What DNN version? Did you upgrade DNN to the latest version too (you should)?
One of the fixed issues is in the RAD editor (DNN uses CKEditor now)
You should also check all ascx files as they can be compromised too.
I don't think blocking uploads will help you if they are using a vulnerability in an old version of DNN.

 

Hi,

My website is suffering from these same issues.  Did the update resolve it?  I'm upgrading to DNN version 9.6.7.

Thanks,
Kiet

Hi Kiet,

9.6.7 is not enough. Ideally you move towards 9.10.2.
That should not be hard btw as there are not many crucial differences between those versions.
After upgrading, you should remove Telerik components.
https://docs.dnncommunity...k-removal/index.html

Thanks for the quick reply and recommendation!  Is the upgrade path 9.6.7 -> 9.10.2?  My current upgrade path is 

9.1.1 -> 9.3.0 -> 9.6.4 -> 9.6.7 -> ???

 

 

https://docs.dnncommunity...rade-path/index.html

9.3.2 -> most recent

The 9.3.2 is the one where you might encounter impact. Depending on the (amount of) third party extensions. For instance, there was an Newtonsoft issue with DNN Sharp extensions. Speaking of DNN Sharp: they moved as Plant an app towards the concept of Low code. Meaning that s few of their modules is available as stand alone but the majority is part of their low code appbuilder. 
 

Another follow up.  Can I upgrade to 9.10.2 and not remove Telerik?  Looks like I have alot of dependencies identified by the Telerik Dependency Report.  
>>>
 

Telerik Dependency Report

WARNING! Dependencies on Telerik were discovered in assemblies that will NOT be addressed by un-installing per the instructions with 9.8.0. The list below includes all.

• Bring2mind.DNN.Modules.DMX.Core.dll
• Bring2mind.DNN.Modules.DMX.dll
• BusinessNetwork.dll
• Contractors.dll
• DataSprings.Modules.DynamicForms.dll
• DDT_Org_Chart.dll
• DotNetNuke.Modules.FAQs.dll
• dotnetnuke.modules.userdefinedtable.dll
• DotNetNuke.Professional.DigitalAssets.dll
• DotNetNuke.Professional.DocumentLibrary.dll
• DotNetNuke.Professional.DocumentViewer.dll
• DotNetNuke.RadEditorProvider.dll
• EventsCalendar.Components.dll
• EventsCalendar.ControlBase.dll
• EventsCalendar.dll
• EventsCalendar.PromoCodes.dll
• PackFlash.DNN.Modules.MegaDropDown.Admin.dll
• QuickApps.Modules.QuickDocs.dll
• Revindex.Business.Revindex.Revindex.Storefront.dll
• Revindex.Dnn.RevindexStorefront.dll
• Revindex.Web.UI.DynamicControls.dll
• Telerik.Web.Design.dll
• WillStrohl.Modules.ContentSlider.dll

<<<

 

You can upgrade but important issues would remain. My advice would be to do some cleaning.

1. Replace the RadEditor with the CKeditor that is shipped by default with 9.10
2. Remove extensions that are not used.
3. Upgrade extensions to the latest: I can imagine that Revindex for instance has an updated version, independent from Telerik
4. Reach out to Peter Donker (Bring2Mind) and Will Strohl (Upendo) to check what they can do. 
5. For Events, maybe discuss things at https://github.com/DNNCom...DNN.Events/issues/85 
   You might want to consider sponsoring the efforts to get things higher on the priority list. If you look at the discussions, everyone recognizes the need but time is lacking.
6. For extensions that are not maintained anymore, consider alternatives. 

And after all this: get rid of Telerik :-) 

Oy!  Not the answer I wanted to hear but what I was expecting.  Thanks Tycho!  Going from DNN 6.0.2 -> 9.1.1 was brutal so hopefully this won't be as bad.  

Going from DNN 6 to 9.1.1 is like crossing much of the known universe. I hope you are doing a better job keeping up to date!

If you are at 9.1.1, you will likely have some hurdles getting to 9.3.2. From there, though, life should be better. And, really, you should be trying to keep up to date. Except for major security issues (and if you haven't upgraded to 9.10.1 you have security issues) upgrading once a year should be the minimum.

So, follow Tycho's advice. You can't do better than that.