Quick workaround for DNN vulnerability that affects 'small subset of users'

UPDATE: We have published a new report on this vulnerability here: DNN install wizard vulnerability resurfaces, users encouraged to address immediately.
 
This week, DNN published information about a potential vulnerability in the Install Wizard feature of DNN. While it will be fully addressed with the release of DNN 7.4.1, the DNN Software Team decided to act proactively and inform the community about this issue ahead of the patch.
 
Cathal Connolly, writing on behalf of DNN Software, spelled out the reasons for the advance publication of the vulnerability’s existence before the next release.
 
Connolly writes:
 
“Normally, we would not provide any advance detail of a security fix as that tends to benefit potential hackers more than users. However, a few days ago we received a report from a user that one of their sites had been exploited. Based on the information from that user, it seems that their site had been exploited via the same vulnerability. Since that case we had one other report, so it appears that this is being exploited on a limited basis.”
 
The issue would be classified as “critical”; however, Connolly points out that only a small subset of users would be affected by it.
 
The quick fix is to delete two files:
• InstallWizard.aspx
• InstallWizard.aspx.cs
 
If you have any concerns that your site may be affected by this vulnerability, these files may be safely deleted. Managed.com does not use these files in our environment.
 
While this issue does affect “a small subset of users” of DNN, we want to assure the community that this is not a cause for alarm.
 
Our own engineers have assessed the issue, and we have contacted the DNN Software Team. We feel confident in their assurance that a very small subset of users are affected by this issue, and the mitigation steps already in place make it unlikely that an affected site could be exploited.
 
In his post, Connolly says after the release of 7.4.1, DNN Software will “publish a security bulletin for this issue and will detail the versions of DNN that are vulnerable, as well as [provide] more detail on which configurations are potentially vulnerable.”
 
For more information, you can read the complete post on the DNN Community Blog: “Workaround for potential security issue.”
 
As always, if you have any questions about this issue or deleting these files on your DNN site, don’t hesitate to contact a member of our support team.
 

UPDATE: May 27th, 2016

The vulnerability has resurfaced and has been addressed by DNN 8.0.3. DNN 8.0.3 is a critical update, as documented at http://www.dnnsoftware.com/platform/manage/security-center ("2016-06 (Critical) Unauthorized users may create new SuperUser account").
 
DNN states that the following files should be removed after DNN is installed:
  • DotNetNuke.install.config
  • DotNetNuke.install.config.resources
  • InstallWizard.aspx
  • InstallWizard.aspx.cs
  • InstallWizard.aspx.designer.cs
  • UpgradeWizard.aspx
  • UpgradeWizard.aspx.cs
  • UpgradeWizard.aspx.designer.cs
  • Install.aspx
  • Install.aspx.cs
  • Install.aspx.designer.cs

Per DNN, the following steps should be followed after a breach, or in verifying that you have not been breached:
  • Go to Host > Host Settings page > Other Settings section > under Allowable File Extensions > and ensure that the .aspx extension is NOT allowed to be uploadable
  • Go to Host > SuperUser Accounts page and review the list of users in the Super User section to ensure that only known and authorized users are listed. Remove any unauthorized users.
  • Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting.
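
The two file checks above (leftover installer files, and the search for .aspx and .php files) can be run as a read-only PowerShell audit. This is an added example, not code from DNN or from the original post; the site path `C:\inetpub\wwwroot\dnn` and the function names are assumptions, and nothing is deleted.

```powershell
param(
    # Assumption: physical path of the DNN site root; adjust for your server.
    [string]$SiteRoot = 'C:\inetpub\wwwroot\dnn'
)

# Installer files DNN says should be removed after installation (names from this post).
$InstallerFiles = @(
    'DotNetNuke.install.config', 'DotNetNuke.install.config.resources',
    'InstallWizard.aspx', 'InstallWizard.aspx.cs', 'InstallWizard.aspx.designer.cs',
    'UpgradeWizard.aspx', 'UpgradeWizard.aspx.cs', 'UpgradeWizard.aspx.designer.cs',
    'Install.aspx', 'Install.aspx.cs', 'Install.aspx.designer.cs'
)

function Get-DnnLeftoverInstallerFile {
    param([Parameter(Mandatory)][string]$Root)
    # Match by file name anywhere under the root: the post gives names, not paths.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $InstallerFiles -contains $_.Name }
}

function Get-DnnScriptFile {
    param([Parameter(Mandatory)][string]$Root)
    # All .aspx/.php files, most recently written first, for manual inspection.
    # Timestamps can be altered, so an old date does not clear a file.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { @('.aspx', '.php') -contains $_.Extension } |
        Sort-Object LastWriteTimeUtc -Descending |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

if (-not (Test-Path -LiteralPath $SiteRoot -PathType Container)) {
    throw "Site root not found: $SiteRoot"
}

$leftover = @(Get-DnnLeftoverInstallerFile -Root $SiteRoot)
if ($leftover.Count -gt 0) {
    Write-Warning "$($leftover.Count) installer file(s) still present:"
    $leftover | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Output 'No installer files from the DNN list were found.'
}

$scripts = @(Get-DnnScriptFile -Root $SiteRoot)
Write-Output "$($scripts.Count) .aspx/.php file(s) to review (newest first):"
$scripts | Format-Table -AutoSize
```

Some of the listed .aspx files belong to the site, so treat the output as a review list and compare it against a clean copy of the same DNN version before removing anything.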
 
If you ever have any questions about what is the most secure version of DNN, please check our updated KB: DNN / DotNetNuke — Secure and Latest Versions.