Form Builder. A malicious user can send Mitigating factors It is recommended that ALL users validate their allowed file types setting to ensure dynamic file types are excluded. 9.1.1 at the time of writing. To fix this problem, you are recommended to update to the latest versions of the Products - DNN Platform 9.0.2 or EVOQ 9.0.2 at the time of writing. To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.8.3 at time of writing). Mitigating factors, If an incorrect username/password is used, then the page reloads and to help fix the incorrect detail renders the entered details. This could allow a malicious user to execute JavaScript or another client-side script on the impacted user's computer. When an unauthenticated user arrives at a site and attempts to access a protected resource they will be redirected to the correct login page. DNN Platform 9.6.0 was released with 3.5.0 included, and 9.6.1 was released with jQuery 3.5.1 after they released an urgent update. As new features are implemented, older providers may remain, even if not used. and not possible to accomplish without users clicking on the phishing link. Whilst installing DotNetNuke a number of files are used to coordinate the installation or upgrade of a portal. Antiforgery tokens feature to prevent tampering of web requests and preventing A malicious user must know which API to utilize and send a specially crafted request to the site. AmnPardaz Security Research & Penetration Testing Group. As this page can be cached in a browser's temporary internet files, and the rendered password may have been close to the actual password (e.g. Users can mitigate this vulnerability on all versions of DNN by reviewing and removing unused providers from the /Providers/ folder or via the Extensions section through the DNN UI. As always, do not trust updates. the Antiforgery checks may not be checked in Web API calls. 1. If your site contains a controlled set of users i.e. 
The user messaging module is only available to logged in users. To fix this problem, you are recommended to update to the latest version of DotNetNuke (3.3.4/4.3.4 at time of writing). security@dnnsoftware.com There are two very specific security settings that we set immediately. the log-in experience, where a user can be sent to a specific landing page There are a number of places where the ClientAPI did not encode the contents of data passed to it, and echoed it back to the client. • The original reporter does not wish to claim credit. DNN thanks the following for identifying this issue and/or The lists module does not correctly sanitize the name(s) of list/sublists - this can lead to a reflective cross-site scripting (XSS) issue. These include both encoding and encrypting data to ensure it isn't tampered with. If you have additional users the risk of user permission escalation or impersonation exists. This functionality was removed, but the code to support anonymous vendors was not removed. Go to User Mapping, and check the DNN database and the db_owner role. Mitigating factors Services Provided. Depending on the user configuration, mails may always go to the correct user. In addition this only affects installations which use "deny" permissions at the folder level. Therefore, for safety reasons you need to upgrade this assembly to Antiforgery tokens feature to prevent tampering of web requests and preventing Sites that have enabled private registration NOTE: An upgrade will NOT automatically resolve this issue. If you want you might change the Default Database to the DNN database in use (not necessary). This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. 
DotNetNuke user and profile properties fields support an extended visibility property to determine if fields are available to all, members, friends/followers or admin only. This issue is only apparent with specific configurations of DNN Installations and the information obtained would already be known by a malicious user as part of the act of discovery. This support comes through an assembly Alvaro Muñoz (@pwntester) and Oleksandr Mirosh from Hewlett-Packard Enterprise Security, To fix this problem, you can Users can share some content with other users in a DNN site and can include images in their posts. As such the greatest danger exists for sites that use sql server express user instances, as no user credentials are required, and the instance name is predictable. Mitigating factors. Then they must submit crafted requests to target this vulnerability. DotNetNuke supports using parameters to change the current skin, to allow users to preview skin files and also to dynamically load functions on request. The Web APIs can 2. distributions don't have any code utilizing the code that causes this To fix this problem, you are recommended to update to the latest versions of the DNN (9.2.0 at the time of writing). A malicious user must Newer installations are NOT vulnerable, however, an upgrade does NOT mitigate this risk. A cross-site scripting issue is an issue whereby a malicious user can execute client scripting on a remote server without having the proper access or permission to do so. MVC that comes in ASP.NET in 2016. During the process of rewriting the code to extend the Profile component, an authorization issue was introduced that could allow a user (including anonymous users) to access another user's profile. links. The application uses a provider model to allow this functionality to be easily replaced with controls of the user's choice, including default support for the popular FTB and FCK editor controls. 
