When searching for the term "rootkit" I was surprised to see one result returned under File Results

File Results
View.ascx (06/15/2016 09:19:49)

So I searched the DNN Instance with Windows Exporer and found the instance,

C:\**server file structre ** \DesktopModules\DNNCorp\SecurityAnalyzer\View.ascx:
   71                  <div class="dnnFormItem">
   72                      <dnn:label id="plSearchTerm" controlname="txtSearchTerm" runat="server" CssClass="dnnFormRequired"/>
   73:                     <asp:TextBox ID="txtSearchTerm" runat="server" MaxLength="256" Text="rootkit" ValidationGroup="ScannerChecks" />

AH! But that's the view.ascx of the actual Security Analyzer

We probably shouldn't remove the view.ascx from review because then it would be a good place to hide things... so perhaps in the returned search results, specific to this file it ignores the text?

Installed the module (DNN 7.4.0) and got an immediate error:
bei DNN.Modules.SecurityAnalyzer.Components.Checks.CheckBiography.Execute()
bei DNN.Modules.SecurityAnalyzer.Components.AuditChecks.DoChecks()
bei DNN.Modules.SecurityAnalyzer.View.GetAuditResults()
bei DNN.Modules.SecurityAnalyzer.View.Page_Load(Object sender, EventArgs e)
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Control.LoadRecursive()
bei System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Hi all, I'm running a site using DNN 7.3.3 and the security analyzer tool always fails the site for this check:

CheckHttpModules : Check Security Analyzer Http Module:
The Security Analyzer Http Module haven't initialized in application, please check web.config file to see whether the http module config correctly.

I am not understanding the proposed fix, could someone assist? Any help would be so greatly appreciated!

• Marco

We have many DNN instances, especially older 4x and 5x versions that have upgraded over time, where the Module Header/Footer has been used to wrap a module within a DIV or to place extra BR breaks after a module.

example:

TabId: 280, Module Id: 716
Header: <div style="height:200px; text-align:center;">
Footer: </div>< br />

These are harmless, intended uses of the module header/footer block of content but they show up as records in the Security Analyzer for review. And rightly so!

I wonder if there could be a slight enhancement to the way the module returns values here and either:

1. only returns if it finds certain potentially hack-used code such as: iframe, script, js, css, etc.
2. or, if it is best to have it return everything like it does now, to have it highlight in yellow any of the records which have those type of code elements within the content. That way, they're quick to see/find within the full list.

The other enhancement I would recommend is that the "TabID: 280, Module Id; 716" Be turned into a link that you can use to load that page of the site. Not only for efficient review/clicking, but mainly because it does not display which portal that module comes from, so in a multi portal DNN instance of 25+ portals, you're left guessing which that might be. Even though you'd likely make repairs directly in the database, it would be helpful to click and see the portal.

we should add a check to hash the contents of default.aspx/default.aspx.cs and flag if the page(s) have been altered - this would help alert users in the case that their page had additional tags (e.g. for SEO spam links) added.

Not sure who else has done this, but as one step for figuring out why an install doesn't work, some folks may have set over-generous permissions throughout their site(s). Might it make sense to go down the main directory trees and verify (with optional reset) these permissions properly?

I have changed the settings for the security to one single user that has only access to one folder on my disk. (I checked the permissions) however the CheckDiskAccess keeps giving warnings on this point.

Am i missing something? because it looks like a bug..

using the security analyzer for files that contain the word 'rookit'. The following four files were found:

Security.resx (08/01/2018 14:30:57)
LocalResources.en-US.resources (08/01/2018 14:36:41)
View.ascx (08/01/2018 21:06:53)
View.ascx.resx (08/01/2018 21:06:53)

After further digging I realized these files are all part of the security analyzer module and are perfectly fine. However, this would be more useful if the full path of the file were supplied so it would easy to locate the file in question to determine if it is a malicious file or not.

Add the DNN community standard GitHub templates for issues and pull requests

We need to discuss the end of this module:

Is PR #11 ok to merge and publish a new release or do we need to adjust some wording ?

