DNN Security tips September 20, 2007

Posted by fofo in DNN Security.

Many people who build their portals on a version of DotNetNuke need to find ways to protect those portals from hackers and malicious users.

  1. Secure data from unauthorised users

This can be achieved by setting the appropriate permissions for every user. We can choose which pages we want certain people to see; only those who have registered can look at the “forthcoming events” page, for example.

  2. Prevent Hacking

  • Social hacking

Kevin Mitnick used to call a company, pretending that he was a former employee, and ask for some information.

Many times he managed to get people to give him usernames and passwords.

DNN cannot do anything about administrators or registered users of the portal who give out their sensitive data. You can only alert them to the dangers of social hacking.

  • Brute Force Hacking

This is also called dictionary hacking. What happens is that a hacker uses a program that tries to get into a site using a known username; the passwords it tries come from a dictionary of passwords. The best way to protect yourself is to have a policy in place that enforces a complicated password. Also, always remember to change the host and admin usernames and their respective passwords. The way to change the admin user is this:

  • log in as host
  • add a new user who has an administrator role
  • log in with the new admin info
  • delete the original admin user

  • Application Profiling

This means that certain people can navigate to your site or portal and straight away realise they are browsing a DNN site.

Then they can do certain things. They can guess that you were probably too lazy to change the admin username and that the admin password is probably still dnnadmin. There are some ways to hide the obvious signs that your site is built on the DNN platform:

  1. Change the title bar
  2. Eliminate the source code comments
  3. Turn off the copyright message in the footer of the page

  • SQL Injection

In a portal where SQL queries are used, a hacker can insert into or alter an existing database query. This is done by using quotes to break out of a SELECT statement.

An example: when someone logs in, the query that is executed is “SELECT * FROM logintable WHERE username='admin' AND password='password'”.

A hacker can inject a quote and comment characters to create a new SQL statement.

DNN uses stored procedures for all database access. This greatly reduces the possibility of hacking using SQL injection techniques.
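The concatenated login query described above beside the parameterised form that stored procedures give you, as an added example that is not part of the original post and not DNN's own code; it uses an in-memory SQLite table with one constructed admin row, and the table layout and function names are assumptions:

```python
import sqlite3


def make_db():
    """Constructed in-memory login table standing in for a portal's user store.
    The password is stored in plain text only to keep the illustration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logintable (username TEXT, password TEXT)")
    conn.execute("INSERT INTO logintable VALUES ('admin', 'dnnadmin')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the statement text is built by string concatenation,
    so a quote in the input ends the literal and the rest is parsed as SQL.
    Returns True if any row matched, i.e. the login would be accepted."""
    sql = ("SELECT * FROM logintable WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Hardened form: the statement is fixed and the inputs travel as
    parameters, which is what a stored procedure or any parameterised call
    buys you. A quote in the input is just a character in the data."""
    sql = "SELECT * FROM logintable WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials succeed either way.
    print("concat, good creds:", login_concat(db, "admin", "dnnadmin"))
    print("param,  good creds:", login_param(db, "admin", "dnnadmin"))
    # A quote plus a comment marker in the username turns the password check
    # into a comment in the concatenated form; the parameterised form still
    # compares the whole string as data and rejects it.
    crafted = "admin'--"
    print("concat, crafted:", login_concat(db, crafted, "wrong"))
    print("param,  crafted:", login_param(db, crafted, "wrong"))
```

Run it and compare the last two lines: the concatenated query accepts the crafted username with a wrong password, the parameterised one does not.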