Users would have to be fooled into clicking on a link that contained the invalid viewstate. Code has been added to close this authentication blindspot. It is not possible to do this with details from one instance (i.e. DNN sites allow users to upload images to the sites for various purposes. This support comes through an assembly In order At this point in time, there is no known patch for prior versions. DNN Platform Versions 6.0.0 through 9.3.2. To remediate this issue, an upgrade to DNN Platform Version (9.4.1 or later) is required. A malicious user must know which API to utilize and send a specially crafted request to the site. You can find those packages available here along with a read-me for more details. the permissions are based on the security role, so both roles must exist with the same details on both portals. The DNN Community would like to thank the following for their assistance with this issue. are the same as discussed in the above link. For further details, you can DotNetNuke (DNN) in the Enterprise in 2020. vulnerability. Alternative 1: To fix this problem, you are recommended to update to the latest version of DotNetNuke (3.3.7/4.3.7 at time of writing). The FileSystem API performs a verification check for "safe" file extensions. They must also induce a different user to click on a URL that contains both the location of a trusted site and the malicious content. An XML External Entity attack is a type of attack against an application that parses XML input. As this can be used to create an XSS, and this XSS is then persistent, this issue has been elevated to a "medium" issue. Whilst installing DotNetNuke if an error occurs, as the custom error handling system may not be in place a redirect is performed to an error handling page. Determines which site content or settings the user has access to. 
A malicious user can make use of this feature to initiate a DOS attack on such sites. Then they must submit crafted requests to target this vulnerability. This is the recommended fix. A number of these libraries have published their own security vulnerabilities such as XSS, DDoS and similar. This process could overwrite files that the user was not granted permissions to, and would be done without the notice of the administrator. DNN added support for This information could be useful to hackers attempting to profile an application. Analytics. The DNN Platform Upgrade Service provides three critical features to those that have opted in to the service. This exploit relies on SQL scripts being located in a specific default installation location for the DotNetNuke application. of the Products – DNN Platform Version 9.2.2 or EVOQ 9.2.2 at the time of To do this it uses a name/value pair as part of the request, which is echoed to the form action attribute to ensure that any actions post to the correct page. Only a few Web APIs were accessed anonymously as well. A bug was fixed in the existing Captcha control that allowed a single cracked captcha to be reused for multiple user registration. The DNN Framework contains code to sanitize user input where html/javascript is not intended. It is recommended to upgrade to the newest DNN Version to take advantage of these fixes. upgrade to the latest versions of the Products - DNN Platform 9.1.1 or EVOQ If you see suspected issues/security scan results please report them by sending an email to: The issues have been identified, however, there is no appearance of public exploitation. This vulnerability is available when running the web site under .NET Framework 4.5.1 and earlier. after login. Each bulletin includes details about the issue, the affected DNN versions, and suggested fixes or workarounds. Due to a weakness in validating the user identity it is possible for a potential hacker to access other user's account leading. 
To fix this problem, you are recommended to update to the latest versions of the Products release 9.2.0. DNN does Cons. However a weakness in the code means that a potential hacker can stop the redirect and gain access to the functions available to portal admins and host users. Using the DNN’s redirect Additionally, interactions are still bound by all other security rules, as if the module was placed on the page. To fix this problem, you can (It is believed this may affect 3.x and 4.x installations as well, but has not been verified). As DNN is using the MVC assembly upgrade to the latest versions of the Products - DNN Platform 9.1.1 or EVOQ Security DNN receives security updates on a regular schedule, and all information is stored on an encrypted database. However, at that point the user can tell by the error message if the user account they tried to access is a standard user or a superuser. to spoofing, data theft, relay and other attacks. This approach is seen throughout the DNN administrative interface, and is intended to be used similarly in custom module development. Mitigating factors DNN provides file-type restrictions which limit the ability for this vulnerability to allow file uploads. Background the malicious user must entice other non-suspecting users to click on such a During installation or upgrade DotNetNuke runs through database scripts in sequence to create the database schema and insert various pieces of data. Another solution will be to prevent such sharing by preventing all sharing activities in the site. There is a small possibility that information in these files could prove useful to a potential hacker. A failure to sanitize the “returnurl” query string parameter can mean an open-redirect or cross-site scripting (XSS) issue occurs. upgrade to the latest versions of the Products - DNN Platform 9.1.1 or EVOQ are the same as discussed in the above link. 
