DNN Forums


DNN Security issues

New Around Here
Posts: 2

Hi everyone, first post.

In the past few months we had some security troubles with our DNN installation, versions 09.04.00 and the current 09.05.00.

Hackers managed to write some HTML code (hidden links to xxx sites, for SEO purposes, I think) in some of the files.
One time in the skin .ascx, then in a script in the header, and so on.
They seem to be very expert in the DNN CMS, as they target very specific files that are not easy to find.

Is anyone else experiencing the same?
Any good advice?

We are updating to the latest version, we hope that will resolve the issue.

Veteran Member
Posts: 1182
There are different scenarios for hacks; one of them is vulnerabilities in Telerik components (that are still there but everyone in the team is trying to get rid of them - which is a lot of work, but it's getting better with every version). For that case I would strongly recommend upgrading to the latest version.

Another source could be unsecured FTP access to the server, incl. weak passwords for that. In this case you should consider turning the FTP service off, or using SFTP with a client certificate. This is still not supported in IIS afaik...

But what if the hacker(s) have an administrative account for DNN? I would change the usernames and passwords of all members of the Administrators role, and superusers (hosts), if possible.

Finally (to have it said): If you find a security issue in a current DNN version, please do not post it here in the forums, but send an email to [email protected] or [email protected].

See also: https://dnncommunity.org/...l-known/security.txt

Happy DNNing!
Michael

Michael Tobisch
DNN★MVP

DNN Connect
New Around Here
Posts: 2

Thank you for your answer.

We have already done most of the things that you listed
(password changes, Telerik removal, check for insecure FTP connections).

We'll see how it goes with the new version.
I'll report to [email protected] if we find any specific security issue.

 

Senior Member
Posts: 1322

Did you also check the editor providers?
You should remove all but the DNN Connect CK Editor IMO.

And you could also have a skin or module with a security issue. (older version of DNN Go skins for instance)

It might also be that they hacked your site in a previous version and installed some backdoors.
You could "hide" this in any aspx / ascx file in principle.
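
The tampering described in this thread (hidden links written into skin .ascx files, possible backdoors left in .aspx / .ascx files) can be checked for by comparing the web root against a known-good manifest and scanning for links inside hidden elements. The following Python sketch is an added example, not code from any poster or from the DNN project; the function names, the watched extensions and the hidden-link heuristic are assumptions, and the baseline is assumed to come from a clean copy of the same DNN version or a trusted backup.

```python
import hashlib
import re
from pathlib import Path

# File types named in the thread (skins, pages) plus common markup/script files.
WATCHED = {".ascx", ".aspx", ".js", ".html", ".htm", ".cshtml"}

# Heuristic (assumption): an element hidden through inline CSS that is
# followed closely by an absolute external link, as in SEO link injection.
HIDDEN_LINK = re.compile(
    r"<\w+[^>]*style\s*=\s*[\"'][^\"']*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,})"
    r"[^\"']*[\"'][^>]*>.{0,2000}?<a\s[^>]*href\s*=\s*[\"']https?://",
    re.IGNORECASE | re.DOTALL,
)

def build_manifest(root):
    """Map relative path -> SHA-256 for every watched file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED
    }

def audit(root, baseline):
    """Diff the live tree against a known-good manifest and flag hidden links."""
    root = Path(root)
    current = build_manifest(root)
    report = {
        # Files that exist now but not in the clean copy: candidate backdoors.
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        # Files whose content changed: candidate injected markup or script.
        "modified": sorted(
            k for k in current if k in baseline and current[k] != baseline[k]
        ),
        "hidden_links": [],
    }
    for rel in current:
        text = (root / rel).read_text(encoding="utf-8", errors="replace")
        if HIDDEN_LINK.search(text):
            report["hidden_links"].append(rel)
    return report
```

Every entry under `added` or `modified` needs manual review, since legitimate skin edits and module installs also change files; the hidden-link pattern is a heuristic and will miss links injected through script.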
