Hello,
There was a successful hacker attack on our system through a DNN module. I'm using Dotnetnuke 6.02. The logs show that the hackers are accessing "GET /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx ....." Through these forms they're uploading aspx files and other files within the DNN folder structure. I think it's not a good idea to post any other details from the logs here, maybe by Personal Message.
Please advise about:
1. Can I do something within the DNN configuration to stop this?
2. Does this security issue possibly apply to other DNN versions?
3. Can I do some web.config or IIS configuration to stop (restrict) this file / folder, so my DNN instance works fine, but hackers cannot use this security issue?
Thanks, DMitar
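For anyone triaging a similar incident, here is an added example (not from the original post, and not DNN's own tooling) that scans IIS W3C logs for requests to the RadEditorProvider DialogHandler and for execution of server pages under the DesktopModules and Portals folders, which is where an uploaded web shell would land. The log lines are constructed; the field layout is the default IIS W3C set, and the suspicious-folder heuristic takes an allow-list of the .aspx pages your modules legitimately ship, since DNN modules do contain a few legitimate .aspx handlers.

```python
"""Triage IIS W3C logs for abuse of the RadEditorProvider dialog handler
and for execution of unexpected server pages under DNN folders.

Added example, not code from the forum thread or from DNN. The log below
is constructed; the column layout is the default IIS W3C field set.
"""
import re
from collections import Counter

# Constructed sample log (W3C extended format). Not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-12-17 03:12:01 10.0.0.5 GET /Default.aspx - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 31
2019-12-17 03:12:09 10.0.0.5 GET /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx DialogName=FileBrowser 80 - 203.0.113.7 Mozilla/5.0 200 0 0 47
2019-12-17 03:12:15 10.0.0.5 POST /DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx DialogName=FileBrowser 80 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2019-12-17 03:12:40 10.0.0.5 GET /DesktopModules/HTML/cmd.aspx c=whoami 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2019-12-17 03:13:02 10.0.0.5 GET /DesktopModules/HTML/HtmlModule.ascx - 80 admin 192.0.2.10 Mozilla/5.0 200 0 0 12
2019-12-17 03:14:00 10.0.0.5 POST /Portals/0/upload.aspx - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 22
"""

DIALOG_HANDLER = re.compile(r"/RadEditorProvider/DialogHandler\.aspx$", re.IGNORECASE)
# Folders where a server page that is not part of a known module is suspicious:
# modules mostly ship .ascx controls, and Portals/ holds uploaded content.
WATCHED_DIRS = ("/desktopmodules/", "/portals/")
SERVER_PAGE_EXTS = (".aspx", ".ashx", ".asmx", ".asp")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip truncated lines rather than misalign columns
        yield dict(zip(fields, parts))


def triage(text, known_pages=frozenset()):
    """Return (findings, requests-per-client) for suspicious requests.

    known_pages: lower-cased URL paths of server pages your modules legitimately
    ship (hypothetical allow-list, empty here), excluded from the folder heuristic.
    """
    findings = []
    by_client = Counter()
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"]
        low = path.lower()
        reason = None
        if DIALOG_HANDLER.search(path):
            reason = "RadEditor DialogHandler access (%s)" % rec["cs-method"]
        elif (low.startswith(WATCHED_DIRS) and low.endswith(SERVER_PAGE_EXTS)
              and low not in known_pages):
            reason = "server page under module/upload folder not in allow-list"
        if reason:
            findings.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "path": path,
                "status": rec["sc-status"],
                "reason": reason,
            })
            by_client[rec["c-ip"]] += 1
    return findings, by_client


if __name__ == "__main__":
    hits, clients = triage(SAMPLE_LOG)
    for h in hits:
        print("%(time)s %(client)s %(method)s %(path)s [%(status)s] %(reason)s" % h)
    print("requests per client:", dict(clients))
```

Run it against the real log directory by reading each u_ex*.log file and concatenating the text; the #Fields header is re-read per file, so mixed field layouts across log rotations are handled.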
Your only real option is to upgrade to the latest DNN 9 version. DNN 6.2 is really old and has some known and exploited security issues; this is one of them. You could fix this one issue by uninstalling the RAD editor and installing CKEditor, but this is not the only exploitable issue in DNN 6.
I have found a simple and useful solution to fix the problem. In the web.config file add these lines of code:

```xml
<!-- Deny anonymous users ("?") access to everything under /DesktopModules -->
<location path="DesktopModules">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
</configuration> <!-- existing closing tag of web.config; the location element goes just before it -->
```
These lines simply redirect to the DNN login form any user who tries to access http://domain.com/Desktop...r/DialogHandler.aspx or any other DNN module within the DesktopModules folder. My questions are:
1. Are there any negatives / issues / downsides to this fix?
2. If there are no downsides, why wasn't this simple and effective solution added to the DNN web.config as a rule? I'm far from thinking that nobody in the DNN team knew or thought about that code.
Thanks, DMitar
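One caveat a practitioner would want here, as an added note rather than part of the post: the `<location>` rule only stops anonymous requests to paths under DesktopModules from now on. It does nothing about the .aspx files the attackers already uploaded, and a web shell dropped outside DesktopModules (for example under Portals, where DNN stores uploaded files) is not covered by the rule at all. The following added example (not code from the thread or from DNN) hunts for such files: it treats any server page in Portals as suspicious, and compares server pages in DesktopModules against a baseline taken from a clean copy of the same DNN and module versions. The directory tree, the baseline and the file names are constructed so the script runs offline.

```python
"""Hunt for attacker-dropped server pages in a DNN site root.

Added example, not code from the forum thread or from DNN. build_demo_tree()
creates a throwaway tree standing in for a site root so the script runs
offline; for real use, point find_unexpected_pages() at the site root and
build the baseline from a clean install of the same DNN/module versions.
"""
import os
import tempfile

SERVER_PAGE_EXTS = (".aspx", ".ashx", ".asmx", ".asp")
UPLOAD_ROOT = "portals"          # uploaded content; should never contain server pages
MODULE_ROOT = "desktopmodules"   # module code; server pages here must match the baseline


def find_unexpected_pages(site_root, baseline):
    """Return sorted (relative_path, reason) tuples for suspicious files.

    baseline: set of lower-cased, forward-slash relative paths of the server
    pages a clean install is known to contain.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            top = rel.split("/", 1)[0].lower()
            ext = os.path.splitext(name)[1].lower()
            if top == UPLOAD_ROOT:
                # A web.config dropped into an upload folder can re-enable
                # script execution there, so it is flagged alongside pages.
                if ext in SERVER_PAGE_EXTS or name.lower() == "web.config":
                    findings.append((rel, "server page or web.config in upload folder"))
            elif top == MODULE_ROOT and ext in SERVER_PAGE_EXTS:
                if rel.lower() not in baseline:
                    findings.append((rel, "server page not in clean-install baseline"))
    return sorted(findings)


def build_demo_tree(root):
    """Create a constructed DNN-like tree; return the baseline for its clean part."""
    legit = [
        "DesktopModules/Admin/RadEditorProvider/DialogHandler.aspx",
        "DesktopModules/HTML/HtmlModule.ascx",
        "Portals/0/Images/logo.png",
    ]
    dropped = [  # constructed attacker artifacts, hypothetical names
        "DesktopModules/HTML/cmd.aspx",     # web shell hidden among module files
        "Portals/0/upload.aspx",            # page uploaded through the file browser
        "Portals/0/Images/web.config",      # would re-enable script execution
    ]
    for rel in legit + dropped:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return {p.lower() for p in legit if p.lower().endswith(SERVER_PAGE_EXTS)}


def demo():
    """Build the constructed tree in a temp dir and return what the hunt finds."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_demo_tree(root)
        return find_unexpected_pages(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%-45s %s" % (rel, reason))
```

The baseline comparison is what keeps the legitimate DialogHandler.aspx out of the results; a file that matches a baseline path but has been modified in place will not be caught by this script, so pair it with a hash comparison against the clean copy when you have one.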
An aspx is a file that is intentionally accessible, but in this case there was a security issue in the underlying code. That would have been fixed if the site was upgraded; in Windows terms, you are using Windows 98 right now. Blocking this folder will make a part of the modules unusable/editable for administrators. It's like barricading your door with concrete to stop people from entering. It might work, but then you can't use the door yourself any more either. That's not a solution in the long term; you need to replace the lock (e.g. upgrade DNN).
Timo, thanks for your quick answer!
I tested the HTML, Forum and Feedback DNN modules + some custom DNN modules. They're working fine for not-logged-in users. Also, I tested with the DNN host account changing the contents of an HTML module, adding/editing/deleting contents and moving that new HTML module around. Everything is working as expected.
-- Blocking this folder will make a part of the modules unusable/editable for administrators. --
Please let me know where I can expect problems, so I can test it and try to find a solution. That will be very helpful. If you're not sure for some modules or functions, just a guess could be valuable!
-- That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN). --
I already have DNN 9.2 installed, but these web projects are already developed and integrated in DNN 6. So it's not a good option for me to try to upgrade DNN 6 to DNN 9.2 or to migrate the projects from DNN 6 to DNN 9.2. It's too much work, too many unexpected errors etc. The new projects I do in DNN 9.2.
I don't know which modules could have issues; I don't know what modules you are using, and I never tested DNN with the change you made to web.config. Upgrading can be difficult sometimes, but it's the only solution for real safety.
OK, if you have something in mind within DNN, DNN controls or its core modules / official modules concerning this code change in web.config, please let me know! I'll be very thankful :)
p.s. I would also recommend to anybody to upgrade DNN and its modules.
Posted By Timo Breumelhof on 18 Dec 2019 07:40 AM:
Blocking this folder will make a part of the modules unusable/editable for administrators. It's like barricading your door with concrete to stop people from entering. It might work, but then you can't use the door yourself either any more. That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).
Great analogy Timo. Love your work.