For further details, you can Only one specific cookie was found to be Whilst these files are necessary for installation/upgrade of DotNetNuke, they are left behind after the process finishes. The code has been refactored to filter the input to ensure that cross-site scripting attacks cannot occur. Newly These APIs have the abilities to make very minor system settings updates, This issue is only possible on portals within the same website instance i.e. DNN Platform & Security Notices. malicious user may be able to perform XSS attacks. The registration forms usually have only a handful of such properties defined. To fix this problem, you are recommended to update to the latest versions of the Products - DNN Platform 9.0.1 or EVOQ 9.0.1 at the time of writing. A potential hacker must have a valid, authorized user account on the DotNetNuke portal so that they can then attempt to access other users' functions. If you are able to, users are encouraged to update to version 8.0.3 or Evoq 8.4.2 to mitigate the potential for malicious attackers to use this vulnerability against your site. This issue only allows for the existence of a folder to be confirmed and does not allow the user to upload to that folder (a further check is made before allowing write to the folder). Upgrading to DNN Platform version 9.6.0 or later is required to mitigate this issue. In addition they support regular expressions to allow sites to configure the allowable characters. a "denial of service" attack. Check your web.config file. Site administrators/Host users would have to be induced to click on a link to their website that contained the XSS code. The member directory fails to apply these checks to a number of fields. Note: We recommend users install http://www.dnnsoftware.com/community-blog/cid/155214/dnn-security-analyzer as it will automate the deletion of these files, as well as provide additional security functionality. 
Fix(s) for issue features, a malicious link can send users to outside of the current site This vulnerability allowed for potential hackers to enable access to functionality intended only for administrators/superusers i.e. Microsoft released an Mitigating factors. A malicious user may use information provided by some installations to decipher or calculate certain key cryptographic information, this could allow further unintended access to be gained. If the site owner had intended to block access to that user permanently they should use the "hard-delete" function or use the unauthorized checkbox, but in some cases sites may not be aware of the "soft-delete" function and this would allow unwanted users to recreate their account. The new user accounts cannot be created via the UI - they require the spammers to capture the page and reuse asp.net's event validation to work around the failure to recheck the logic before creating the user. To remediate this issue, an upgrade to DNN Platform Version (9.4.1 or later) is required. To fix this problem, you are recommended to update to the latest version of DNN (7.4.1 at time of writing). A potential hacker could generate a custom URL which contained an invalid viewstate value, composed of an XSS attack. Note: Whilst not a mitigation, the identification of the operating system of a website is a trivial action with a number of websites/tools offering tools which probe and identify operating systems accurately. This is the recommended manner to guarantee file security for confidential documents as it is the only method that provides a secure file check at download. The update needs to be installed on all sites that use Action Grid and have a DnnSharp.Common.dll (in /bin) file version smaller than 5.0.220. An XML External Entity attack is a type of attack against an application that parses XML input. 
A malicious user must Due to the nature of the elements included, and their usage with DNN Platform an upgrade to DNN Platform 9.5.0 or later is the only resolution for this issue. For websites with user registration enabled, it is possible for a user to craft a registration that would inject malicious content to their profile that could expose information using an XSS style exploit. It is DotNetNuke has a custom errorpage for handling displaying information to users. To fix this problem, you are recommended to update to the latest version of DotNetNuke (4.8.3 at time of writing). Please note, you will also have to remove the existing FTB editor and associated dll's i.e. Code has been added to stop this happening. To fix this problem, you are recommended to update to the latest version of DotNetNuke (6.1.3 at time of writing), If demo portals are enabled, and an incorrect username/password is used, then the page reloads and to help fix the incorrect detail renders the entered details. A malicious user must know that a DNN site is hosted in an IIS server which is configured to direct all incoming traffic to this site, and must know what the exact URL to target this site is. Security Bulletins. special requests to utilize this vulnerability. DNN thanks the following for identifying this issue and/or working with There are a number of substantial mitigations for this issue: The install wizard has code which evaluates the database and assembly versions to determine if an upgrade is required. If using the CKEditor, no update necessary. DNN provides a user account mechanism that can be used to register users in the system. Two areas have been altered to fix issues where more information than was necessary was made available. Whilst installing DotNetNuke a number of files are used to coordinate the installation of DNN. 
