This week, DNN published information about a potential vulnerability in the Install Wizard feature of DNN. While it will be fully addressed with the release of DNN 7.4.1, the DNN Software Team decided to act proactively and inform the community about this issue ahead of the patch.
Cathal Connolly, writing on behalf of DNN Software, spelled out the reasons for the advance publication of the vulnerability’s existence before the next release.
Connolly writes:
“Normally, we would not provide any advance detail of a security fix as that tends to benefit potential hackers more than users. However, a few days ago we received a report from a user that one of their sites had been exploited. Based on the information from that user, it seems that their site had been exploited via the same vulnerability. Since that case we had one other report, so it appears that this is being exploited on a limited basis.”
The issue would be classified as “critical”; however, as Connolly points out, only a small subset of users would be affected by it.
The quick fix is to delete two files:
• InstallWizard.aspx
• InstallWizard.aspx.cs
If you have any concerns that your site may be affected by this vulnerability, these files may be safely deleted. Managed.com does not use these files in our environment.
While this issue does affect “a small subset of users” of DNN, we want to reassure the community that it is not a cause for alarm.
Our own engineers have assessed the issue, and we have contacted the DNN Software Team. We feel confident in their assurance that only a very small subset of users is affected, and the mitigation steps already in place make it unlikely that an affected site could be exploited.
In his post, Connolly says that after the release of 7.4.1, DNN Software will “publish a security bulletin for this issue and will detail the versions of DNN that are vulnerable, as well as [provide] more detail on which configurations are potentially vulnerable.”
As always, if you have any questions about this issue or deleting these files on your DNN site, don’t hesitate to contact a member of our support team.
UPDATE: May 27th, 2016
DNN states that the following files should be removed after DNN is installed:
- DotNetNuke.install.config
- DotNetNuke.install.config.resources
- InstallWizard.aspx
- InstallWizard.aspx.cs
- InstallWizard.aspx.designer.cs
- UpgradeWizard.aspx
- UpgradeWizard.aspx.cs
- UpgradeWizard.aspx.designer.cs
- Install.aspx
- Install.aspx.cs
- Install.aspx.designer.cs
Per DNN, the following steps should be followed after a breach, or to verify that you have not been breached:
- Go to Host > Host Settings page > Other Settings section > under Allowable File Extensions > and ensure that the .aspx extension is NOT allowed to be uploadable
- Go to Host > SuperUser Accounts page and review the list of users in the Super User section to ensure that only known and authorized users are listed. Remove any unauthorized users.
- Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting.
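The file-system parts of the checklist above (removing the leftover install files and inventorying .aspx/.php files for review) as an added PowerShell example; this is not DNN's or Managed.com's own script. It assumes $SiteRoot is your DNN web root and that the account running it can delete files there; the host-settings and SuperUser steps are done in the DNN host UI, not here.

```powershell
# Added example, not code from DNN or Managed.com.
$SiteRoot = 'C:\inetpub\wwwroot\dnn'   # assumption: set to your site's root folder
$DryRun   = $true                      # $true only reports; set to $false to delete

# The files DNN says to remove once installation is complete.
$InstallFiles = @(
    'DotNetNuke.install.config', 'DotNetNuke.install.config.resources',
    'InstallWizard.aspx', 'InstallWizard.aspx.cs', 'InstallWizard.aspx.designer.cs',
    'UpgradeWizard.aspx', 'UpgradeWizard.aspx.cs', 'UpgradeWizard.aspx.designer.cs',
    'Install.aspx',       'Install.aspx.cs',       'Install.aspx.designer.cs'
)

# Step 1: find leftover install/upgrade files anywhere under the root and remove them.
# -contains is case-insensitive, which matches Windows file-name semantics.
$leftovers = Get-ChildItem -Path $SiteRoot -Recurse -File |
    Where-Object { $InstallFiles -contains $_.Name }
foreach ($f in $leftovers) {
    Write-Host "Install file still present: $($f.FullName)"
    Remove-Item -LiteralPath $f.FullName -Force -WhatIf:$DryRun
}
if (-not $leftovers) { Write-Host 'No install wizard files found.' }

# Step 2: inventory every .aspx and .php file for manual review, newest first.
# Nothing is deleted here: some .aspx files are a legitimate part of DNN, so each
# entry (especially a recently written one under an upload folder) is inspected by hand.
Get-ChildItem -Path $SiteRoot -Recurse -File -Include '*.aspx', '*.php' |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run it once with $DryRun left at $true to see what would be removed, then flip it to $false after confirming the list.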
Published: May 1, 2015 at 11:35 AM