Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...HACK DNN by PHP from Install Folder using aspx filesHACK DNN by PHP from Install Folder using aspx files
Previous
 
Next
New Post
5/27/2016 1:30 AM
 
Armin Rahimian


www.bazaryab.com
Joined: 10/5/2010
Posts: 362

Regarding Following Email and Several DNN hacked, I find php.js in my "ROOT/Resource/Shared/php.js" and I Could Not Delete this fild. How can I delete this file?


In April 2015, we issued a security warningrelated to the DNN install wizard (“InstallWizard.aspx”). The security warning included instructions on how to protect your site. While we issued a patch in May 2015, we recently learned about a new mechanism to exploit this same vulnerability.

This vulnerability is quite severe. It enables an external user to:

Create a new Host account.
Update Host records and tables.
Clear SMTP settings.
Upgrade or alter installed modules.

The following steps are required to safeguard your site against this vulnerability:

Remove the Install.aspx, Install.aspx.cs,InstallWizard.aspx, InstallWizard.aspx.cs, UpgradeWizard.aspx and UpgradeWizard.aspx.cs files from the Website Root/Install folder immediately.
Go to Host > Host Settings page > Other Settings section > under Allowable File Extensions > and ensure that the .aspx extension is NOT allowed to be uploadable.
Go to Host > SuperUser Accounts page and review the list of users in the Super User section to ensure that only known and authorized users are listed. Remove any unauthorized users.
Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting.

We have also just released Evoq 8.4.2 and DNN Platform 8.0.3 to further mitigate this issue. Evoq customers can download the latest packages from the Customer Support Network. DNN Platform users can download the latest packages fromhttp://dotnetnuke.codeplex.com. Please visit our Security Center for additional information about security issues that have been addressed with each release.

As a reminder, you can always emailsecurity@dnnsoftware.com if you believe you have discovered an exploit or vulnerability.

Sincerely,
Will Morgenweck
VP, Product Management

 
New Post
5/27/2016 11:45 AM
 
Alex_1

Joined: 10/12/2007
Posts: 19

In DNN 7.4.1 in the folder C:\inetpub\wwwroot\MyWebSite\Providers\HtmlEditorProviders\Fck\FCKeditor\editor\dialog\fck_spellerpages\spellerpages\server-scripts

there are 3 files 

 

07/29/2015  11:49 AM             5,538 spellchecker.cfm

07/29/2015  11:49 AM             5,854 spellchecker.php

07/29/2015  11:49 AM             4,927 spellchecker.pl

Do I need to keep them?

 

Thanks
 
New Post
5/27/2016 1:38 PM
 
Sebastian Leupold


Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

www.dnnwerk.de
Joined: 3/8/2004
Posts: 46212
Alex,
due to security issues, you should uninstall the FCK editor (or manually remove reference from your web.config and delete folder C:\inetpub\wwwroot\MyWebSite\Providers\HtmlEditorProviders\Fck with all its content.
Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
5/27/2016 2:29 PM
 
Alex_1

Joined: 10/12/2007
Posts: 19
Sebastian Leupold wrote:
Alex,
due to security issues, you should uninstall the FCK editor (or manually remove reference from your web.config and delete folder C:\inetpub\wwwroot\MyWebSite\Providers\HtmlEditorProviders\Fck with all its content.

How to uninstall the FCK? Please guide me trough.

Thanks.
 
New Post
5/27/2016 4:40 PM
 
Sebastian Leupold


Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

Sebastian Leupold's Avatar

www.dnnwerk.de
Joined: 3/8/2004
Posts: 46212
in Host > Extensions, check Sections Modules and Providers for "FCK Editor" (not CKEditor) with "uninstall" link.
if not available, edit your web.config and search for "FCK". it should be listed in section htmlEditor, but NOT as defaultProvider (if it is default provider, replace by "DotNetNuke.RadEditorProvider", which should be listed in one of the following lines). Delete Line starting with add name = "fck"
now delete folder /providers/htmleditorproviders/fck with all files and subfolders.
Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
 Page 1 of 3
123Next 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...HACK DNN by PHP from Install Folder using aspx filesHACK DNN by PHP from Install Folder using aspx files


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out