All other checks such as extension checking occur as expected, sites must have more than 1 language enabled, sites must be using core language skin object. Sites that have the viewstate encrypted are protected against accessing failed user uploads. The users must be lured to click on such If your site has a dnnsharp.common.dll file version of 5.0.220 or bigger means the security issue is already fixed and no other action needs to … The upgrade process a page redirect to an IFRAME. By default only certain parts of the DNN's administrative interface are exposed, so typically the user must be an admin or host. All DNN sites running any version from 9.0.0 to 9.1.1. DNN site’s super user when merging XML documents can utilize XML entity attacks against the hosting server. displayed. For a CSRF to work against a different user it requires that the user is logged in - by default DotNetNuke does not use persistent cookies so this will not always be the case. Anonymous user can discover some or most of the profile properties from a DNN site due to a vulnerability present in DNN. As a temporary alternative, the following files under Website Folder\Install should be deleted: Per design DNN allows authorized users to upload certain file-types Multiple issues have been identified that could allow a user to remotely execute a Denial of Service attack, or to utilize cross-site-scripting techniques to modify data within the DNN Platform environment. In DNN when a user tries to access a restricted area, they are redirected to an “access denied” page with a message in the URL. A malicious user may utilize a process to include in a message a file that they might not have had the permission to view/upload, and with the methods that the DNN File system works they may be able to gain access to this file. 
a specific script to communicate with the victim window in a way that can lead Sites that do not grant these permissions to users, or do not use the freetexteditor implementation of the html editor provider are not vulnerable to this issue e.g. typically do not see this issue as the site administrator will not authorize the spam accounts. Also, you can limit the number of users who are allowed to upload files to your site. does not delete these files and they need to be deleted manually. The “Onclick” trigger and the “prompt” command are not filtered properly and JavaScript gets executed. Background bindings in the “web.config” file for this new assembly if you are not DNN products use role-based authorization to … Also, the user exploiting this should be logged in as a super user to be able to initiate the attack. To protect against attacks that attempt to use invalid URLs, users can install the free Microsoft URLScan utility (http://www.microsoft.com/technet/security/tools/urlscan.mspx). DNN added support for DNN has identified a security vulnerability in a third-party component suite in use in all DNN products which they announced today, June 21, 2017. 1. MVC that comes in ASP.NET in 2016. This does not affect sites that have disabled registration. If you see suspected issues/security scan results please report them by sending an email to: sites where a user is both admin and host user and no other users exist), then this is not an issue. A malicious user must know that a DNN site is hosted in an IIS server which is configured to direct all incoming traffic to this site, and must know what the exact URL to target this site is. DNN contains a tabs control that allows for content to be organised under clickable tabs. DNN sites allow users to upload images to the sites for various purposes. Some .aspx files might be required for your site. Whilst installing DNN a number of files are used to coordinate the installation of DNN. 
To fix this problem, you are recommended to update to the latest versions of the DNN (9.2.0 at the time of writing). No usage of this was found in platform, or any of the modules shipped with it. Full details for the 7.2.1 update can be found in the release notes here. The function fails to validate for illegal values and can be abused to load invalid files. 9.1.1 at the time of writing. allow security feature bypass if an attacker convinces a user to click a A malicious user may use information provided by some installations to decipher or calculate certain key cryptographic information, this could allow further unintended access to be gained to the application. DNN provides a number of methods that allow users to manipulate the file system as part of the content management system functionality that is provided. end points. Whilst this password is not visible, it can allow a potential hacker to access the password so the field has been marked to ensure that it will not be automatically filled. A malicious user must To fix this problem, you can The malicious user must know the specifics of the SVG to initiate such attacks and must lure registered site users to visit the page displaying the uploaded SVG file. For the 3.3/4.3 releases of DotNetNuke, the membership/roles/provider components were significantly overhauled to allow better granularity of control, and to allow us to make a number of enhancements.