DNN Community checklist catalog (azing.org/dnn-community)

DNN-Security Training (2illumin8)

This is a training session for IT operations staff and developers on handling security issues in DNN. It takes about 2 hours and uses the 2illumin8 training model.

Training Specs

Goals of this Training

Ensure that all participants know the usual causes of typical security breaches and how to prevent, mitigate and handle them.

Intended Audience

This training is targeted at people who already have some technical experience with DNN, for example web designers, developers and IT operations staff. It is not suited for content editors, as it is technical.

Basics

DNN publishes a list of all known DNN security issues.

Today most security issues have a CVE number (Common Vulnerabilities and Exposures) assigned by a CVE Numbering Authority (CNA).

General Recommendations

  1. Run the Security Analyzer.
    It is built into DNN 9 and newer; before that it was a separate extension.
    1. Make sure you understand each reported issue, even if it does not look critical.
    2. Take folder permission findings especially seriously.
  2. Disable user registration on all portals unless it is really needed.
  3. DNN host users
    1. The default superuser account is simply named host. Rename it via SQL script.
    2. Have as few host users as possible.
  4. Ensure web.config does not still contain the default machineKey:
    validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902" decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
  5. Ensure passwordFormat is Hashed for all users
    1. Ensure the membership provider in web.config has passwordFormat="Hashed".
    2. Check the database for users whose stored password is not hashed (PasswordFormat 1 = Hashed, 0 = Clear, 2 = Encrypted):
      SELECT * FROM aspnet_Membership WHERE PasswordFormat <> 1
  6. Ensure you have no pages with the "Edit" permission granted to "Everyone".
  7. DNN < 9: Put something into the Payment Processor user name and password fields, because tools like LastPass can auto-fill your own login there without you ever noticing, and these values are stored as plaintext in the database.
  8. Ensure customErrors is enabled in web.config. Recommended: <customErrors mode="RemoteOnly">
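The following script is an added example for items 4, 5 and 8 above; it is not part of the checklist and not DNN's own code. It parses a web.config with the standard library and reports the default machineKey, a non-hashed passwordFormat and a disabled customErrors in one pass. It assumes the usual ASP.NET layout under <system.web>; both web.config fragments are constructed for the demo (the "hardened" keys are placeholders, not keys to copy).

```python
import xml.etree.ElementTree as ET

# Default keys from DNN's web.config template, as quoted in item 4 above.
# The installer normally replaces them; a site still running them must be re-keyed.
DEFAULT_VALIDATION_KEY = "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
DEFAULT_DECRYPTION_KEY = "F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"


def audit_web_config(xml_text):
    """Return a list of findings for a web.config; an empty list means all checks pass."""
    findings = []
    system_web = ET.fromstring(xml_text).find("system.web")
    if system_web is None:
        return ["no <system.web> section found; cannot audit"]

    # Item 4: the machineKey signs forms-auth tickets and viewstate, so the
    # template default must not be in use.
    mk = system_web.find("machineKey")
    if mk is None:
        findings.append("machineKey element not found; verify keys are set")
    else:
        if mk.get("validationKey", "").upper() == DEFAULT_VALIDATION_KEY:
            findings.append("machineKey validationKey is the DNN default")
        if mk.get("decryptionKey", "").upper() == DEFAULT_DECRYPTION_KEY:
            findings.append("machineKey decryptionKey is the DNN default")

    # Item 5: every membership provider must store passwords hashed.
    for prov in system_web.iterfind("membership/providers/add"):
        fmt = prov.get("passwordFormat")
        if fmt != "Hashed":
            findings.append("provider %s has passwordFormat=%s (want Hashed)"
                            % (prov.get("name"), fmt or "(unset)"))

    # Item 8: customErrors must hide stack traces from remote clients.
    ce = system_web.find("customErrors")
    mode = ce.get("mode") if ce is not None else None
    if mode not in ("RemoteOnly", "On"):
        findings.append("customErrors mode=%s (want RemoteOnly)" % (mode or "(unset)"))
    return findings


# Constructed sample: a site still on the template defaults.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
                decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
                decryption="3DES" validation="SHA1" />
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the same site after hardening (placeholder keys).
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                decryption="AES" validation="HMACSHA256" />
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Hashed" />
      </providers>
    </membership>
    <customErrors mode="RemoteOnly" defaultRedirect="~/ErrorPage.aspx" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["OK"])
```

Run it against the real file with `audit_web_config(open("web.config").read())`; the weak sample yields four findings, the hardened one none.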

Security of Hosting Environment (IIS, ASP.Net and SQL Database)

  1. Run the IIS application pool under a dedicated service account.
  2. Grant that service account file access only to the web folder.
  3. Use a separate SQL login for each database and configure web.config accordingly.
  4. Configure IIS to log all relevant fields. By default some useful fields are not enabled, such as Host, Bytes Sent/Received and Protocol Version.
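As an added example for item 4 (not from the checklist and not an IIS tool), the script below reads the #Fields: directive that IIS writes at the top of every W3C log file, reports which of the fields named above are still missing, and shows one check that only works once cs-host is logged: requests that arrived under a host name you do not serve, for example direct-by-IP access. The allowed host name and both log excerpts are constructed.

```python
# Fields IIS enables by default for W3C logging.
IIS_DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]
# Fields the checklist asks for that IIS leaves disabled by default:
# Host header, bytes sent/received, protocol version.
EXTRA_WANTED_FIELDS = ["cs-host", "sc-bytes", "cs-bytes", "cs-version"]


def parse_iis_w3c_log(text):
    """Return (fields, records): the declared field list and each record as a dict."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names never contain spaces
        elif line.startswith("#") or not line.strip():
            continue                           # other directives, blank lines
        else:
            values = line.split(" ")           # W3C records are space separated, "-" = empty
            if len(values) != len(fields):
                raise ValueError("record has %d values, expected %d: %r"
                                 % (len(values), len(fields), line))
            records.append(dict(zip(fields, values)))
    if not fields:
        raise ValueError("no #Fields: directive found")
    return fields, records


def missing_log_fields(text):
    """Fields from the recommended set that this log file does not contain."""
    fields, _ = parse_iis_w3c_log(text)
    return [f for f in IIS_DEFAULT_FIELDS + EXTRA_WANTED_FIELDS if f not in fields]


def unexpected_host_records(text, allowed_hosts):
    """Records whose Host header is not one of ours; needs cs-host to be logged."""
    fields, records = parse_iis_w3c_log(text)
    if "cs-host" not in fields:
        raise ValueError("cs-host is not logged; enable it in IIS > Logging > Select Fields")
    return [r for r in records if r["cs-host"] not in allowed_hosts]


# Constructed sample with the IIS default field set.
DEFAULT_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 10:15:02 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) - 200 0 0 31
"""

# Constructed sample after enabling the extra fields.
FULL_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-03-01 10:15:02 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0+(Windows) - www.example.org 200 0 0 8122 512 31
2024-03-01 10:15:09 10.0.0.5 POST /Install/Install.aspx mode=install 443 - 198.51.100.23 HTTP/1.1 python-requests/2.31 - 10.0.0.5 404 0 2 1432 220 5
"""

if __name__ == "__main__":
    print("missing in default log:", missing_log_fields(DEFAULT_LOG))
    print("missing in full log:", missing_log_fields(FULL_LOG))
    for rec in unexpected_host_records(FULL_LOG, {"www.example.org"}):
        print("unexpected host:", rec["cs-host"], rec["cs-method"], rec["cs-uri-stem"])
```

The second record in FULL_LOG was addressed to the server's IP rather than the site name, which is typical of scanners; with the default field set that distinction is simply not recorded.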

Known Security Issues with very high risk

DNN Core

  1. Telerik file uploader: many issues from 2014 and 2017. Ensure you have Security HotFix 2017 01.02.00 installed.
  2. DNN 4.9: CKEditor file upload issue and IIS 6 file upload issue.
  3. The DNN installer/updater may leave dangerous files behind. Delete these files in Install/: Install, InstallWizard and UpgradeWizard, both the .aspx and the .aspx.cs files.
  4. Vulnerabilities in the DNN file uploader: bypass of the client-side file extension check (CVE-2020-5188) and a Zip Slip vulnerability (CVE-2020-5187) (DNN 7 - 9.6. ...)
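The Zip Slip class behind CVE-2020-5187 is easy to reproduce and to guard against, so here is an added example of an extractor that rejects such archives. It is not DNN's code and says nothing about how DNN's uploader actually extracts; it only shows the vulnerability class and the check. Note that Python's own ZipFile.extractall silently drops ".." path segments, which hides the attack instead of reporting it; an upload handler should fail the whole archive before writing anything, as done here. The archives, the Portals/0 target folder and the entry names are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the target folder."""


def _resolve_entry(dest, name):
    """Return the on-disk path for one entry, or raise if it escapes dest."""
    normalised = name.replace("\\", "/")           # archives built on Windows use backslashes
    first = normalised.split("/")[0]
    if normalised.startswith("/") or os.path.isabs(normalised) or ":" in first:
        raise ZipSlipError("absolute path in archive: %r" % name)
    base = dest.resolve()
    target = (dest / normalised).resolve()         # collapses any ../ segments
    if target != base and base not in target.parents:
        raise ZipSlipError("entry escapes target folder: %r" % name)
    return target


def safe_extract(zip_bytes, dest):
    """Validate every entry first, then extract; return the names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # All-or-nothing: a bad entry anywhere means nothing gets written.
        targets = [(info, _resolve_entry(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def make_zip(entries):
    """Build an in-memory zip; names are stored verbatim, so '../' survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Extract a clean upload, then show a traversal upload being rejected.

    Returns (names written from the clean archive, rejection message or None,
    number of web.config files that leaked outside the portal folder).
    """
    clean = make_zip({"Images/logo.png": b"\x89PNG", "Images/readme.txt": b"ok"})
    # Constructed attack archive: one harmless entry, one that climbs two levels up.
    evil = make_zip({"Images/logo.png": b"\x89PNG", "../../web.config": b"<configuration/>"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "Portals" / "0"
        dest.mkdir(parents=True)
        good = safe_extract(clean, dest)
        try:
            safe_extract(evil, dest)
            rejected = None
        except ZipSlipError as exc:
            rejected = str(exc)
        leaked = len(list(Path(tmp).rglob("web.config")))
    return good, rejected, leaked


if __name__ == "__main__":
    print(demo())
```

The all-or-nothing validation matters as much as the path check: extracting entry by entry and aborting on the first bad one still leaves the earlier entries on disk, which is exactly what an attacker pairs with the extension-check bypass from the same advisory.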

3rd Party Extensions/Modules

These are commonly known modules whose older versions had publicly known, widespread issues.

  1. DNN Sharp: Action Form 3.9.228 and earlier, Sharp Look 1.1.141 and earlier
  2. Many modules by DNN Go from before 2019 have dangerous uploaders
  3. Older Mandeeps modules had an insecure upload handler
  4. Easy DNN News: fixes in version 8.6.2
  5. Modules using AjaxFBS, e.g. InteractiveWebs (Complete Feedback Designer, TellMyFriends, FlashBoard, FlashSlide)
  6. ZLDNN DNNArticle
Content Copyright: CC-BY 4.0