DNN Blog
Posted by: Shaun Walker on 5/21/2008
Since the DotNetNuke application was originally released, we have been committed to providing a highly secure web platform to the Microsoft community. Security on the web is a challenging area and we have gone to great lengths over the past 5 years to ensure the integrity of the application. We are certainly not perfect; therefore, we have (regrettably) dealt with a number of security issues over the years. In each case, we were able to solve the problem and issue a patch release which offered the necessary level of protection to the community. There is a tough balancing act between disclosing too much and too little information, and we have relied on the process established by some of the industry giants in terms of dealing with these types of issues.
In 2006, we worked with Microsoft to establish an official Security Policy for the DotNetNuke project:
http://www.dotnetnuke.com/News/SecurityBulletins/SecurityPolicy/tabid/940/Default.aspx
The purpose of the Security Policy was to provide clear guidance on how we deal with security issues in the DotNetNuke project. This includes instructions on how security details should be confidentially reported to us (security@dotnetnuke.com) as well as information on how we notify the community of security issues, an explanation of severity levels, and our policy regarding detailed disclosure. Our security lead, Cathal Connelly, was instrumental in creating the policy and ensuring its long term execution.
Since the establishment of the Security Policy, we have dealt with a number of security issues of varying levels of severity. In order to do this properly, it takes time and focused effort. Typically this means dropping all other activities while we verify the existence of a problem and work towards a complete solution. Here I think it's important for people to realize that it is not a trivial amount of effort. Generally, once a security vulnerability has been validated and the risk level is known, we must develop a solution which addresses the problem, thoroughly test the solution, package a new release, test the release, formulate a plan for the distribution, create the security bulletin, and write the security notification. The responsibility for the tasks outlined above is shared between a number of different resources on our team, and their other project duties are usually somewhat compromised for a period of time. Regardless, the process we follow is thorough and is completely consistent with the way that any professional organization deals with security matters.
One of the benefits of having a large, passionate open source community is that people are generally willing to cooperate with us when it comes to matters pertaining to security. This is especially true for people who are committed to the platform and want to ensure its continued growth and prosperity. Most security issues are discovered by community members who are actively pushing the limits of the framework and are more than willing to contribute their findings back to the core for the benefit of the entire community. We have also successfully dealt with a number of "white hat" professional security organizations in the past. In these cases, the "white hats" are paid by clients to perform a thorough security analysis on a particular application. Generally, these organizations are willing to share their results with us in exchange for some minimal recognition (which helps promote their business). We have also had to deal with "black hats" (i.e. hackers) on a few occasions. This is the most difficult security issue to contend with because there is no cooperation. Nonetheless, we have dealt with each incident successfully and the reputation of DotNetNuke as a secure platform has been maintained.
Late last week, we were notified of a security vulnerability which allowed an unauthorized user to upload a file into a DotNetNuke site. Attempting to contact the person who performed the exploit proved futile, so we spent considerable time over the weekend attempting to isolate the source of the vulnerability. As we worked the problem from our side, a number of emails came in to the security@dotnetnuke.com alias from community members who were further along in the analysis and were eager to share their findings with us. These community members represent a variety of stakeholder groups including user group leaders, government organizations, and even the U.S. Military. It turned out that the problem was not as severe as anticipated, as only files with "safe" extensions could be uploaded to the server. We are actively working on a solution which will likely involve a 4.8.3 general release.
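The control described above (an upload path reachable by an unauthorized user, with an extension allowlist as the remaining line of defence) as an added example, not DotNetNuke's own code: it assumes a hypothetical `check_upload` entry point and a constructed allowlist, and it checks the caller's authorization before it ever examines the filename, so the allowlist acts as a second layer rather than the only one.

```python
"""Upload gate: authorization first, then an extension allowlist.

Added example, not DotNetNuke code. The entry point `check_upload`, the
`normalize_extension` helper and the allowlist below are assumptions made
for illustration.
"""
import posixpath

# Constructed allowlist of "safe" upload extensions. In a real deployment
# this is a configuration value, not a literal in code.
SAFE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "txt", "pdf"})


def normalize_extension(filename: str) -> str:
    """Return the lowercase final extension of a filename.

    Directory components (either separator style) are discarded, trailing
    dots and spaces are stripped so "notes.txt." is treated as "txt", and a
    name with no dot yields "". Only the final extension is considered, since
    that is what the web server uses to pick a handler.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    name = name.rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def check_upload(is_authenticated: bool, has_upload_permission: bool,
                 filename: str, allowed=SAFE_EXTENSIONS) -> str:
    """Return "ok" or a rejection reason suitable for an audit log.

    The identity and permission checks run before the filename is inspected,
    so an anonymous caller is refused regardless of what they try to upload;
    the allowlist then limits what an authorized caller may store.
    """
    if not is_authenticated:
        return "rejected: anonymous upload"
    if not has_upload_permission:
        return "rejected: user lacks upload permission"
    ext = normalize_extension(filename)
    if not ext:
        return "rejected: no extension"
    if ext not in allowed:
        return f"rejected: extension '{ext}' not in allowlist"
    return "ok"


def triage(attempts):
    """Run a batch of (authenticated, permitted, filename) tuples through the
    gate and return (filename, decision) pairs, e.g. for a log review."""
    return [(name, check_upload(auth, perm, name)) for auth, perm, name in attempts]


if __name__ == "__main__":
    # Constructed sample attempts: an anonymous caller, an authenticated
    # caller without the upload right, and an authorized caller with
    # several filenames.
    sample = [
        (False, False, "photo.jpg"),
        (True, False, "photo.jpg"),
        (True, True, "page.aspx"),
        (True, True, "photo.JPG"),
        (True, True, "notes.txt."),
        (True, True, "README"),
    ]
    for name, decision in triage(sample):
        print(f"{name:12} -> {decision}")
```

Each rejection carries its reason so that a burst of "anonymous upload" rejections in the log stands out as an attempt against the authorization check rather than as ordinary users picking the wrong file type.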
Why a general release? Well, the main reason is that once you start deploying patches, there is no guarantee that the patch does not affect other areas of the system in an adverse manner. Since DotNetNuke is a mission critical application, users must have 100% confidence that the software they are running is rock solid. As a result, we provide full releases to ensure that the security fix is fully integrated with the rest of the framework and adequately tested. In addition, patches have a tendency to get distributed around the web, and it is critical that users of the DotNetNuke platform have assurance that the code they are running has not been tampered with. By supplying full releases, we make it easier for users to have confidence that the package came from a reliable source.
Late last night, a security issue was published by a third party hosting provider. Since the hosting provider (a familiar member of the DotNetNuke ecosystem) did not follow the standard security policy, we have not been able to verify the security vulnerability claims yet. After numerous requests for the hosting company to provide us with the details of the exploit, we are still waiting for a response (ironically, we have received more cooperation from 'hackers' in the past than we are getting from this hosting provider). It appears that the hosting company is actually using the exploit as a competitive advantage so that they can charge people a fee for a solution. Clearly this violates every professional, ethical, and moral value which the DotNetNuke community has been built upon. Unfortunately, we cannot dictate how vendors in our ecosystem choose to conduct business. Therefore, we can only rely on the community to pass judgement on who is being a good citizen and who is not. Once we are able to obtain more information about this issue, I will provide a status update.
14 comment(s) so far...
Re: DotNetNuke Security Notice
Shaun,
I appreciate the hard work you put into the file upload issue! I didn't realize that it was that hard for you to get additional information on the re-creation steps.
By mitchel.sellers@gmail.com on
5/21/2008
Re: DotNetNuke Security Notice
The hosting provider that failed to report the security issue has handled this situation in a very unprofessional manner :(
By adlferry on
5/21/2008
Re: DotNetNuke Security Notice
Check out http://www.cert.org/vuls/ . This is a well tested process for handling vulnerability reports. Although not a perfect fit, the CERT vulnerability remediation process would apply.
I think the missing pieces in this particular incident were the coordination and disclosure processes. I don’t know exactly what was communicated but it appears little if any information was communicated to the DNN security alias yet the public was informed.
Your security policy is pretty well defined. You might add more detail to your security policy in terms of what not to do. E.g. the submitter of the vulnerability should not communicate vulnerabilities to the public before a known fix is available. You do make a statement about the DNN security team following this practice but a recommendation to the submitter of the issue would probably make sense.
The fact that the provider chose to communicate this issue publicly, offered a tool to detect, and then tied a revenue generating component to the vulnerability is making me rethink my webhosting options. I use PowerDNN and must say I’ve always had great service but this situation is quite concerning.
Maybe this will be a good learning opportunity for them and make them better.
By z3r0c00l on
5/22/2008
Re: DotNetNuke Security Notice
Hosting providers make their business through DNN every day. Supporting the community through cooperation on security issues is to be considered an investment for them. Instead, this violation of security policies sounds just like a way to make quick money, but could result in great damage to the hosting provider's reputation. I wonder if a business plan was made before taking this decision.
By gnogna82 on
5/22/2008
Re: DotNetNuke Security Notice
Hello Shaun, thank you for the update and the extra information regarding the hosting provider. Do you have an ETA for when 4.8.3 will be released to the public?
By n3bu1a on
5/22/2008
Re: DotNetNuke Security Notice
Talk about a fast way to self destruct. With DNN's portability to a new host in about, oh, 10 mins, I wouldn't be "pushing" my users around. I already have a good idea who the host is, only because I have dealt with just about every host known, and so far only one has tried to hit me up for additional fee items for my DNN install. All the others have a "what can we do to help you" mentality.
It's a shame; hope they learn the hard way.
To date DNN have been the tightest and most secure open source option I have ever used. Even when a security leak is presented its usually known, fixed, and released before half the community even knows it exists. Shaun you and your team do an excellent job and I give you thanks.
By keeperofstars on
5/22/2008
Re: DotNetNuke Security Notice
So why not just identify the hosting provider against whom the allegations have been raised? It will afford them the public opportunity to change their behavior and/or explain and defend themselves.
By ctaswell on
5/22/2008
Re: DotNetNuke Security Notice
Hear, hear. Name names!
By colonelangus on
5/22/2008
Re: DotNetNuke Security Notice
I am not out to put anyone out of business, but I will say that powerdnn has been either dishonest (or just got it wrong) with myself & my coworkers a few times to try to get more money out of us.
To give you only one example, very recently when we had an issue with our dedicated server that we lease from them, they told us our server had been hacked & tried to scare us into an expensive data backup plan (the issue was only a bad uninstall of some software that we were having an issue with & needed to reinstall & reboot - it never rebooted & that's when we were told we were hacked - we had told powerdnn what had happened when we asked them to look into it).
Another time we had the remote desktop suddenly stop working on us & they charged us an additional $90 to send a tech out to the data center to re-enable remote desktop (yes, tick a box - we are still not sure how that box became unticked?). We gave them permission to do that, but were not very happy when we found out that they already had a hidden version of VNC (deleted all start menu links to it) on our server. We checked the creation date of VNC & it was installed when they set up the server. To make things worse powerdnn tried to hide this by deleting all our server logs so we could not see that they logged on remotely using VNC to fix the issue.
We could tell you more stories, but like I said - we don't want to put anyone out of business. We wish them best of luck, but we cannot do business with dishonest money hungry people.
We have decided that leasing another server with another provider is a better option for us & the boss is going to organize this when he gets back from his holiday.
By adlferry on
5/22/2008
Re: DotNetNuke Security Notice
@z3r0c00l
"Maybe this will be a good learning opportunity for them and make them better"
It's disappointing to see that they refused to take any actions.
By AliCommerce on
5/22/2008
Re: DotNetNuke Security Notice
@AliCommerce I agree. It’s too bad. I’ve been hosting with them for quite a while now and have begun to think of other options. My hope is that they will internalize this and learn, although I get the impression that they do not understand what they did wrong which is what worries me most.
By z3r0c00l on
5/22/2008
Re: DotNetNuke Security Notice
I am currently hosting with them too. I have asked them to help on a different site not hosted on their servers. They fixed the issue free of charge by deleting the installer which they claim contains a critical security vulnerability.
I thought that was courteous, but agree that they should have used the prescribed channels for security issues.
Meanwhile the link to their security wizard has been taken down...
By borki on
6/12/2008
Re: DotNetNuke Security Notice
Now that a name has been named, and those of us who read this blog can decide for ourselves what to do or not to do, the question remains how to
By ctaswell on
6/12/2008
Re: DotNetNuke Security Notice
This is a timely topic. We are considering changing DNN hosting providers and would like to go with one who is very service oriented, can help out with DNN specific issues and offers dedicated servers - and has a high degree of integrity and regard for their customers. Any suggestions?
By CRMNuke on
6/12/2008