Engage on Facebook Engage on Twitter Engage on LinkedIn Engage on GitHub

PSA: Keeping your DNN Sites Secure

By Brian Dukes

Update: A new version of DNN has been released to address some additional potential vulnerabilities, as well as an extended workaround if you cannot yet upgrade to the latest version of DNN.

At Engage we wanted to give the DNN community a quick reminder to take a minute and think about the security of your DNN site. Historically, DNN has done a great job of handling any security issues that come up with DNN (and also a great job of avoiding security issues in the first place). That said, many times the only foolproof way to protect the community is to require them to upgrade to a version of DNN that fixes an issue which gets found. You can review any known security issues for your version of DNN at DNN's Security Center (and glance at the Version History page if you're not sure which version of DNN Platform your Evoq website uses).

TL;DR Install the Security Analyzer module if your DNN website is on a version below 7.4.1 (starting in 7.4.1 this module is included within DNN itself). If you're on DNN 8, make sure you've upgraded to 8.0.3.

Now that your site has the Security Analyzer module installed, take a look at it (there should be a page with it under the Host menu). Review the Superuser Activity to ensure that your site hasn't been compromised to create a host-level account for an attacker. (Don't be too alarmed if your site fails the CheckBiography check on the Audit Checks tab, this just means that your site could be vulnerable to spammers registering accounts and using the biography profile property for SPAM; a nuisance, but not a major security issue).

As mentioned above, one of the major issues that we're concerned about protecting against is an attacker being able to create a host-level account (which gives them full control over your website). One thing that might tip you off to an attacker exploiting that vulnerability (labelled 2015-05 (Critical) in the Security Center) is that the SMTP settings may be reset (these are the settings which control your site's ability to send emails). If your DNN site has recently stopped sending emails, you'll definitely want to follow the steps above and review activity on your site.

If you do find an unexpected superuser account, the first thing to do is revoke that user's access (go to the Superuser Accounts page in the Host menu). Then you'll want to reset the password to your SQL database (and any other passwords stored in your web.config file), as well as probably advising your site's users to reset their passwords. Once a user has that level of access, there's very little they don't have access to, so a thorough review of the site is in order. If your site is running on an Evoq product, you should have an Application Integrity tool in the Host menu which will tell you about files that have been added or altered, which is a good place to look next.

We hope this quick reminder is helpful to you. Stay safe out there!

Check out our free guide, "Six Issues to Avoid When Upgrading to DNN 8" Download