New Post
12/28/2016 2:23 PM
 
7.4.2 has the same security flaw.

http://www.dnnsoftware.com/community/...

2016-06 (Critical) Unauthorized users may create new SuperUser accounts
Published: 5/26/2016
Background

Whilst installing DNN a number of files are used to coordinate the installation of DNN.

Issue Summary

Whilst these files are necessary for installation of DNN, they were left behind after the process finishes. Potential hackers can use a specially crafted URL to access the install wizard and under certain circumstances create an additional host user. As such these files need to be removed to protect against security profiling.

Pre-condition(s)

The files InstallWizard.aspx and InstallWizard.aspx.cs must exist under Website Root\Install folder.

Fix(s) for issue

To fix this problem, you are recommended to update to the latest versions of the Products - DNN Platform 8.0.3 or Evoq 8.4.2 at the time of writing.

As a temporary alternative, the following files under Website Folder\Install should be deleted:

DotNetNuke.install.config
DotNetNuke.install.config.resources
InstallWizard.aspx
InstallWizard.aspx.cs
InstallWizard.aspx.designer.cs
UpgradeWizard.aspx
UpgradeWizard.aspx.cs
UpgradeWizard.aspx.designer.cs
Install.aspx
Install.aspx.cs
Install.aspx.designer.cs

Recommended cleanup steps after breach

  1. Go to Host > Host Settings page > Other Settings section > under Allowable File Extensions > and ensure that the .aspx extension is NOT allowed to be uploadable.
  2. Go to Host > SuperUser Accounts page and review the list of users in the Super User section to ensure that only known and authorized users are listed. Remove any unauthorized users.
  3. Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting.
  4. Change the SQL Server password and update the connection string in the web.config of your DNN application. This is needed only when you are using a username and password in the connection string. It's not needed while using a Trusted Connection.
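The bulletin's temporary fix and cleanup steps are manual checks on the site's file system and web.config. The script below is an added example (not part of the bulletin or of any poster's message) that an administrator can run on the IIS host to audit a DNN site for the leftover installer files named above, inventory .aspx/.php files for review, and report whether the web.config connection strings embed a SQL password that step 4 would require rotating. The parameter names ($SiteRoot, -Remove) are my own; the script assumes $SiteRoot is the physical path of the DNN site and that it is run under an account with read (and, with -Remove, delete) rights on that folder.

```powershell
# Added example, not DNN's code: audit a DNN site root for the installer files named in
# bulletin 2016-06, list .aspx/.php files for review, and check web.config credentials.
# Assumptions (mine): $SiteRoot is the IIS physical path of the site; take a backup before
# using -Remove.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot,
    [switch]$Remove
)

# Files the bulletin says to delete from <site root>\Install after installation.
$LeftoverInstallFiles = @(
    'DotNetNuke.install.config',
    'DotNetNuke.install.config.resources',
    'InstallWizard.aspx',
    'InstallWizard.aspx.cs',
    'InstallWizard.aspx.designer.cs',
    'UpgradeWizard.aspx',
    'UpgradeWizard.aspx.cs',
    'UpgradeWizard.aspx.designer.cs',
    'Install.aspx',
    'Install.aspx.cs',
    'Install.aspx.designer.cs'
)

$installDir = Join-Path $SiteRoot 'Install'

# 1. Report (and optionally remove) leftover installer files.
$found = @()
foreach ($name in $LeftoverInstallFiles) {
    $path = Join-Path $installDir $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $found += $path
    }
}

if ($found.Count -eq 0) {
    Write-Host "OK: none of the bulletin's installer files remain under $installDir"
} else {
    Write-Warning "$($found.Count) installer file(s) still present under $installDir"
    $found | ForEach-Object { Write-Host "  $_" }
    if ($Remove) {
        foreach ($f in $found) {
            # -Confirm prompts per file; remove it only for unattended runs after review.
            Remove-Item -LiteralPath $f -Confirm
        }
    }
}

# 2. Inventory every .aspx/.php file in the site tree, newest first, for review against a
#    known-good install (cleanup step 3). .php files anywhere and .aspx files under Portals\
#    (the folder DNN uses for uploaded portal files) are flagged, since neither belongs there.
$portalsDir = Join-Path $SiteRoot 'Portals'
Get-ChildItem -LiteralPath $SiteRoot -Recurse -File |
    Where-Object { $_.Extension -in '.aspx', '.php' } |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object {
        $flag = ''
        if ($_.Extension -eq '.php') {
            $flag = 'SUSPICIOUS (.php on a DNN site)'
        } elseif ($_.FullName.StartsWith($portalsDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flag = 'SUSPICIOUS (.aspx under Portals\)'
        }
        [pscustomobject]@{
            LastWriteTime = $_.LastWriteTime
            Path          = $_.FullName
            Flag          = $flag
        }
    } | Format-Table -AutoSize

# 3. Cleanup step 4 applies only when the connection string carries a SQL login password;
#    a trusted (Windows-integrated) connection has no password to rotate.
$webConfig = Join-Path $SiteRoot 'web.config'
if (Test-Path -LiteralPath $webConfig -PathType Leaf) {
    [xml]$cfg = Get-Content -LiteralPath $webConfig -Raw
    foreach ($cs in $cfg.configuration.connectionStrings.add) {
        $value = $cs.connectionString
        if ($value -match '(?i)(Integrated Security\s*=\s*(SSPI|true))|(Trusted_Connection\s*=\s*(yes|true))') {
            Write-Host "Connection string '$($cs.name)' uses a trusted connection; no SQL password to rotate."
        } elseif ($value -match '(?i)\b(password|pwd)\s*=') {
            Write-Warning "Connection string '$($cs.name)' embeds a SQL login password; rotate it and update web.config."
        }
    }
} else {
    Write-Warning "web.config not found under $SiteRoot"
}
```

Run it without -Remove first (for example `.\Audit-DnnInstall.ps1 -SiteRoot 'D:\Sites\dnn'`) and review the listing; the .aspx inventory is deliberately a review aid rather than an automatic delete, because, as the bulletin notes, some .aspx files are part of a working DNN site.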
 
New Post
12/28/2016 2:28 PM
 
That exploit goes all the way to this version.

Look at the critical.

Security Center allows you to view any security bulletins that might be related to the version of DNN you are currently running.

DNN Platform Version:
2016-08 (Low) Certain keywords in Search may give an error page
Published: 8/20/2016
2016-09 (Medium) Non-Admin users with Edit permissions may change site containers
Published: 8/20/2016
2016-10 (Low) Registration link may be used to redirect users to external links
Published: 8/20/2016
2016-07 (Low) Image files may be copied from DNN's folder to anywhere on Server
Published: 8/20/2016
2016-06 (Critical) Unauthorized users may create new SuperUser accounts
 
New Post
12/29/2016 10:40 AM
 
chris izatt wrote:
That exploit goes all the way to this version.

Look at the critical.

Security Center allows you to view any security bulletins that might be related to the version of DNN you are currently running.

DNN Platform Version:
2016-08 (Low) Certain keywords in Search may give an error page
Published: 8/20/2016
2016-09 (Medium) Non-Admin users with Edit permissions may change site containers
Published: 8/20/2016
2016-10 (Low) Registration link may be used to redirect users to external links
Published: 8/20/2016
2016-07 (Low) Image files may be copied from DNN's folder to anywhere on Server
Published: 8/20/2016
2016-06 (Critical) Unauthorized users may create new SuperUser accounts

 

Sorry, forgot the version; it goes all the way to v8.0.2.
 