This is a training session for IT Operations and Developers on handling security issues in DNN. It takes about 2 hours. It uses the 2illumin8 training model.
Training Specs
Goals of this Training
Ensure that all participants know the usual causes of typical security breaches and how to prevent, mitigate and handle them
Intended Audience
This training is targeted at people who already have some technical experience with DNN, for example Web Designers, Developers and IT Operations. It is not suited for content editors, as it is technical.
Basics
DNN has a list of all known DNN Security Issues.
Today many security issues have a CVE number (Common Vulnerabilities and Exposures) allocated by a CVE Numbering Authority.
General Recommendations
- Run the Security Analyzer. It is part of DNN 9 and newer; before that it was an extension.
- Make sure you understand each issue reported, even if it doesn't look critical.
- Folder permissions in particular are to be taken seriously.
- Disable User Registration on all Portals unless really needed.
- DNN Host Users
- The default host user name should not just be host. Change it via a SQL script.
- Have as few host users as possible.
- Ensure you don't have the default machineKey in web.config, i.e. validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902" decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
- Ensure PasswordFormat is Hashed for all users:
- Ensure web.config has passwordFormat="Hashed"
- Check the DB for users whose PasswordFormat is not 1 (Hashed):
SELECT * FROM aspnet_Membership WHERE PasswordFormat <> 1
- Ensure you have no pages with "Edit" Permission for "Everyone"
- DNN < 9: Ensure the Payment Processor User and Password fields contain something, because tools like LastPass can accidentally fill in your own login without you ever noticing, and that information is saved as plaintext in the database.
- Ensure you have customErrors enabled in web.config. Recommended is <customErrors mode="RemoteOnly">
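The three web.config checks above (default machineKey, customErrors mode, passwordFormat) can be scripted so they are repeated on every deployment. The following audit script is an added example for this training, not part of DNN; the web.config it parses is a constructed sample that fails all three checks, and the default key values are the ones quoted above.

```python
import xml.etree.ElementTree as ET

# Default DNN machine key quoted in the checklist above: if it is still in
# web.config the site is running with a publicly known key.
DEFAULT_VALIDATION_KEY = "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
DEFAULT_DECRYPTION_KEY = "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"

# Constructed sample web.config that fails all three checks at once.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
                decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
                decryption="3DES" validation="SHA1" />
    <customErrors mode="Off" />
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="AspNetSqlMembershipProvider" passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Default machine key (keys are hex, so compare case-insensitively).
    mk = next(root.iter("machineKey"), None)
    if mk is not None and (
        mk.get("validationKey", "").upper() == DEFAULT_VALIDATION_KEY
        or mk.get("decryptionKey", "").upper() == DEFAULT_DECRYPTION_KEY
    ):
        findings.append("machineKey: default DNN key in use, generate a new one")
    # 2. customErrors must be set explicitly and hide details from remote clients.
    ce = next(root.iter("customErrors"), None)
    if ce is None:
        findings.append("customErrors: element missing, set mode=RemoteOnly")
    elif ce.get("mode", "").lower() not in ("remoteonly", "on"):
        findings.append('customErrors: mode should be "RemoteOnly", found %r'
                        % ce.get("mode"))
    # 3. Every membership provider must store hashed passwords.
    for prov in root.iter("add"):
        fmt = prov.get("passwordFormat")
        if fmt is not None and fmt != "Hashed":
            findings.append("membership %s: passwordFormat=%s, must be Hashed"
                            % (prov.get("name"), fmt))
    return findings
```

Run it against the real web.config by reading the file into a string and passing it to audit_web_config; the database-side check (PasswordFormat <> 1) still has to be run separately with the SQL query above.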
Security of Hosting Environment (IIS, ASP.Net and SQL Database)
- Run IIS Application Pool with a special Service Account.
- Grant File-Access only to the web-folder for that Service Account.
- Use a separate SQL Login for each Database. Configure web.config accordingly.
- Configure IIS to log all relevant information/fields. By default some useful fields are not enabled, like Host, Bytes Sent/Received, Protocol Version, ...
Known Security Issues with very high risk
DNN Core
- Telerik File Uploader: many issues from 2014 and 2017. Ensure you have Security HotFix 2017 01.02.00 installed.
- DNN 4.9: CKEditor File Upload Issue - IIS 6 File Upload Issue
- The DNN Installer/Updater may leave dangerous files behind. Delete these files in Install/: Install, InstallWizard, UpgradeWizard, both *.aspx and *.aspx.cs
- Vulnerabilities in the DNN File Uploader (bypass of the client-side file extension check, CVE-2020-5188) and a Zip Slip vulnerability (CVE-2020-5187) (DNN 7 - 9.6. ...)
3rd Party Extensions/Modules
These are commonly known modules where older versions had publicly known widespread issues.
- DNN Sharp: Action Form 3.9.228 and earlier, Sharp Look 1.1.141 and earlier
- Many modules by DNN Go from before 2019 have dangerous uploaders
- Older Mandeeps modules had an insecure upload handler
- Easy DNN News: Fixes in Version 8.6.2.
- Modules using AjaxFBS, e.g. InteractiveWebs (Complete Feedback Designer, TellMyFriends, FlashBoard, FlashSlide)
- ZLDNN DNNArticle