Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

About

News Press Releases News Coverage Press KitCareersContact DNN

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

The Community Blog is a personal opinion of community members and by no means the official standpoint of DNN Corp or DNN Platform. This is a place to express personal thoughts about DNNPlatform, the community and its ecosystem. Do you have useful information that you would like to share with the DNN Community in a featured article or blog? If so, please contact .

The use of the Community Blog is covered by our Community Blog Guidelines - please read before commenting or posting.


New Release of DNN Security Analyzer

Jul 25

We are delighted to have another release of Security Analyzer module - version 8.1. The main purpose of this release is to protect websites from the recently published security vulnerability "2017-08 (Critical) Possible remote code execution on DNN sites". More details about the vulnerability can be found at our Security Center https://www.dnnsoftware.com/community/security/security-center.

2017-08 (Critical) Possible remote code execution on DNN sites

We applied the first fix to this issue in DNN and Evoq versions 9.1.1, however, upon further investigation, we discovered the need for additional tightening, which is why we are releasing an updated version of this tool with a complete fix for the problem. This issue is a critical one, and goes back to several versions of DNN including version 5.0 and above. You are strongly advised to apply this immediately.

Supported Versions

The tool supports DNN and Evoq versions 5.6.2 and above, including .Net Framework 3.5. Sites running DNN or Evoq versions 5.6.2 up until DNN or Evoq 9.1.1 must apply this tool immediately. As always, it's best to install in a test environment prior to doing so in production.

Other Changes

We have made a few more updates to the tool also.

Telerik Security Detection


We are able to warn if Telerik security fix (also known as critical security fix June-2017) was not applied. If you see the red X like the screenshot above, you must install the appropriate security patch along. If your site is running version 7.1.2 to 9.1.0, you need to visit the Critical Security Update page and install the Security Analyzer. If your site is running version 5.2 to 7.1.1, you need to visit the Critical Security Update for Older Versions page and install the Security Analyzer.
There are three checks done here:
  • The Bin folder has the right version of Telerik.Web.UI.dll file in the Bin folder
  • The web.config has an entry for Telerik.AsyncUpload.ConfigurationEncryptionKey
  • The web.config has an entry for Telerik.Web.UI.DialogParametersEncryptionKey


The above two entries can be ANY value. Make sure it's longer than 64 characters. More details about the two keys can be found here: http://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview

UPDATE (7/27/2017) - We have made a new release 8.1.1 of this tool. It now auto adds Telerik.Web.UI.DialogParametersEncryptionKey. The tool can be downloaded from the same location.

Security-Module Disabling-Detection


Security Analyzer uses a special module to perform its activities. In rare cases, a malicious user may disable that. The following confirmation message confirms that the security code is still in effect.

Disk Access Check

We have made slight tweaks in this area to ensure that there is no false positive reporting. However, per our research, we have found that the warnings noted in this check has mostly been very accurate.
More details on IIS App Pool identify can be found at the following resources:
https://www.youtube.com/watch?v=0tEojc_GU_A
https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions
https://docs.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/86127a66-dfd0-431b-b24e-84aee7e15fe1.mspx?mfr=true

Upgrades to newer version of DNN


With this version of the tool, you may encounter upgrade errors (shown above) while upgrading DNN or Evoq to versions prior to 9.0. The problem won't happen if you upgrade to any version 9.0 or above. Of course, we always recommend upgrading to the latest version of DNN or Evoq. The workaround is very simple. Simply uinstall this tool prior to upgrade, and install again after install.
More details about this problem can be found here: https://dnntracker.atlassian.net/browse/DNN-9428

Download

The Installation package can be downloaded from here: https://github.com/DNNCommunity/SecurityAnalyzer/releases
Ensure to download the version with "Latest Release" tag.

Installation of this tool

Security Analyzer can be installed as any standard DNN extension. Please refer to this documentation for more details: https://www.dnnsoftware.com/docs/administrators/extensions/install-extension.html

Previous Releases

This blog explains the general usage of Security Analayzer: Updates to Security Analyzer Tool

Additional Questions

Please send an email to security@dnnsoftware.com for questions related to security.
Alternatively, you may ask a question in the comments also.

 

  • Published:

Related Articles

5 Tips for Successfully Upgrading DNN Websites Depending on who you ask, you’ll be the recipient of a very passionate response when you ask any DNN’er their opinion about DNN up...
5 Things You Absolutely Need to Remember with E-Commerce Websites Last night, I had the pleasure of presenting to the Toronto Area DNN Users Group (a.k.a., TADUG), hosted by Aderson Oliveira.  TADUG is current...
How to secure a whole Dnn site with an SSL certificate Why get an SSL certificate Just to clarify a small technical semantics issue, SSL (Secure Socket Layer) is the old standard of transmitting secure da...
May the 4th - 2sxc for public forms and file upload this is a repost from the 2sxc blog Every international Star Wars day we release something big. This time we've enhanced 2sxc for public forms-...
Security for DNN Websites Best Practices Webinar Website security has been in the spotlight after a number of high-profile vulnerabilities and compromises. As website developers and operators, it is ...

