Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

How secure is DNN?

8/23/2011 4:06 PM
I'm concerned about all of the recent website hackings that have taken place within the past few months. My question is how hackable is DNN? I know that nothing is hack-proof, but there are a lot of websites out there that are hack-friendly, unfortunately.

How does DNN fare? Does the platform lend itself to security, or does it invite hackers as easy prey? I'm sure that I'm not the only one concerned about this and would like to know the community's thoughts. Also, what steps should be taken to bolster the security of a DNN site?

By the way, here are a few recent headlines regarding website hackings:

Anonymous hackers take on San Francisco subway
8/15/2011 - http://www.msnbc.msn.com/id/44150461#.TkmG62HAzPo

Hershey website hacked to change recipe
8/3/2011 - http://consumerist.com/2011/08/hersheys-website-hacked-to-change-recipe.html

Church websites hacked, Islamic material posted
7/29/2011 - http://www.wtol.com/story/15177227/church-websites-hacked-islamic-material-posted

Lulz Security Says It Hacked News Corporation Sites
7/18/2011 - http://bits.blogs.nytimes.com/2011/07/18/lulz-security-says-it-hacked-news-corporation-sites/

Foxnewspolitics Twitter Feed Hacked
7/4/2011 - http://www.foxnews.com/politics/2011/07/04/foxnewspolitics-twitter-feed-hacked/?test=latestnews

Citibank confirms hacking attack
6/9/2011 - http://www.bbc.co.uk/news/technology-13711528

PBS Hacked, Claims 'Tupac Alive' In New Zealand
5/30/2011 - http://www.huffingtonpost.com/2011/05/30/pbs-hacked-tupac-alive_n_868673.html

Sony Makes it Official: PlayStation Network Hacked
4/23/2011 - http://www.pcworld.com/article/226128/sony_makes_it_official_playstation_network_hacked.html
 
8/23/2011 5:32 PM
 
Hello,
In general any system can suffer from security issues; however, what's most important is that processes and procedures are in place to deal with that. DotNetNuke has a dedicated security team (http://www.dotnetnuke.com/Resources/W...) that responds to reports of issues and analyzes any reports sent in by companies (both from tools and penetration tests) and ensures that any bugs are fixed quickly - we get a lot of these (e.g. http://www.dotnetnuke.com/Resources/B...), often benefitting from hundreds of thousands of dollars of effort.

In addition, we work on adding defense-in-depth security protections to ensure that DotNetNuke is protected from common vulnerabilities, e.g. we use the HttpOnly parameter on cookies to ensure cross-site scripting attacks can't access cookies; we also have protection against cross-site request forgeries built in at the core level. In addition, from its first days all DotNetNuke core and core module access is via stored procedures, meaning that SQL injection attacks are not an issue (unless a 3rd party module is added which does direct SQL).

The Wiki also has a useful page on security best practices - http://www.dotnetnuke.com/Resources/W... - which links to some documents to harden installs and other tips.

Thanks,
Cathal
DotNetNuke Security team.

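The third-party module risk raised in the reply above, illustrated as an added example (this is not DNN's own code or API): a hypothetical module data layer showing "direct SQL" built by string concatenation next to the parameterized and stored-procedure forms that the core relies on. The table name `dbo.MyModule_Items`, the procedure `dbo.MyModule_GetItemsByTitle` and the class name are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data layer for a third-party DNN module (names are assumed).
public static class ItemDataProvider
{
    // VULNERABLE: "direct SQL" assembled from user input. The title value becomes
    // part of the SQL text, so a crafted value can change the statement's logic
    // (SQL injection) regardless of how well the DNN core itself is protected.
    public static DataTable GetItemsByTitle_Unsafe(SqlConnection conn, string title)
    {
        string sql = "SELECT ItemId, Title FROM dbo.MyModule_Items WHERE Title = '" + title + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: parameterized query. The input travels as a typed parameter value,
    // never as SQL text, so the statement's structure cannot be altered by it.
    public static DataTable GetItemsByTitle(SqlConnection conn, string title)
    {
        const string sql = "SELECT ItemId, Title FROM dbo.MyModule_Items WHERE Title = @Title";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = title;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // HARDENED: stored procedure call, the pattern the DNN core uses for its own data
    // access. Parameters are bound the same way; the SQL lives in the database.
    public static DataTable GetItemsByTitleSp(SqlConnection conn, string title)
    {
        using (var cmd = new SqlCommand("dbo.MyModule_GetItemsByTitle", conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = title;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

When reviewing a module before installing it, grepping its source for string concatenation into `SqlCommand` text (the first form) is a quick, practical check.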
 
8/23/2011 11:24 PM
 
It would be fair to say that a large percentage of hacking incidents have a lot more to do with social engineering than the system platform.

By this what I mean is that - if you can find the administrator's birthday or their pet's name - you may already have full access to someone's web site. People all too often use passwords that can be deduced by other people - or that they have actually written down or even in some cases emailed or shared with other people.

Yes there are specific security vulnerabilities that have been uncovered over the years on different systems - and these are pretty much always patched within a relatively short time after their discovery.

But no amount of security patches will deal with an administrator that uses the password - admin or the really tricky admin1234.
You have no idea how many times I've seen that one - a hacking crew can dictionary hack such a site in a matter of seconds.

Westa


 
8/24/2011 1:27 PM
 
Well it sounds like an install is only as secure as its 3rd party modules. If a module is coded poorly it could leave the entire installation vulnerable. Is there any way to tell if a module is secure or not before installing it? Does DNN have some sort of rating or module certification type thing to give module purchasers some assurance?

As far as passwords go, what you say is true. I think though that DNN could use a better implementation there ... when users register or change their passwords their authentication information is emailed to them. Not very secure at all ... is there a way to override this functionality?

It'd be better to email the user a link to a place where they could reset their password if they need to and not email them their authentication information at all ...
 
8/24/2011 2:30 PM
 
While DNN seems to be secure, personally I feel very uncomfortable having the WHOLE DNN directory with full read/write permissions.

 