DotNetNuke Security Alert

Discussion in 'ASP.NET / ASP.NET Core' started by Bruce, Jan 28, 2004.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Bruce

    Bruce DiscountASP.NET Staff

    Hi All. DotNetNuke sent out an email to all registered users regarding a security hole with DNN. I'm posting here in case you didn't get this email.




    Yesterday we became aware of a security vulnerability in DotNetNuke.

    It is the immediate recommendation of the DotNetNuke Core Team that all users of DotNetNuke based systems download and install this security patch as soon as possible. As part of our standard security policy, no further detailed information regarding the nature of the exploit will be provided to the general public.

    This email provides the steps to immediately fix existing sites and mitigate the potential for a malicious attack.

    Who is vulnerable?

    -- Any version of DotNetNuke from version 1.0.6 to 1.0.10d

    What is the vulnerability?

    A malicious user can anonymously download files from the server. This is not the same download security issue which has been well documented in the past whereby an anonymous user can gain access to files in the /Portals directory if they know the exact URL. This particular exploit bypasses the file security mechanism of the IIS server completely and allows a malicious user to download files with protected mappings ( i.e. *.aspx ).

    The vulnerability specifically *does not* enable the following actions:

    -- A hacker *cannot* take over the server (e.g. it does not allow hacker code to be executed on the server)

    How to fix the vulnerability?

    For Users:

    An updated release of DotNetNuke is now available for download from the DotNetNuke site ( http://www.dotnetnuke.com ). There are in fact two versions of the download available:

    DotNetNuke 1.0.10e - FULL = a full release package containing all project files ( recommended for those who are installing DotNetNuke for the first time or are running a version prior to 1.0.10d )
    DotNetNuke 1.0.10e - PATCH = only those files affected by this particular security exploit ( recommended only for those who are already running DotNetNuke 1.0.10d )

    1) Extract the zip file into the C:\DotNetNuke folder ( make sure to have the Overwrite Existing and Use Folder Names options enabled )
    2) Deploy the fix by copying the bin\DotNetNuke.dll to the /bin folder on your remote server

    For Developers:

    If you have an existing installation, you can immediately fix the problem by performing the following steps:

    1) Open up the DotNetNuke application in Visual Studio.NET.
    2) Open the admin\Portals\LinkClick.aspx page
    3) Switch to the Code Behind view for the page
    4) Replace the following lines of code in the Page_Load handler:



    ' strLink is the server-side file path this handler resolved earlier from the "link" parameter
    If Not Request.Params("contenttype") Is Nothing Then
        ' force download dialog
        Response.AppendHeader("content-disposition", "attachment; filename=" + Request.Params("link").ToString)
        Response.ContentType = Request.Params("contenttype").ToString
        Response.WriteFile(strLink)
        Response.End()
    Else ' redirect
        Response.Redirect(strLink, True)
    End If



    with:



    ' link to internal file
    If Not Request.Params("contenttype") Is Nothing Then
        ' verify file extension for request
        Dim strExtension As String = Replace(System.IO.Path.GetExtension(Request.Params("link").ToString()), ".", "")
        ' only write the file when its extension appears in the host's FileExtensions list
        If InStr(1, "," & _portalSettings.HostSettings("FileExtensions").ToString.ToUpper, "," & strExtension.ToUpper) <> 0 Then
            ' force download dialog
            Response.AppendHeader("content-disposition", "attachment; filename=" + Request.Params("link").ToString)
            Response.ContentType = Request.Params("contenttype").ToString
            Response.WriteFile(strLink)
            Response.End()
        End If
    Else ' redirect
        Response.Redirect(strLink, True)
    End If




    5) Save the file
    6) Rebuild the application (Ctrl-Shift-B)
    7) Deploy the fix by copying the bin\DotNetNuke.dll to the /bin folder on your remote server

    Please note that this public service announcement demonstrates the professional responsibility of the Core Team to treat all possible security exploits as serious and respond in a timely and decisive manner.

    We sincerely apologize for the inconvenience that this has caused.



    Thank you, we appreciate your support...

    DotNetNuke - The Web of the Future
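The before/after handler logic from the developer steps in the post, modelled as an added Python example (not DotNetNuke's own code). It assumes `params` is the request query string as a dict, `str_link` is the server path Page_Load already resolved from the "link" parameter, and the FileExtensions allowlist value is a constructed sample.

```python
# Added example (not DotNetNuke's code): a model of the LinkClick.aspx Page_Load
# decision before and after the 1.0.10e patch, as described in the advisory.
from dataclasses import dataclass, field
from typing import Dict, Optional
import posixpath

# Constructed sample of the HostSettings("FileExtensions") allowlist (assumption).
FILE_EXTENSIONS = "jpg,jpeg,gif,png,pdf,doc,txt,zip"


@dataclass
class Outcome:
    action: str                        # "download", "redirect" or "denied"
    headers: Dict[str, str] = field(default_factory=dict)
    served_path: Optional[str] = None  # what Response.WriteFile would send


def linkclick_vulnerable(params: Dict[str, str], str_link: str) -> Outcome:
    """Pre-patch logic: any 'link' sent with a 'contenttype' is written to the client,
    so IIS's protected mappings (e.g. *.aspx) never get a chance to block it."""
    if params.get("contenttype") is not None:
        headers = {
            "content-disposition": "attachment; filename=" + params.get("link", ""),
            "content-type": params["contenttype"],
        }
        return Outcome("download", headers, str_link)
    return Outcome("redirect", served_path=str_link)


def extension_allowed(link: str, file_extensions: str) -> bool:
    """Patched check: the link's extension must be one of the host's allowed tokens."""
    ext = posixpath.splitext(link)[1].lstrip(".").upper()
    allowed = {e.strip().upper() for e in file_extensions.split(",") if e.strip()}
    return ext != "" and ext in allowed


def linkclick_patched(params: Dict[str, str], str_link: str,
                      file_extensions: str = FILE_EXTENSIONS) -> Outcome:
    """1.0.10e logic: the download branch runs only for allowlisted extensions."""
    if params.get("contenttype") is not None:
        if not extension_allowed(params.get("link", ""), file_extensions):
            # The patched VB code simply skips WriteFile here; nothing is sent.
            return Outcome("denied")
        return linkclick_vulnerable(params, str_link)
    return Outcome("redirect", served_path=str_link)
```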