Important DNN / DotNetNuke Evoq 9.0.2 security patch released

 

If left unpatched, the vulnerability can be used to harvest identifiable user data from registration forms

 
DEDICATED SERVER UPDATE: Our team has implemented a way to apply the patch through Control Suite. If your dedicated server has Control Suite on it, the hotfix security patch has now been applied to your devices.
 
EDITOR’S NOTE: If you host with Managed.com / PowerDNN, and you have a shared hosting plan, we have applied the hotfix for you. If you have a dedicated server, and you do not have Control Suite on it, you will need to contact our team if you would like us to work with you on applying the fix.
 
 
Last night DNN Software put up a new post on their community blog about the DNN 9.0.2 update patch. Although the patch itself was quietly released nearly eight days ago (according to GitHub), this post was the first public acknowledgment of the issue the security patch addresses.
 
DNN Software wisely kept the details of the vulnerability somewhat oblique. We feel this was the right call, particularly in the wake of the sites recently compromised through the zero-day vulnerability patched in WordPress 4.7.2. Within days of the details of that patch being made public, hundreds of thousands of WordPress sites were targeted by malicious attackers taking advantage of the vulnerability.
 
The WordPress Security Team was even quoted in ZDNet saying they purposely didn’t provide details about the exploit up front, in an attempt to mitigate the damage done.
 
Similarly, DNN Software has tried to keep the details of this vulnerability low-key.
 

All your user data are belong to us

In the simplest terms, the DNN 9.0.2 patch closes a vulnerability where the DNN registration form data could leak into an unauthorized user’s hands.
 
If exploited, this vulnerability would allow user data to be pulled from a DNN site. At a minimum, the exploit could be used to pull user email addresses. In some cases it could then be used to pull a site user’s display name and user name as well.
 
If your site uses custom or third-party modules for registration forms, things can get a little more dicey. We detail this in our KB article: DNN / DotNetNuke / Evoq — Secure and Latest Versions. (We do keep this document up-to-date, so feel free to bookmark it for future reference.)
 
In that KB, we explain how custom registration forms could be a bigger risk:
 
If you only use the base DNN platform, [the 9.0.2 update] may not be a huge issue. However, someone could potentially scrub a DNN site with this exploit to put together email lists. If you have created custom registration forms, though, this exploit could potentially disclose more important user information. Essentially any information that is asked for in a custom registration form could be pulled through this exploit. Consider your individual site, what type of information you ask visitors on your registration forms, and realize that if this exploit is not patched someone could potentially gain access to that data.
 
Keep in mind the level of information you ask for on your site’s registration forms. If they are custom and you ask for identifiable user data, you will definitely want to address this vulnerability as soon as possible.
 
We have outlined how you can apply that fix in our KB: DNN / DotNetNuke / Evoq — Secure and latest versions.
 

Have a shared hosting website with us? You’re covered

As soon as the details of the vulnerability were made available, our team immediately assembled to come up with a solution that would best protect our customers.
 
If you have a shared hosting website plan with us, you’re already protected. We have already begun to implement the hotfix patch at the server level on all of our shared hosting servers. By the time you read this, the process will likely already be complete, the hotfix will be applied across our shared server inventory, and your site will be safe from this vulnerability.
 
Our team felt the potential severity of the issue and the exploit warranted taking extra action to protect you, our customers.
 

Have a dedicated hosting or server plan with us? Contact our team

Due to the often complex and custom nature of our customers’ dedicated servers, we will not automatically apply this fix to your dedicated servers.
 
If you would like our team to do so, please contact our support team and we will be happy to work with you to schedule a time at which we can apply the hotfix to your dedicated server(s) as needed.
 

Any questions? We’re here for you

If you have any further questions about the DNN / DotNetNuke Evoq 9.0.2 security update, don’t hesitate to contact our team.
 
And if you would like to schedule a hotfix application on your dedicated server, feel free to open a ticket or contact us through the normal means.
 
We will work with you to help protect you, your server, and your customers.
 
 

Works Cited / For Further Reading:
DNN / DotNetNuke / Evoq — Secure and Latest Versions. (Managed.com)
9.0.2 release and security patch. (DNN Software)
DNN platform GitHub latest release: 9.0.2. (GitHub)
WordPress: Why we didn’t tell you about a big zero-day we fixed last week. (ZDNet)