DNN install wizard vulnerability resurfaces, users encouraged to address immediately


Update to DNN 8.0.3 to close this critical vulnerability

A previously identified critical vulnerability has returned to rear its ugly head within the DNN platform. The issue involving the InstallWizard.aspx file(s), which we first reported on over a year ago, appears to once again be affecting the DNN Community.
By exploiting this critical vulnerability, attackers are able to create their own SuperUser accounts on a DNN installation. After this issue is fully addressed on your own site, our team strongly recommends that you review the Host > SuperUser Accounts page within your DNN admin dashboard to ensure there are no unauthorized accounts on your site.
The vulnerability exists in the Install Wizard feature of DNN, and was supposed to be addressed with the release of version 7.4.1; however, there have been multiple reports this week within the DNN Community and on social media that this is still an issue.
The original fix released by DNN Software was to remove the files:
  • InstallWizard.aspx
  • InstallWizard.aspx.cs
Those files remain after an installation, but are not needed by the CMS and may be safely deleted. Managed.com does not use these files in our environment.

Issue returns, 'critical' DNN security update released

DNN Software has now issued a new critical security advisory on this issue. It appears to be more widespread and potentially more damaging than originally thought.
According to the latest security update, there are several additional files that must be removed.
In a breakdown of the “Issue Summary” for this vulnerability, the DNN Security Team writes:
"Whilst these files are necessary for installation of DNN, they were left behind after the process finishes. Potential hackers can use a specially crafted URL to access the install wizard and under certain circumstances create an additional host user. As such these files need to be removed to protect against security profiling."
Yesterday, DNN Software released DNN version 8.0.3, which is a security fix solely for this issue. Users who are able to do so are encouraged to update to version 8.0.3 or Evoq 8.4.2 so that attackers cannot use this vulnerability against their sites.
If, however, you are not on the DNN 8.x series, or are unable to update due to technical or development reasons, there is a temporary fix you can implement in order to close this issue.
PLEASE NOTE: Even if you deleted the two files originally outlined last year for this issue, the new “official” temporary fix from DNN Software recommends that you delete several additional files to completely close this vulnerability as a vector of attack.

How to close this DNN security vulnerability

According to the security release, the following files under Website Folder/Install should be deleted:
  • DotNetNuke.install.config
  • DotNetNuke.install.config.resources
  • InstallWizard.aspx
  • InstallWizard.aspx.cs
  • InstallWizard.aspx.designer.cs
  • UpgradeWizard.aspx
  • UpgradeWizard.aspx.cs
  • UpgradeWizard.aspx.designer.cs
  • Install.aspx
  • Install.aspx.cs
  • Install.aspx.designer.cs
Additionally, DNN Software recommends the following cleanup steps after a breach:
  • Go to Host > Host Settings page > Other Settings section > Allowable File Extensions and ensure that the .aspx extension is NOT in the list of uploadable extensions.
  • Go to Host > SuperUser Accounts page and review the list of users in the Super User section to ensure that only known and authorized users are listed. Remove any unauthorized users.
  • Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting.
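
The file removal and the .aspx/.php search described above can be scripted. The following PowerShell is an added example, not tooling from DNN Software or Managed.com; the `-SiteRoot` parameter (the folder that contains the site's `Install` directory) is an assumption of this sketch.

```powershell
# Added example; -SiteRoot is the DNN website folder (assumed parameter name).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot
)

if (-not (Test-Path -LiteralPath $SiteRoot -PathType Container)) {
    throw "Site root not found: $SiteRoot"
}

# The eleven files the advisory lists under <Website Folder>\Install.
$advisoryFiles = @(
    'DotNetNuke.install.config', 'DotNetNuke.install.config.resources',
    'InstallWizard.aspx', 'InstallWizard.aspx.cs', 'InstallWizard.aspx.designer.cs',
    'UpgradeWizard.aspx', 'UpgradeWizard.aspx.cs', 'UpgradeWizard.aspx.designer.cs',
    'Install.aspx', 'Install.aspx.cs', 'Install.aspx.designer.cs'
)
$installDir = Join-Path -Path $SiteRoot -ChildPath 'Install'

# Step 1: delete each listed file that is still present and record the outcome.
$report = foreach ($name in $advisoryFiles) {
    $path = Join-Path -Path $installDir -ChildPath $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $status = 'Absent'
    } else {
        if ($PSCmdlet.ShouldProcess($path, 'Delete')) {
            Remove-Item -LiteralPath $path -Force
        }
        # Re-check rather than assume: -WhatIf or a locked file leaves it in place.
        if (Test-Path -LiteralPath $path) { $status = 'StillPresent' } else { $status = 'Removed' }
    }
    [pscustomobject]@{ File = $name; Status = $status }
}
$report | Format-Table -AutoSize

# Step 2: list every .aspx/.php file, newest first, for manual review.
# Nothing is deleted here: some .aspx files are required by a working site.
Get-ChildItem -LiteralPath $SiteRoot -Recurse -File |
    Where-Object { $_.Extension -in '.aspx', '.php' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

Saved as a .ps1 file, run it with `-WhatIf` first to see which files would be deleted; any row reported as `StillPresent` after a real run needs manual attention.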

The Managed.com Team is here to help

Our team has updated the Managed.com Control Suite software to allow for the proper deletion of the above-outlined files within a DNN installation. If you are using our software to create a new DNN site, you are protected from this critical vulnerability.
The Managed.com programming team updated our software quickly with the release of the new security advisory from DNN Software.
As always, if you have any questions about these issues, or would like the Managed.com team to help you with updating your site, please contact a member of our support team and we will be happy to help.
If you ever have any questions about the current, most secure version of DNN, please check our KB article: DNN / DotNetNuke — Secure and Latest Versions.
Works Cited / For Further Reading:
DNN / DotNetNuke — Secure and Latest Versions. (Managed.com)
Quick workaround for DNN vulnerability. (Managed.com)
Workaround for potential security issue. (DNNSoftware.com)
Critical: Unauthorized users may create new SuperUser accounts. (DNN Security Center)
DNN security alert: rogue host users. (MitchelSellers.com)