What do we do with the existing issues, what needs to move to DnnPlatform, what needs to be closed ?

We need to document the upgrade issue in the Dnn upgrade path Wiki page and in release notes ?

We also need to add wording to not install this module on Dnn 9

@DNNCommunity/module-development-team please comment

The security of DNN is highly important, across the entire ecosystem. The integrity of the ecosystem requires that we have the tools available to ensure that even deeply rooted files haven't been compromised (e.g., telerik radeditor, provider files, sql data provider files, etc.).

This enhancement should scan all of the core files against a known clean instance of the core files, and report any files that have been altered or removed.

A security tool that we used a while back in older DNN 5x was a tool (it was a dashboard plugin) that would allow you to Encrypt and UnEncrypt key sections of the web.config.

While encrypted, standard dnn functions all continued normally. We were just careful to unencrypt before doing any new dnn module install that we knew wrote to the web.config, but other than that, everything worked fine while encrypted.

The encryption would hash the main connection string and the legacy connection string sections in the web.config.

All my installs of version 8.1.1 went fine but the one where the sysop encrypted the appsettings (not our own server).
The module still injected the Telerik.Web.UI.DialogParametersEncryptionKey to the appsettings in web.config which crashed the site with a config error.
Might be good to check in advance if the section is encrypted

The tool works fine on my test sites, but on our production site (which has 400+ portals) but the page times out at our loadbalancer before finishing.

Changing the timeout is not an option, it's set to 30 seconds and "that's that". (for better / worse)

Perhaps, the output could also be written to a file? Or send an email to the site owner (or the logged in user?)

In general when this happens, the request finishes @ the web server, but by that time, the page has been timed out by the LB.

I'd like to capture this valuable information, just thinking about how to get it.

The module should log and/or be aware of the last time the admin ran the scans here. This would allow only the things that have changed since the last scan to be reviewed. This would make it easier to spot issues that may be new, instead of perhaps getting complacent or "scanning" all of this information and potentially missing something.

For example, if any specific host settings have been updated or added since the last time the scan was run, they might be shown in bold and/or red text.

I would add 2 checks:
A. A check for a host user with default credentials (as you get after a default install)
B. A warning if there's a superuser named "host" that is not the "oldest" superuser.

Upon attempt to install Security Analyzer from http://www.dnnsoftware.com/forge/dnn-security-analyzer upon a DNN 7.3.4 installation, the following two messages have been reported in Evenet Viewer:

No Module has been installed.

AssemblyVersion:7.3.4
PortalID:0
PortalName: domain_name.xxx
UserID:3
UserName:EChancesGRSuperUser
ActiveTabID:36
ActiveTabName:Extensions
RawURL:/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
AbsoluteURL:/Default.aspx
AbsoluteURLReferrer:http://domain_name.xxx/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
UserAgent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:bdfe1f1f-5716-45c6-9d11-97a7e7dba6b2
InnerException:File load failed, aborting
FileName:
FileLineNumber:0
FileColumnNumber:0
Method:
StackTrace:
Message:
System.Exception: File load failed, aborting
Source:
Server Name: GENERICNL04

