DNN Forums

Security Issue: Hacked by accessing module: DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx

New Around Here
Posts: 4
New Around Here

    Hello,

    There was a successful hacker attack on our system through a DNN module. I'm using Dotnetnuke 6.02. The logs are showing that the hackers are accessing "GET /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx ....." Through this form they're uploading aspx files and other files within the DNN folder structure. I think it's not a good idea to post any other details from the logs here, maybe in a Personal Message.

    Please advise about:

    1. Can I do something within the DNN configuration to stop this?
    2. Does the security issue possibly apply to other DNN versions?
    3. Can I do some web.config or IIS configuration to stop (restrict) this file / folder, so my DNN instance works fine, but hackers cannot use this security issue?

    Thanks, DMitar

    Veteran Member
    Posts: 1162
    Veteran Member

      Your only real option is to upgrade to the latest DNN 9 version.
      DNN 6.2 is really old and has some known and exploited security issues, this is one of them.
      You could fix this one issue by uninstalling the RAD editor and installing CKEditor, but this is not the only exploitable issue in DNN 6.

      New Around Here
      Posts: 4
      New Around Here

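        I have found a simple and useful solution to fix the problem. In the web.config file, add these lines of code:

         <configuration>
           <!-- existing web.config sections stay above this block -->
           <location path="DesktopModules">
             <system.web>
               <authorization>
                 <!-- "?" matches anonymous (not logged in) users -->
                 <deny users="?" />
               </authorization>
             </system.web>
           </location>
         </configuration>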

        These lines simply redirect to the DNN login form any user who tries to access: http://domain.com/Desktop...r/DialogHandler.aspx
        or any other DNN module within the DesktopModules folder.

        My questions are:
        1. Are there any negatives / issues / downsides to this fix?
        2. If no downsides - why wasn't this simple and effective solution added to the DNN web.config as a rule? I'm far from the idea that nobody in the DNN team didn't know or didn't think about that code.

        Thanks, DMitar

        Veteran Member
        Posts: 1162
        Veteran Member

          An aspx is a file that is intentionally accessible, but in this case there was a security issue in the underlying code.
          That would have been fixed if the site was upgraded, in Windows terms, you are using Windows 98 right now.
          Blocking this folder will make a part of the modules unusable/editable for administrators.
          It's like barricading your door with concrete to stop people from entering. It might work, but then you can't use the door yourself either any more. That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).

          New Around Here
          Posts: 4
          New Around Here

            Timo, thanks for your quick answer!

            I tested HTML, Forum and Feedback DNN modules + some custom DNN modules. They're working fine for not logged in users. Also, I tested with the DNN host account to change contents of the HTML module, to add/edit/delete contents and move around that new HTML module. Everything is working as expected.

            --
            Blocking this folder will make a part of the modules unusable/editable for administrators.
            --
            Please let me know where I can expect problems, so I can test it and try to find a solution. That will be very helpful. If you're not sure about some modules or functions - just a guess could be valuable!

            --
            That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).
            --
            I already have DNN 9.2 version installed but these web projects are already developed and integrated in DNN 6. So, it's not a good option for me to try to upgrade DNN 6 to DNN 9.2 or to migrate the projects from DNN 6 to DNN 9.2. It's too much work, too many unexpected errors etc. The new projects I do in DNN 9.2.

            Veteran Member
            Posts: 1162
            Veteran Member

              I don't know what modules could have issues, I don't know what modules you are using and I never tested DNN with the change you made to web.config. Upgrading can be difficult sometimes, but it's the only solution for real safety.

              New Around Here
              Posts: 4
              New Around Here

                OK, if you have something in mind within DNN, DNN controls or its core modules / official modules concerning this code change in web.config, please let me know! I'll be very thankful :)

                 

                p.s. I would also recommend to anybody - to upgrade DNN and its modules. 

                Growing Member
                Posts: 47
                Growing Member
                  Posted By Timo Breumelhof on 18 Dec 2019 07:40 AM

                  Blocking this folder will make a part of the modules unusable/editable for administrators.
                  It's like barricading your door with concrete to stop people from entering. It might work, but then you can't use the door yourself either any more. That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).

                  Great analogy Timo.  Love your work.

                   

                   

                  New Around Here
                  Posts: 19
                  New Around Here
                    There's a posting on how to exploit DNN that targets DialogHandler.aspx
                    http://www.explosionsquad...-exploit-priv-8.html

                    Dimitar's method seems reasonable as a quick fix before upgrading to DNN 9.4
                    New Around Here
                    Posts: 19
                    New Around Here
                      Another exploit that I found is through Telerik.Web.UI.WebResource.axd
                      I have tested it and I'm able to exploit DNN 7 & 8

                      My quick fix is to replace Telerik.Web.UI.dll with the latest one from DNN 9.4
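
A log check for the two handlers named in this thread, added here as an example and not part of any post: it reads IIS W3C log lines and counts, per client IP, anonymous requests that were served versus blocked, so the effect of the web.config rule can be verified. The log lines are constructed, `scan` is a hypothetical helper name, and it is an assumption that the forms-login redirect is logged as status 302.

```python
from collections import defaultdict

# Handler paths named in this thread, lower-cased (IIS paths are case-insensitive).
WATCHED = (
    "/desktopmodules/admin/radeditorprovider/dialoghandler.aspx",
    "/telerik.web.ui.webresource.axd",
)

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2019-12-17 03:12:01 GET /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx - - 203.0.113.7 200
2019-12-17 03:12:09 POST /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx - - 203.0.113.7 200
2019-12-17 08:30:44 GET /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx - host 198.51.100.20 200
2019-12-18 10:02:13 GET /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx - - 203.0.113.7 302
2019-12-18 10:05:40 GET /Telerik.Web.UI.WebResource.axd - - 203.0.113.9 200
2019-12-18 10:06:00 GET /Default.aspx - - 192.0.2.55 200
"""


def scan(log_text):
    """Return {client_ip: {"served": n, "blocked": n}} for anonymous hits on WATCHED."""
    fields, hits = [], defaultdict(lambda: {"served": 0, "blocked": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # truncated or malformed row
        row = dict(zip(fields, parts))
        # endswith() also matches installs that live in a virtual directory
        if not row.get("cs-uri-stem", "").lower().endswith(WATCHED):
            continue
        if row.get("cs-username", "-") != "-":
            continue                       # logged-in user, e.g. an admin editing
        # Assumption: the redirect to the login form is logged as 302;
        # 401 and 403 are counted as blocked as well.
        key = "blocked" if row.get("sc-status") in ("302", "401", "403") else "served"
        hits[row.get("c-ip", "?")][key] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

Telerik.Web.UI.WebResource.axd is requested at the site root, so a `location path="DesktopModules"` rule does not cover it and "served" counts for that handler are expected until the Telerik assembly itself is dealt with.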