Vulnerabilities with FCKeditor and Older Versions of DotNetNuke.


Issue

Your site has been hacked and you are running an older version of DotNetNuke. FCKeditor is the default text editor used by earlier versions of DNN. It is a WYSIWYG (what you see is what you get) editor, meaning the text being edited looks as close as possible to how it will appear once published.

Cause

DNN uses rich text editor controls in a variety of modules. The application uses a provider model so that this functionality can easily be replaced with a control of the user's choice, with default support for the FCKeditor control. These rich text editor controls typically leverage the DNN URL control, which provides a convenient way to select URLs, pages, and files for the portal. In the files area, there is also the ability to upload files from your client machine. Once a file is selected, it is passed to the DotNetNuke file system API, which handles saving it, including services such as storage in a secure file system or a secure database.

In DNN versions prior to 4.9.5, the logic for both the URL control and the file system API was missing security validation. It assumed that any input passed from a rich text editor control was valid and did not revalidate the folder permissions on the server. In addition, it contained flawed logic that allowed a user to write files to folders for which they had only read access. An attacker can combine these two flaws to upload files to folders they should not be able to write to. Because, by default, anonymous users in most DNN portals have read access to every folder beneath the Portals home directory, the flaw allowed an anonymous user to upload a file to any folder under that directory. Hacker groups have been actively exploiting these vulnerabilities in older versions of DNN.
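The two flaws above, as an added illustration that is not DotNetNuke's own code: an upload handler that trusts the folder name the editor sends back and checks only READ permission, beside a hardened version that normalises the path and revalidates WRITE permission on the server. The portal root, the folder permission table, the role names and the function names are assumptions constructed for the demonstration.

```python
"""
Added example (not DNN's API): the permission flaw beside its fix.
The permission table mirrors the default the article describes: anonymous
users ("All Users") can READ every folder under the portal root, and WRITE
only where an administrator granted it.
"""
from pathlib import PurePosixPath
from typing import Dict, Optional, Set

PORTAL_ROOT = PurePosixPath("/Portals/0")  # assumed portal home directory

# Constructed permission table keyed by folder path relative to PORTAL_ROOT.
FOLDER_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "":        {"All Users": {"READ"},          "Administrators": {"READ", "WRITE"}},
    "Images":  {"All Users": {"READ"},          "Administrators": {"READ", "WRITE"}},
    "Uploads": {"All Users": {"READ", "WRITE"}, "Administrators": {"READ", "WRITE"}},
}


def _normalize(folder: str) -> str:
    """Collapse '.', '..', backslashes and leading slashes so a crafted folder
    string cannot point outside the portal root."""
    parts = []
    for p in PurePosixPath(folder.replace("\\", "/")).parts:
        if p in ("", "/", "."):
            continue
        if p == "..":
            if parts:
                parts.pop()
            continue
        parts.append(p)
    return "/".join(parts)


def has_permission(role: str, folder: str, perm: str) -> bool:
    rights = FOLDER_PERMISSIONS.get(folder)
    return rights is not None and perm in rights.get(role, set())


def upload_vulnerable(role: str, folder: str, filename: str) -> Optional[str]:
    """Pre-4.9.5 style logic as the article describes it: the editor is trusted
    to have validated the folder, so the API only confirms the user can see it.
    Returns the path the file would be written to, or None if refused."""
    if has_permission(role, folder, "READ"):
        return str(PORTAL_ROOT / folder / filename)  # anonymous user can write anywhere
    return None


def upload_hardened(role: str, folder: str, filename: str) -> Optional[str]:
    """Revalidate on the server: normalise the folder, require it to be a known
    folder under the portal root, require WRITE rather than READ, and refuse a
    filename that carries its own path components."""
    folder = _normalize(folder)
    if folder not in FOLDER_PERMISSIONS:
        return None
    if not has_permission(role, folder, "WRITE"):
        return None
    if not filename or PurePosixPath(filename).name != filename:
        return None
    return str(PORTAL_ROOT / folder / filename)


if __name__ == "__main__":
    # Anonymous user pushing a server-side script into a read-only folder.
    print(upload_vulnerable("All Users", "Images", "cmd.aspx"))   # accepted: /Portals/0/Images/cmd.aspx
    print(upload_hardened("All Users", "Images", "cmd.aspx"))     # refused: None
    print(upload_hardened("All Users", "Uploads", "photo.jpg"))   # allowed: /Portals/0/Uploads/photo.jpg
```

The point of the hardened version is that the server never relies on what the editor control already checked: the folder string is normalised and looked up again, and the permission tested is the one the operation actually needs. Restricting which file extensions may be written at all is a separate control that the article does not cover.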

Resolution

If you are running an old DNN website, it is vulnerable and may already have been compromised. You will need to upgrade your site to a secure version of DNN (4.9.5 or later) as soon as possible. Please open a support ticket to request an upgrade to the latest version of DNN.
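Because a vulnerable site may already have been compromised, a quick triage check is worth running before and after the upgrade. The script below is an added example, not part of the original article or of DNN: it walks a Portals directory and lists every file with a server-executable extension, since uploaded files of that kind have no business under the portal file areas. The extension list and the sample directory tree it builds are assumptions constructed for the demonstration; point find_suspect_files at your real Portals folder to use it.

```python
"""
Added triage check (not from the article): list server-executable files
under a DNN Portals directory. Skin and container files (.ascx) legitimately
live under Portals/_default, so they are deliberately not flagged.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumed set of extensions IIS would execute if requested directly.
SUSPECT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".cshtml"}


def find_suspect_files(portals_dir: Path) -> List[Tuple[str, int]]:
    """Return (path relative to portals_dir, size in bytes) for every file whose
    extension is in SUSPECT_EXTENSIONS, sorted for stable output."""
    hits = []
    for root, _dirs, files in os.walk(portals_dir):
        for name in files:
            if Path(name).suffix.lower() in SUSPECT_EXTENSIONS:
                full = Path(root) / name
                rel = str(full.relative_to(portals_dir)).replace(os.sep, "/")
                hits.append((rel, full.stat().st_size))
    return sorted(hits)


def build_sample_portals() -> Path:
    """Constructed sample tree: one normal image plus two planted script files."""
    base = Path(tempfile.mkdtemp(prefix="portals_")) / "Portals"
    (base / "0" / "Images").mkdir(parents=True)
    (base / "_default").mkdir(parents=True)
    (base / "0" / "Images" / "logo.png").write_bytes(b"\x89PNG\r\n")
    (base / "0" / "Images" / "cmd.aspx").write_text('<%@ Page Language="C#" %>')
    (base / "_default" / "x.ASHX").write_text("<%@ WebHandler %>")
    (base / "_default" / "skin.ascx").write_text("<%@ Control %>")  # legitimate, not flagged
    return base


if __name__ == "__main__":
    for rel, size in find_suspect_files(build_sample_portals()):
        print(f"{rel}  ({size} bytes)")
```

Anything this reports should be treated as a likely web shell and reviewed against its creation time, the IIS logs for requests to that path, and any other files written around the same time.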

If you are unsure which version of DotNetNuke your site is currently running, follow the steps below.

  1. Log into your website as Host.
  2. Navigate to Host > Host Settings.
  3. Your DotNetNuke version will be listed.

If your version is 4.9.5 or later, including any version beginning with 05.xx.xx, 5.x.x, 06.xx.xx, or 6.x.x, then this issue does not apply to you.
