Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...DNN Site getting hacked repeatedlyDNN Site getting hacked repeatedly
Previous
 
Next
New Post
10/5/2007 9:36 AM
 
cathal connolly


cathal connolly's Avatar

www.cathal.co.uk
Joined: 4/9/2003
Posts: 9676

amichalo wrote

 Ed DeGagne wrote

 

This is not a DotNetNuke issue, it's an issue with IIS and security settings.

 

 

I beg to differ. It may be an issue with both IIS and DNN, but from what I have seen, there are several DNN sites that have all had this occur. That leaves only a few possibilities:

(1) coincidence

(2) it is an issue with DNN solely

(3) DNN's configuration leads admins to leave IIS vulnerable

None of our Non-DNN IIS websites have been vicitms of these hackers. We have quite similar configurations.

In general I would recommend against discussing security issues in a public forum as it usually does not end up helping the original posted, but does cause unnecessary FUD (fear, uncertainty and doubt) in the rest of the community. I would encourage anyone with an issue such as this to email the security alias at security@dotnetnuke.com where we can discuss the details in greater depth. The original poster has emailed me a few times now and I've given him some pointers (based on his description I believe the issue is the "famous" 3rd party component one described @ http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryID/422/Default.aspx  ). I've also twice asked for copies of his IIS logs as this would allow me to confirm/deny this suspicion but they have not been sent to me (yet). Without them any answer we can give will only be speculation. Over the years I've helped dozens of people with website hacks sent in to the security alias, and in general they fall into 3 categories

1. server not patched correctly. Normally one or more IIS related patches are missing. This is the problem in the majority of cases and can be avoided by simply running windows update regularly.

2. insecure username/passwords. This is the 2nd most common report, and involves either the host and admin accounts or FTP account details (and in one case the user had anonymous FTP enabled). We added code back in 4.4 to s been a while since we had a zero day exploit (i.e. a hack that was discovered in the wild before we knew about it), but there are known and fixed issues in past releases of dotnetnuke. We recommend that you ensure that you run a version that is not prone to any of these issues. You can find more details of the security policy and bulletins @ http://www.dotnetnuke.com/News/SecurityBulletins/Policy/tabid/940/Default.aspx

Cathal

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
10/5/2007 9:57 AM
 
Jeff Cochran


Joined: 6/3/2005
Posts: 2799

(3) DNN's configuration leads admins to leave IIS vulnerable

I took a look at this, and I'm not convinced this is true but the recommended configuration is not necessarily the most secure.  Not so much in what it recommends as in what it leaves out.  The question then becomes, when is it the application's duty to provide instructions on securing non-application functions?  When you install Internet Explorer it secures IE as well as recommneds security settings.  But it doesn't tell you to test your firewall.  Or patch your operating system.  Should it?

This points out a major flaw in the use of DNN.  Not in DNN, but in the way it is used, often beyond the intended use.  DNN is popular, and being used as a portal instead of just a framework.  Users with little or no IIS knowledge, or ASP.NET or SQL knowledge, can install DNN and get a reasonable site configured.  Then, when there are problems, such as security, they have nowhere to turn other than blaming DNN.  It's really nobody's fault, other than the user not being an expert in multiple disciplines and DNN in not restricting its use to users who have passed qualification testing.  Neither of those is realistic.

Since its inception, DNN has grown to have more of an out-of-the-box ability to be up and running.  Maybe a branch to a version that is just for users to create a site is appropriate.  Probably not.

Jeff
 
New Post
10/5/2007 10:07 AM
 
John Mitchell


www.snapsis.com
Joined: 4/18/2003
Posts: 3987

Keep in mind that you cannot create child portals in DNN unless you give modify permission to the root.

DNN also updates Web.config

Just allowing the anonymous web user to modify the root is not going to cause you to get hacked though.  Although it would be harder if that wasn't the case.  

DotNetNuke Modules from Snapsis.com
 
 Page 4 of 4
Previous1234 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...DNN Site getting hacked repeatedlyDNN Site getting hacked repeatedly


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out