AssemblyVersion:7.3.4
PortalID:0
PortalName:domain_name.xxx
UserID:3
UserName:EChancesGRSuperUser
ActiveTabID:36
ActiveTabName:Extensions
RawURL:/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
AbsoluteURL:/Default.aspx
AbsoluteURLReferrer:http:/domain_name.xxx/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
UserAgent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:5a928701-9c5a-4d1b-9d07-d0e6b66392ce
InnerException:Could not find file 'C:\Inetpub\vhosts\domain_name.xxx\httpdocs\Install\Temp\ir4rsu15\License.txt'.
FileName:
FileLineNumber:0
FileColumnNumber:0
Method:System.IO.__Error.WinIOError
StackTrace:
Message:
DotNetNuke.Services.Exceptions.PageLoadException: Could not find file 'C:\Inetpub\vhosts\domain_name.xxx\httpdocs\Install\Temp\ir4rsu15\License.txt'. ---> System.IO.FileNotFoundException: Could not find file 'C:\Inetpub\vhosts\domain_name.xxx\httpdocs\Install\Temp\ir4rsu15\License.txt'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
at System.IO.StreamReader..ctor(String path)
at System.IO.File.OpenText(String path)
at DotNetNuke.Common.Utilities.FileSystemUtils.ReadFile(String filePath)
at DotNetNuke.Services.Installer.Installers.PackageInstaller.ReadTextFromFile(String source)
at DotNetNuke.Services.Installer.Installers.PackageInstaller.ReadManifest(XPathNavigator manifestNav)
at DotNetNuke.Services.Installer.Installers.PackageInstaller..ctor(String packageManifest, InstallerInfo info)
at DotNetNuke.Services.Installer.Installer.ProcessPackages(XPathNavigator rootNav)
at DotNetNuke.Services.Installer.Installer.ReadManifest(Stream stream)
at DotNetNuke.Services.Installer.Installer.ReadManifest(Boolean deleteTemp)
at DotNetNuke.Modules.Admin.Extensions.Install.wizInstall_NextButtonClick(Object sender, WizardNavigationEventArgs e)
at System.Web.UI.WebControls.Wizard.OnNextButtonClick(WizardNavigationEventArgs e)
at System.Web.UI.WebControls.Wizard.OnBubbleEvent(Object source, EventArgs e)
at System.Web.UI.WebControls.Wizard.WizardChildTable.OnBubbleEvent(Object source, EventArgs args)
at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args)
at System.Web.UI.WebControls.LinkButton.OnCommand(CommandEventArgs e)
at System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument)
at System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace ---

1. Go to Host > Security Analyzer
2. The tab name "Superuser Activity" should be renamed "Super User Activity"

This was originally recorded: https://dnntracker.atlassian.net/browse/DNN-7970

Please summarize your question in one sentence

When uninstalling module from a 9.x insatalltion the security analyzer page is left in the personabar.

Give a more extended description

With the new personabar there is no way to access the host pages anymore in order to remove the page.

Steps to reproduce (if needed)

Dnn 8.X site upgraded to 9.x
Uninstall the Security Analyzer a sit’s now included in DNN 9.x
Page still remains in personabar with no way to remove.

Other comments or remarks

CheckUnexpectedExtensions step running slowly when the website contains large folder structure and hosted on UNC path. need set it to lazy load to avoid timeout exception during page load process.

Actually, I'm not sure if the issue is with this tool or with the fix.

I've attached a screenshot of the tool's output.

Here is the patch itself:

Upon attempt to install Security Analyzer from http://www.dnnsoftware.com/forge/dnn-security-analyzer upon a DNN 7.3.4 installation, the following two messages have been reported in Evenet Viewer:

No Module has been installed.

AssemblyVersion:7.3.4
PortalID:0
PortalName: domain_name.xxx
UserID:3
UserName: SUr
ActiveTabID:36
ActiveTabName:Extensions
RawURL:/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
AbsoluteURL:/Default.aspx
AbsoluteURLReferrer:http://domain_name.xxx/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
UserAgent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:bdfe1f1f-5716-45c6-9d11-97a7e7dba6b2
InnerException:File load failed, aborting
FileName:
FileLineNumber:0
FileColumnNumber:0
Method:
StackTrace:
Message:
System.Exception: File load failed, aborting
Source:
Server Name: GENERICNL04

