bad idea - the exploits are already out there. This guy has a brag list of 1000's of sites (or is it 34K?). But I can understand the desire to avoid making it easy with too many specifics or describing especially easy exploits, although maybe a moderator could play a role in avoiding that.

I've pointed the hoster to this post so hopefully they'll implement individual websites under different impersonated accounts for ASP and ASP.NET as you suggest.

Richard - "module which should have been updated just about everywhere now..." Hmm, why do you say that? The security notification/discussion seems pretty low-key to me. Just a few blogs here and there - pretty easy to miss.


7/19/2006 7:47 AM

There are two documents available in the documentation download that may interest you then - "Hardening DotNetNuke Installations.pdf" and "Secure Module Development.pdf". These are intended as best practice recommendations, and also contain links to the MS docs on hardening IIS and SQL Server.

Cathal


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US