May 25, 2016

Updated: DNN Security Alert: Rogue Host Users

It is not often that I will post a security-related post here; however, due to recent activity that I have witnessed, I need to make an exception to the normal policy here. In early 2015 DNN Software published a blog article regarding a security exploit that was part of the core DNN code. The full article can be found on the DNN Software Blog. Many users have gone through and completed the workaround outlined in the DNN Software posting. It has now been discovered that many have not completed this step and, in addition, that the actual risk is larger than initially expected and requires action by other DNN users for mitigation.

Potentially Impacted Users

Since initially posting this information, it appears that the number of potentially impacted sites is far greater than initially expected. It appears that if you are running DNN/Evoq version 7.0.0 or later and do not have a host user named "host", your site could be impacted by the listed vulnerability. I have confirmed this with DNN Software as well as from assisting customers with issues that have arisen in the past 24 hours. The listed steps from the above posting are also no longer good enough to resolve the issues, so I've added additional information below on how to resolve them.

Mitigation Steps

Regardless of whether your site has been impacted, it is recommended that you perform the following actions to ensure that your site remains secure.

  • Delete /Install/InstallWizard.aspx
  • Delete /Install/InstallWizard.aspx.cs
  • Delete /Install/UpgradeWizard.aspx
  • Delete /Install/UpgradeWizard.aspx.cs

This will ensure that the initial vector used to gain access is closed.  This applies to ALL DNN 7.0.0 and later users.  
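The deletion steps above can be scripted when several sites need checking. This is an added example, not code from DNN Software or the original post: the function name and the sample site path are hypothetical, and it treats the second file as InstallWizard.aspx.cs, the code-behind of the install wizard.

```powershell
# Added example: audit DNN site roots for the install/upgrade wizard files
# listed above, and delete them on request. Names and paths are hypothetical.
function Remove-DnnWizardFiles {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # One or more DNN site root folders (the folder that holds web.config)
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$SiteRoot
    )
    begin {
        # The four files named in the mitigation steps, relative to the site root
        $targets = @(
            'Install\InstallWizard.aspx',
            'Install\InstallWizard.aspx.cs',
            'Install\UpgradeWizard.aspx',
            'Install\UpgradeWizard.aspx.cs'
        )
    }
    process {
        foreach ($root in $SiteRoot) {
            if (-not (Test-Path -LiteralPath $root -PathType Container)) {
                Write-Warning "Site root not found: $root"
                continue
            }
            foreach ($relative in $targets) {
                $path    = Join-Path -Path $root -ChildPath $relative
                $present = Test-Path -LiteralPath $path -PathType Leaf
                $removed = $false
                # ShouldProcess honours -WhatIf and -Confirm, so a dry run deletes nothing
                if ($present -and $PSCmdlet.ShouldProcess($path, 'Delete')) {
                    Remove-Item -LiteralPath $path -Force
                    $removed = -not (Test-Path -LiteralPath $path)
                }
                # One result row per file, so the output can be exported or filtered
                [pscustomobject]@{
                    SiteRoot = $root
                    File     = $relative
                    Present  = $present
                    Removed  = $removed
                }
            }
        }
    }
}

# Dry run against a constructed sample path: reports which files exist, deletes nothing
# Remove-DnnWizardFiles -SiteRoot 'C:\inetpub\wwwroot\dnn-site' -WhatIf
```

Run it with `-WhatIf` first to see which files are still present, then rerun without it to delete them; any row with `Present` true and `Removed` false needs manual attention.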

What to Do If You Were Exploited

If you are on a vulnerable version, the first step is to review your SuperUser account list. This can be found under "Host" -> "SuperUser Accounts." If you have an account that you do not recognize and that was recently created, you will want to review your site more deeply for potential content issues. If you do not find any new accounts that you cannot identify, you should be ok.

Conclusion

I hate addressing these issues here, but I hope that you ALL will take this information seriously and check your sites.  

tags: DNN, DNN Administration, DNN Install/Upgrade

Content provided in this blog is provided "AS-IS" and the information should be used at your own discretion.  The thoughts and opinions expressed are the personal thoughts of Mitchel Sellers and do not reflect the opinions of his employer.

Content Copyright

Content in this blog is copyright protected.  Re-publishing on other websites is allowed as long as proper credit and backlink to the article is provided.  Any other re-publishing or distribution of this content is prohibited without written permission from Mitchel Sellers.