AssemblyVersion:7.3.4
PortalID:0
PortalName:domain_name.xxx
UserID:3
UserName:EChancesGRSuperUser
ActiveTabID:36
ActiveTabName:Extensions
RawURL:/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
AbsoluteURL:/Default.aspx
AbsoluteURLReferrer:http:/domain_name.xxx/en-us/Host/Extensions/ctl/Install/rtab/36/portalid/0?popUp=true
UserAgent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
DefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNuke
ExceptionGUID:5a928701-9c5a-4d1b-9d07-d0e6b66392ce
InnerException:Could not find file 'C:\Inetpub\vhosts\domain_name.xxx\httpdocs\Install\Temp\ir4rsu15\License.txt'.
FileName:
FileLineNumber:0
FileColumnNumber:0
Method:System.IO.__Error.WinIOError
StackTrace:
Message:
DotNetNuke.Services.Exceptions.PageLoadException: Could not find file 'C:\Inetpub\vhosts\domain_name.xxx\httpdocs\Install\Temp\ir4rsu15\License.txt'. ---> System.IO.FileNotFoundException: Could not find file 'C:\Inetpub\vhosts\domain_name.xxx\httpdocs\Install\Temp\ir4rsu15\License.txt'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize, Boolean checkHost)
at System.IO.StreamReader..ctor(String path)
at System.IO.File.OpenText(String path)
at DotNetNuke.Common.Utilities.FileSystemUtils.ReadFile(String filePath)
at DotNetNuke.Services.Installer.Installers.PackageInstaller.ReadTextFromFile(String source)
at DotNetNuke.Services.Installer.Installers.PackageInstaller.ReadManifest(XPathNavigator manifestNav)
at DotNetNuke.Services.Installer.Installers.PackageInstaller..ctor(String packageManifest, InstallerInfo info)
at DotNetNuke.Services.Installer.Installer.ProcessPackages(XPathNavigator rootNav)
at DotNetNuke.Services.Installer.Installer.ReadManifest(Stream stream)
at DotNetNuke.Services.Installer.Installer.ReadManifest(Boolean deleteTemp)
at DotNetNuke.Modules.Admin.Extensions.Install.wizInstall_NextButtonClick(Object sender, WizardNavigationEventArgs e)
at System.Web.UI.WebControls.Wizard.OnNextButtonClick(WizardNavigationEventArgs e)
at System.Web.UI.WebControls.Wizard.OnBubbleEvent(Object source, EventArgs e)
at System.Web.UI.WebControls.Wizard.WizardChildTable.OnBubbleEvent(Object source, EventArgs args)
at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args)
at System.Web.UI.WebControls.LinkButton.OnCommand(CommandEventArgs e)
at System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument)
at System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
--- End of inner exception stack trace ---

Describe the bug

The security analyzer doesn't produce an issue, if users are running an old version

Software Versions

• DNN: up to 08.00.04
• Module: 08.01.04

To Reproduce

Steps to reproduce the behavior:
Run security analyzer

Expected behavior

A clear and concise request upgrading to DNN 9.x.x (latest)

Additional context

This was discussed in DNNTAG meeting.

I installed the module today and it went fine, but when I attempt to run it I get a "critical error has occurred" and the events log shows, amongst other things -- "InnerException:Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=################' failed." Note that I obfuscated the PublicKeyToken -- just in case ;-) The site is running DNN 07.03.04 in medium trust.

There should be a feature that allows a superuser to mark the state of the Default.aspx.

For example, if an admin has done the unthinkable and made core changes to the Default.aspx, it will be flagged here. However, it would be ideal if the admin could review the page and come back to the module and say the change is okay, essentially putting a virtual "checkmark" on the state of the page (and maybe even saving it).

This would allow the admin to come back here and see when and if the page has changed again without their knowledge knowledge.

The current implementation will require the admin to check the page every single time they run the scan, or something worse... one might just get used to seeing it and ignore the error/warning altogether.

The module was initially created via a template (christoc) and contains some standard build scripts that were not used in packaged. We need to either remove these scripts or update them to correctly package the module as they currently don't do so e.g. they don't factor in the "DNNCorp" top level folder

Hello,

I have a DNN 8 website where I have deleted the biography from the user profile items. The warning for the biography field being Rich text is still showing

The File Results when searching return only the name of the file (?)

File Results
View.ascx (06/15/2016 09:19:49)

We wouldn't' want that to be a link that you'd be encouraged to click... so how about displaying the file path location?

After installing security patch 01.02.00 + security analyzer 08.01.03, i get this warning:

While the june patch was installed previously.