DNN / DotNetNuke / Evoq — Secure and Latest Versions

As a courtesy to our customers, we maintain a list of recent versions and the important security updates for DNN / DotNetNuke. Generally, the most current version of your CMS is the most secure, but if you have an older version of your CMS, it can be hard to find information on whether your version is secure or not.
 
Bookmark this KB, and we will continue to update it with the most current secure version information.
 

What is the latest secure version of DNN?

DNN 9.0.2 — Security Update
DNN 9.0.2 is a security update to the platform that patches a vulnerability which, if exploited, would allow user data to be pulled from a site. At a minimum, this exploit could be used to pull user email addresses. In some cases it could then be used to pull a site user's display name and user name as well.
 
If you only use the base DNN platform, this may not be a huge issue. However, someone could potentially scrape a DNN site with this exploit to put together email lists. If you have created custom registration forms, though, this exploit could potentially disclose more important user information. Essentially any information that is asked for in a custom registration form could be pulled through this exploit. Consider your individual site and the type of information you ask visitors for on your registration forms, and realize that if this exploit is not patched, someone could potentially gain access to that data.
 
Third party registration modules may also be vulnerable, depending on how the module handles registration. In those cases DNN Software's hotfix cannot be applied, and you will need to contact the module vendor / developer for an updated version.
 
DNN's hotfix can be found below, and should be added to the end of the existing /DesktopModules/Admin/Security/Register.ascx file:
<script runat="server">
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
 
        if (Request.QueryString["userid"] != null)
        {
            Response.Redirect(DotNetNuke.Common.Globals.AddHTTP(PortalSettings.PortalAlias.HTTPAlias), true);
        }
    }
</script>
This causes a redirect to the portal’s home page if the userid parameter is provided when requesting the registration page. 
 
To see DNN's blog post on the security issue, check out the 9.0.2 Release and Security Patch. You can also check out the DNN GitHub documentation release here.

Note that the installable hotfix is included under the DNN 9.0.2 release, which will make the above change for you. However, a site running DNN version 9.0.1 or below will need to have the above hotfix applied.
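To confirm from server logs that the hotfix is taking effect, the following added example (not part of DNN's hotfix or documentation) scans IIS W3C logs for registration-page requests that carry a userid parameter and reports whether each was redirected or served. It assumes the registration page is reached through a path ending in /Register or through ctl=Register in the query string; the log lines are constructed sample data.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2017-03-01 10:00:01 GET /Register - 198.51.100.7 200
2017-03-01 10:00:05 GET /Register userid=1 203.0.113.9 200
2017-03-01 10:00:06 GET /Register UserId=2 203.0.113.9 200
2017-03-01 10:00:09 GET /default.aspx ctl=Register&userid=3 203.0.113.9 302
2017-03-01 10:00:12 GET /Home userid=5 198.51.100.7 200
"""

# Assumption: registration URLs end in /Register or use ctl=Register; adjust per site.
REG_PATH = re.compile(r"/register(/|\.aspx)?$", re.IGNORECASE)

def is_registration(stem, params):
    ctl = params.get("ctl", [""])[0].lower()
    return bool(REG_PATH.search(stem)) or ctl == "register"

def find_userid_requests(log_text):
    """Return (ip, uri, status, verdict) for registration requests carrying userid."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        parsed = parse_qs("" if query == "-" else query, keep_blank_values=True)
        # Lower-case the keys: ASP.NET query string lookups are case-insensitive.
        params = {k.lower(): v for k, v in parsed.items()}
        stem = row.get("cs-uri-stem", "")
        if "userid" not in params or not is_registration(stem, params):
            continue
        status = row.get("sc-status", "")
        # Response.Redirect answers with a 302, so a 302 matches the hotfix behaviour.
        verdict = "redirected (hotfix behaviour)" if status == "302" else "served, check hotfix"
        hits.append((row.get("c-ip"), stem + "?" + query, status, verdict))
    return hits

if __name__ == "__main__":
    for hit in find_userid_requests(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A request reported as "served, check hotfix" on a site running 9.0.1 or below is the cue to verify that Register.ascx contains the hotfix block.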
 
DNN 9.0.1 — Security Update
DNN 9.0.1 is a security update that addresses several security vulnerabilities ranked from "low" to "medium" by the DNN Software team. According to the security bulletin, these vulnerabilities include:
 
  • 2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations
  • 2017-02 (Low) Authorization can be bypassed for few Web APIs
  • 2017-03 (Low) Socially engineered link can trick users into some unwanted actions
  • 2017-04 (Low) Unauthorized file-copies can cause disk space issues
 
More information can be found in the DNN 9.0.1 security bulletin here, and if you want in-depth information on these security vulnerabilities, you can read a detailed breakdown of each of them in the DNN Security Center here. Want to see the full release notes? Check out the DNN Platform update documentation here.
 
DNN 9.0.0 — Major Features Update
DNN 9.0 is a huge push forward for the platform. Similar to how Windows skipped numbering for "Windows 9" and jumped right to Windows 10, DNN 9 is full of so many new features that making it DNN 8.1 seemed like a disservice. While in early release status, DNN 9 gives a good indication of the direction the platform is going, with a heavier focus on the Content in "Content Management System," as well as stronger pushes for marketing integrations throughout the platform.
 
The official GitHub release for DNN 9.0.0 can be found here. And if you haven't seen it yet, we recommend checking out the DNN 9 launch video for more information on the direction of the platform: Why Marketing and IT Will Love the New DNN.
 
DNN 8.0.4 — Security Update
DNN version 8.0.4 is a security update for the DNN / DotNetNuke 8.x series that addresses several security vulnerabilities ranked from "low" to "medium" by the DNN Software team. According to the security bulletin, these vulnerabilities include:
 
  • 2016-07 (Low) Image files may be copied from DNN's folder to anywhere on server
  • 2016-08 (Low) Certain keywords in search may give an error page
  • 2016-09 (Medium) Non-Admin users with edit permissions may change site containers
  • 2016-10 (Low) Registration link may be used to redirect users to external links
 
More information can be found in the DNN 8.0.4 security bulletin here, and if you want in-depth information on these security vulnerabilities, you can read a detailed breakdown of each of them in the DNN Security Center here. If you'd like to do a deep dive into the full release notes, check out the DNN Platform 8.0.4 update documentation here.
 
DNN 8.0.3 — Security Update
DNN version 8.0.3 is an important security update that addresses — once again — the issue with the InstallWizard.aspx file(s) which was first identified and classified as "critical" in May, 2015. We first reported on this issue more than a year ago; however, recently the issue has cropped up again and is affecting several people in the DNN community and their DNN sites.
 
Whether a full recursion or not, it is important to note that this is still an issue. If you have not updated your site and followed the recommended best practices we have outlined, please do so to help close this critical vulnerability on your sites. You can read our original article on the issue here, which our team has updated to include the latest information on how to combat this problem.
 
This is an active issue. For more information, we have written an article on how to address this issue here: DNN install wizard vulnerability resurfaces, users encouraged to address immediately.
 
DNN 8.0.2 — Security Update
DNN version 8.0.2 is an important security update that addresses a recently identified vulnerability in the DNN 8 core. With a severity classified as "Critical" by DNN Software, this exploit could allow unapproved file uploads by unauthenticated users. This vulnerability affects the following versions: DNN Platform 8.0, DNN Platform 8.0.1, Evoq 8.3, Evoq 8.4 — if you use any of those versions, it is strongly recommended that you update immediately to mitigate the possibility of malicious attacks. Updating to the latest versions — DNN Platform 8.0.2 or Evoq 8.4.1 — will patch this vulnerability. For more information, read the official security release announcement here.
 
DNN 8.0.1 — Security Update
DNN 8.0.1 is a security release to the DNN 8x series. This minor update addresses three identified vulnerabilities classified as "Low" on the potential threat scale, and one classified as "Critical." The critical vulnerability involves a "Potential CSRF issue on WebAPI POST requests." More information on the 8.0.1 release can be found on the official security bulletin here.
 
DNN 8.0 — Major Update*
DNN 8 is a full-version upgrade to the popular DNN / DotNetNuke platform. Described as "a major leap forward for DNN" by DNN Software, this version takes a step away from the past while working toward the future. As part of that cleanup, the decision was made to remove many old features of DNN that are no longer used. To that end, the following have been removed from DNN core in the 8x series: SiteLog, UsersOnline, Newsletter Module, Vendors/Banners Modules, ASP2MenuNavigationProvider, DNNMenuNavigationProvider, DNNTreeNavigationProvider, RequestFilter, Widget Framework, and Users Online. Some of the removed features will be moved to GitHub for use by the community.
 
DNN 8 has a strong focus on improving the overall performance of the platform. Bottlenecks were addressed, static files are now handled differently, and load has been addressed to improve performance, particularly with changes implemented to ensure the best handling of ASP.Net code vs. static code.
 
For more information on DNN 8, read the official release announcement here, or consult the CodePlex release here.
 
*NOTE: While the DNN 8x series is the most current major release of the DotNetNuke platform, the Managed.com and PowerDNN team — along with the DNN community — has noted several issues in DNN 8 that should give someone pause before a full update is considered. Yes, our team can help you with your DNN upgrades; however, before making the jump into DNN 8, we recommend you read our knowledge base article: DNN 8 - Features and Breaking Changes. For more information, see the note in our 7.4.2 version log below.
 
DNN 7.4.2 — Maintenance Update*
DNN 7.4.2 picks up where 7.4.1 left off in stabilizing the 7.4.x series. Version 7.4.2 fixes multiple issues, including: lists in custom registration forms, ignore words in Italian and French, multi-language site rules, malformed URL return parameters, corrections to SSL offload environments, and an issue where site settings could be duplicated. More information on the 7.4.2 release can be found here.
 
*NOTE: The DNN 7.4.2 release is regarded as the most stable version of the DNN / DotNetNuke platform. Our team can certainly perform an upgrade to DNN 8 for you; however, there are several major changes within the platform that you should consider before deciding to update your site. Due to the multiple issues identified in the DNN 8x series, we recommend you familiarize yourself with the changes our team has outlined in our knowledge base article: DNN 8 - Features and Breaking Changes.
 
If, however, you are a professional developer or seasoned DNN / DotNetNuke pro, and you feel comfortable with it, then go for it — knowing full well you may have some complications to overcome. If you are unsure or hesitant about what effects DNN 8 may have on your existing site, we recommend updating no further than 7.4.2 at this time. All Managed.com and PowerDNN customers may, of course, open a ticket to speak with our support team about updates.
 
If you are building a new site from the ground up, however, you are fine to use the most current, secure version of the DNN 8x series. Many of the breaking complications come up through updating a site, and do not seem to be present if building a new DNN 8 site from scratch.
 
DNN 7.4.1 — Maintenance Update
DNN 7.4.1 is intended solely as a stabilization update that addresses the bulk of the issues found in 7.4. More info about 7.4.1 can be found here.
 
DNN 7.4 — Features Update
While DNN 7.4 has been released, our engineers are not actively recommending it at this time. Due to several errors and technical issues discovered since its release, we still recommend that DNN users stick with version 7.3.3 for stability and usability reasons. If you are an experienced DNN developer, you may feel perfectly comfortable upgrading to 7.4. More information on DNN 7.4 can be found here and here.
 
DNN 7.3.3 — Maintenance Update
DNN version 7.3.3 is a maintenance release that addresses several fixes in the DNN / DotNetNuke core. Items addressed include: an issue where notifications were not updating properly, issues with upgrades failing, a minor security issue, and several other tweaks and enhancements. For more information on the 7.3.3 release, view the highlight notes here.
 
DNN 7.3.2 — Maintenance Update
DNN version 7.3.2 includes several new features and fixes, such as fixes for several skin issues, CDN settings for JavaScript libraries, and a fix for the tricky runaway thread issue that caused high CPU usage. We fully support this version and have cleared it for use by our team of DNN / DotNetNuke experts. For more information on the 7.3.2 release, view the highlight notes here.
 
DNN 7.3 — Insecure
While DNN 7.3 includes many new features, our team of engineers — and the DNN / DotNetNuke Community — has found numerous issues with this update. While these errors are not "full regressions," they do potentially pose a problem to your DNN site. Our recommendation is to wait for DNN 7.3.2. You can find out more about our reasons here.
 
DNN 7.2.2 — Security Update
DNN 7.2.1 is a significant upgrade and includes a number of excellent new features for DotNetNuke. We recommend existing DotNetNuke websites upgrade immediately for new features, performance enhancements, bug fixes, and additional security protections. DNN 7.2 includes an updated SQL module, JavaScript Library Management, enhanced search, and many other improvements. For a full list of changes, see the 7.2 release notes here.

DNN 7.2.1 — Security Update
This version of DNN was released only six weeks after 7.2, and includes "significant value in the areas of security, performance, and user experience." Full details for the 7.2.1 update can be found in the release notes here. DNN 7.2.2 includes maintenance tweaks and new features for users. More information can be found here.

DotNetNuke 6.2.8
DotNetNuke 6.2.8 makes your website social. You can build social communities using new features such as Facebook Login, Social Groups, Member Directories, Activity Feeds, and much more.  DotNetNuke 6.2.8 has been thoroughly tested and is recommended for production.
 
DotNetNuke 6.x
If you are running a DotNetNuke 6.x release prior to version 6.2.8, we recommend upgrading to patch security issues.

DotNetNuke 5.6.8
While DotNetNuke 5.6.8 is a stable and secure version, DotNetNuke Corporation no longer actively enhances it. Customers who run DotNetNuke 5.6.8 should consider upgrading in the near future.
 

Don't See Your Version Here? You Need To Upgrade
If you do not see your version of DNN / DotNetNuke here, you should upgrade immediately for the latest security and performance benefits. Certain older versions of DotNetNuke may contain critical security vulnerabilities.
