You only real option is to upgrade to the latest DNN 9 version.
DNN 6.2 is really old and has some known and exploited securIty issues, this is one of them.
You could fix this one issue by uninstalling the RAD editor and installing CKEditor, but this is not the only exploitable issue in DNN 6.

I have found a simple and useful solution to fix the problem. In web.config file add these lines of code:

 location path="DesktopModules"

    system.web

      authorization

        deny users="?" /

      /authorization

    /system.web

  /location

/configuration

These line simply redirect to DNN login form any user which try to access: http://domain.com/Desktop...r/DialogHandler.aspx
or any other DNN module within DesktopModules fodler.

My questions are:
1. Are there any negatives / issues / downsides to this fix?
2. If not downsides - why this simple and effective solution wasn't added in DNN web.config as a rule? I'm far from the idea that nobody in the DNN team didn't know or didn't think about that code.

Thanks, DMitar

An aspx is a file that is intentionally accesible, but in this case there was a security issue in the underlying code.
That would have been fixed if the site was upgraded, in Windows terms, you are using windows 98 right now.
Blocking this folder will make a part of the modules unusable/editable for administrators.
It's like barricading your door with concrete to stop people from entering. It might work, but then you can't use the door yourself either any more. That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).

Timo, thanks for your quick answer!

I tested HTML, Forum and Feedback DNN modules + some custom DNN modules. They're working fine for not logged in users. Also, i tested with DNN host account to change contents of HTML module, to add/edit/delete contents and move around that new HTML module. Everything is working as expected.

--
Blocking this folder will make a part of the modules unusable/editable for administrators.
--
Please, let me know where i can expect problems, so i can test it and try to find a solution. That will be very helpful. If you're not a sure for some modules or functions - just a guess could be valuable!

--
That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).
--
I already have DNN 9.2 version installed but these web projects are already developed and integrated in DNN 6. So, it's not a good option for me to try to upgrade DNN 6 to DNN 9.2 or to migrate the projects from DNN 6 to the DNN 9.2. It's too much work, too much unexpected errors etc. The new projects i do in DNN 9.2.

I don't know what modules could have issues, I don't know what modules you are using and I never tested DNN with the change you made to web.config. Upgrading can be difficult sometimes, but it's the only solution for real safety.

OK, if you have something in mind within DNN, DNN controls or its core modules / official modules concerning this code change in web.config, please let me know! I'll be very thankful :)

 

p.s. I would also recommend to anybody - to upgrade DNN and its modules. 

Posted By Timo Breumelhof on 18 Dec 2019 07:40 AM

Blocking this folder will make a part of the modules unusable/editable for administrators.
It's like barricading your door with concrete to stop people from entering. It might work, but then you can't use the door yourself either any more. That's not a solution on the long term, you need to replace the lock (e.g. upgrade DNN).

Great analogy Timo.  Love your work.

 

 

There's a posting on how to exploit DNN that targeting DialogHandler.aspx
http://www.explosionsquad...-exploit-priv-8.html

Dimitar method seem reasonable for quick fix before upgrading to DNN 9.4

Another exploit that I found is through Telerik.Web.UI.WebResource.axd
Have test it and I'm able to exploit DNN 7 & 8

My quick fix is to replace Telerik.Web.UI.dll with latest one from DNN 9.4