Comments

Ray Michaud
Hi, I downloaded the latest Security Analyzer file from Git Hub (v 08.01.00) and installed it through the extension wizard. I got a success message. I re-started my website. I ran the Security Analyzer and still got the Check Telerik Vulnerability critical message. It is immediately followed by the Check Security Analyzer Http Module with a green check. Does this mean I am all set? My information security officer isn't convinced.
Ray Michaud Wednesday, July 26, 2017 5:41 PM (link)
TPPerlman
Thank you for the further support on these vulnerabilities. I had previously updated 40+ DNN installations with the June 2017 Security Hotfix v1.0.1, but when I installed the latest version of the Security Analyzer v8.1 I was getting the following error on 99% of my DNN v8x installations:

--------------------------------------------------------------------------------
PURPOSE OF THE CHECK:
CheckTelerikVulnerability : Check if Telerik component has vulnerability.

RESULT:
The Telerik component vulnerability has not been patched, please go to http://www.dnnsoftware.com/services/customer-support/success-network/security-fix-june-2017 for detailed information. You also can download a patch from that page or directly from http://dnn.ly/SecurityFix201701 and apply it.

NOTES:
App Setting "Telerik.Web.UI.DialogParametersEncryptionKey" doesn't exist in web.config.

--------------------------------------------------------------------------------

In order to fix this, I manually added the following key:


...



For the [ENCRYPTIONKEY] above, I used a different random password generator with an alphanumeric length of 128 characters for each site. Once I did that, the error went away.
TPPerlman Wednesday, July 26, 2017 7:35 PM (link)

Comment Form

Only registered users may post comments.

NewsArchives

Aderson Oliveira (22)
Alec Whittington (11)
Alessandra Daniels (3)
Alex Shirley (10)
Andrew Hoefling (3)
Andrew Nurse (30)
Andy Tryba (1)
Anthony Glenwright (5)
Antonio Chagoury (28)
Ash Prasad (37)
Ben Schmidt (1)
Benjamin Hermann (25)
Benoit Sarton (9)
Beth Firebaugh (12)
Bill Walker (36)
Bob Kruger (5)
Bogdan Litescu (1)
Brian Dukes (2)
Brice Snow (1)
Bruce Chapman (20)
Bryan Andrews (1)
cathal connolly (55)
Charles Nurse (163)
Chris Hammond (213)
Chris Paterra (55)
Clint Patterson (108)
Cuong Dang (21)
Daniel Bartholomew (2)
Daniel Mettler (181)
Daniel Valadas (48)
Dave Buckner (2)
David Poindexter (12)
David Rodriguez (3)
Dennis Shiao (1)
Doug Howell (11)
Erik van Ballegoij (30)
Ernst Peter Tamminga (80)
Francisco Perez Andres (17)
Geoff Barlow (12)
George Alatrash (12)
Gifford Watkins (3)
Gilles Le Pigocher (3)
Ian Robinson (7)
Israel Martinez (17)
Jan Blomquist (2)
Jan Jonas (3)
Jaspreet Bhatia (1)
Jenni Merrifield (6)
Joe Brinkman (274)
John Mitchell (1)
Jon Henning (14)
Jonathan Sheely (4)
Jordan Coopersmith (1)
Joseph Craig (2)
Kan Ma (1)
Keivan Beigi (3)
Kelly Ford (4)
Ken Grierson (10)
Kevin Schreiner (6)
Leigh Pointer (31)
Lorraine Young (60)
Malik Khan (1)
Matt Rutledge (2)
Matthias Schlomann (16)
Mauricio Márquez (5)
Michael Doxsey (7)
Michael Tobisch (3)
Michael Washington (202)
Miguel Gatmaytan (3)
Mike Horton (19)
Mitchel Sellers (40)
Nathan Rover (3)
Navin V Nagiah (14)
Néstor Sánchez (31)
Nik Kalyani (14)
Oliver Hine (1)
Patricio F. Salinas (1)
Patrick Ryan (1)
Peter Donker (54)
Philip Beadle (135)
Philipp Becker (4)
Richard Dumas (22)
Robert J Collins (5)
Roger Selwyn (8)
Ruben Lopez (1)
Ryan Martinez (1)
Sacha Trauwaen (1)
Salar Golestanian (4)
Sanjay Mehrotra (9)
Scott McCulloch (1)
Scott Schlesier (11)
Scott Wilkinson (3)
Scott Willhite (97)
Sebastian Leupold (80)
Shaun Walker (237)
Shawn Mehaffie (17)
Stefan Cullmann (12)
Stefan Kamphuis (12)
Steve Fabian (31)
Steven Fisher (1)
Tony Henrich (3)
Torsten Weggen (3)
Tycho de Waard (4)
Vicenç Masanas (27)
Vincent Nguyen (3)
Vitaly Kozadayev (6)
Will Morgenweck (40)
Will Strohl (180)
William Severance (5)
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out