
The purpose of this article is to give step-by-step instructions, with example files, on how hackers can run server-side code on your website. This is not just an issue for older DotNetNuke installations; it applies to any website that accepts uploads and runs on Windows Server 2003 with IIS 6. First, a disclaimer. I spoke with Cathal and the DotNetNuke Security team through proper channels and let them post the first blog on how to patch this. There are articles out there for the bad people to get into your system, so we only thought it was fair to post this through a more main-stream channel in the hopes that good people can be educated on how to protect themselves. (Hackers are bad, server administrators are good in this disclaimer.)
Should I Be Worried?
The ability to execute server-side code is not limited to DotNetNuke. This security issue affects you if both of the following are true:
- You allow users to upload files into your website (avatar images, videos, documents as attachments to form submissions, etc.).
- Your website runs on Windows Server 2003 with IIS 6 (even with the most recent patches).
What if I'm Running an Older Version of DotNetNuke?
Then you are REALLY in trouble. There is a well-known exploit that allows nefarious users to post files into the /portals/{PortalId} folder associated with your portal. For most websites this folder is /portals/0/. If you are running a DotNetNuke version lower than 4.8.3, your website is susceptible. Only a few are using that exploit to post ASP files via the security issue described in this article; most of the intrusions I've seen have used it to post .txt files. To see if you've been hit, look in /portals/0 for any fat.txt files. If you find one, you are on a list of known websites with the open door. Once news of the ASP exploit spreads, you will start to see those files in there as well.
We know that there are clients using older versions of the framework who are stuck on that version for legitimate reasons, so we built this guide to help keep that security hole a nuisance rather than an open door to running server-side code in your application.
How Can I Find Out Which Version of DotNetNuke I'm Running?
DotNetNuke puts this in a pretty easy place to find. Go to the Host Settings page in the Host menu and it is listed right at the top.

You can also get it from the database if that's easier. Here's a simple script that returns the current version of DotNetNuke (the newest row in dbo.[Version], for example 4.8.3). The original script cast each part to CHAR(1), which breaks on any two-digit Major, Minor or Build value (SQL Server returns '*' for an integer that does not fit the target width), so VARCHAR(10) is used instead:
-- Newest version row, formatted as Major.Minor.Build
SELECT TOP 1
CAST(Major AS VARCHAR(10))
+ '.' + CAST(Minor AS VARCHAR(10))
+ '.' + CAST(Build AS VARCHAR(10)) AS VersionName
FROM dbo.[Version]
ORDER BY VersionID DESC
Using Arrow's Test File to See If Your Site is Susceptible
The security issue that allows server-side code to be executed is triggered by uploading a file whose name contains a semicolon. The part of the name after the semicolon carries an acceptable extension, so the file appears to be an acceptable type; the part before the semicolon carries the real, unacceptable extension.
Example: test.asp;bad.jpg can be uploaded because an extension check on the .NET side (anything that looks only at the text after the last dot, as Path.GetExtension does) sees .jpg and accepts it.
This would not be a big deal, but IIS 6 uses the first half of the filename, the part before the semicolon, to decide which handler serves the file, so the request is handed to the ASP engine. This article is a pragmatic guide to addressing the issue; if you want to read more about the exploit itself, check out the resources link at the bottom of the article.
Download Sample File
To find out whether you are exposed to this issue, download the file above and try to upload the "image" file to your website. Work out where the upload was stored and browse to it. For instance, if you use the File Manager for your website, navigate to www.[MyWebsiteName].com/portals/0/test.asp;bad.jpg. If you get a JavaScript alert showing the time on the server, the ASP inside the file executed and you have some work to do, fast.
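As an added example (not code from the original article or from DotNetNuke), the Python script below shows both sides of the issue described above and the fat.txt check from the older-version section: a naive extension check of the kind that lets test.asp;bad.jpg through, a hardened check that refuses it, and a scan of an upload folder that flags semicolon names and the fat.txt marker. The hardened check goes a little beyond the article's single example and also refuses double extensions such as shell.asp.jpg, which is a conservative choice rather than a claim that IIS 6 executes them. The sample folder it builds is constructed inline so the script runs anywhere; the folder layout, the allow-list and the script-extension list are assumptions, so point scan_upload_folder at your real portals\0 folder and adjust the lists to your site.

```python
"""Checks for the IIS 6 semicolon upload issue.

Added example, not DotNetNuke or IIS code. The allow-list, the list of
script extensions and the sample folder layout are assumptions made for
illustration; adjust them for your own site.
"""
import os
import tempfile

# Extensions an upload allow-list would typically accept (assumed).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".pdf", ".txt", ".doc"}

# Extensions IIS 6 hands to a script engine by default (classic ASP,
# server-side include, ASP.NET); the part of the name before a semicolon
# is what IIS 6 uses to pick the handler.
EXECUTABLE_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx", ".idc",
                         ".shtm", ".shtml", ".stm",
                         ".aspx", ".ashx", ".asmx", ".axd"}


def naive_extension_ok(filename):
    """The check that lets the exploit through.

    Only the text after the last dot is inspected, which is how
    Path.GetExtension behaves in .NET: 'test.asp;bad.jpg' -> '.jpg'.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def hardened_upload_name_ok(filename):
    """Reject any name IIS 6 could end up serving as script.

    Refuses path separators, semicolons and NUL bytes outright, requires
    the final extension to be on the allow-list, and also refuses inner
    segments that are script extensions ('shell.asp.jpg').
    """
    if not filename:
        return False
    if "/" in filename or "\\" in filename:
        return False            # path components are never acceptable
    if ";" in filename or "\x00" in filename:
        return False            # the semicolon and NUL tricks
    name, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    for segment in name.split(".")[1:]:
        if "." + segment.lower() in EXECUTABLE_EXTENSIONS:
            return False        # double extension such as shell.asp.jpg
    return True


def scan_upload_folder(folder):
    """Walk an upload folder and return (relative path, reason) pairs.

    Flags semicolon names, the fat.txt marker the article associates with
    the older DotNetNuke exploit, and anything the hardened check refuses.
    """
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), folder)
            if ";" in name:
                served_as = name.split(";")[0]
                findings.append(
                    (rel, f"semicolon in name; IIS 6 picks the handler from '{served_as}'"))
            elif name.lower() == "fat.txt":
                findings.append((rel, "known marker file from the older DotNetNuke exploit"))
            elif not hardened_upload_name_ok(name):
                findings.append((rel, "name fails the hardened upload check"))
    return sorted(findings)


def build_sample_folder():
    """Constructed sample 'portals/0' tree (not real data) for a dry run."""
    folder = tempfile.mkdtemp(prefix="portals0_")
    os.makedirs(os.path.join(folder, "Images"))
    for rel in ("logo.jpg", "Images/avatar.png", "fat.txt",
                "test.asp;bad.jpg", "Images/shell.asp.jpg"):
        with open(os.path.join(folder, rel), "w") as fh:
            fh.write("sample\n")
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    print(f"naive check accepts test.asp;bad.jpg: {naive_extension_ok('test.asp;bad.jpg')}")
    print(f"hardened check accepts it: {hardened_upload_name_ok('test.asp;bad.jpg')}")
    for path, reason in scan_upload_folder(sample):
        print(f"{path}: {reason}")
```

Run it with no arguments for the dry run against the constructed folder; for a real check, call scan_upload_folder on your site's portals\0 directory and review every line it prints. A semicolon in a stored filename is never legitimate user content and is worth treating as an incident rather than a false positive.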
Server Administration Options
Option 1: Disable the ASP Web Service Extension
The easiest way to address the issue is to prohibit the Active Server Pages Web Service Extension in IIS, which stops IIS 6 from running classic ASP for every website on the server. To do this, log into your server through Remote Desktop and open Internet Information Services (IIS) Manager from Control Panel > Administrative Tools.

- Select Web Service Extensions.
- Check to see if Active Server Pages is allowed.
- With Active Server Pages selected, click the Prohibit button to disable ASP.
- Run 'IISRESET' from the command prompt to apply the changes and restart all websites, then request the test file again to confirm it is no longer executed.
Option 2: Disable Execute for Folders that Allow User Uploads
If you cannot prohibit the ASP Web Service Extension because other websites or applications on the server need it, the alternative, which takes a little more work, is to evaluate your application's points of exposure and make sure every folder that accepts user uploads has Execute permissions disabled.

- Select the Web Site you want to edit from the list of websites.
- Right-click the folder in which users are allowed to upload files and select Properties.
- On the Directory tab, change Execute permissions to None. Repeat for every upload folder, then request the test file again to confirm it is no longer executed.
Resources and Further Reading