s
Contact Login Register
h M

DNN Security Leak Bypassing Dynamic Registration

We found a workaround for this!

Author: Anonym/Thursday, May 22, 2014/Categories: In The Flow

Rate this article:
3.0
We've come across a situation that we want to share with you.  Several customers using Dynamic Registration were finding that people were able to bypass this and somehow get to the standard DNN registration without the extended fields.  Apparently, this was done by simply adding "?ctl=register" to the URL.  Here's a workaround that was helpful to one of our clients (thanks, Bob!). 


If you are using IIS 7, you can turn on the request filtering and add the following code in web.config.

GO to Host / Configuration Manager:

Locate the <system.webServer> section of the web.config and paste in the following near the end, MAKE SURE YOU MAKE A COPY OF YOUR WEB.CONFIG CONTENTS LIKE INTO A NOTEPAD OR SOMETHING AND DO IT FROM THE NOTEPAD AND COPY / PASTE EVERYTHING BACK. ALSO MAKE SURE YOU HAVE A COPY OF THE WEB.CONFIG FILE (MAKE A COPY OF IT ON YOUR SERVER).

<security>

        <requestFiltering>

            <denyQueryStringSequences>

                <add sequence="ctl" />

            </denyQueryStringSequences>

        </requestFiltering>

</security>

-----------------------------------------------------------------------------------------------------

 

SOMETHING LIKE THIS:

 

<!-- The system.webServer section is required for IIS7 compatability It is ignored by IIS6-->

  <system.webServer>

    <modules runAllManagedModulesForAllRequests="true">

      <!--add name="RequestFilter" type="DotNetNuke.HttpModules.RequestFilter.RequestFilterModule, DotNetNuke.HttpModules" preCondition="managedHandler" /-->

      <add name="UrlRewrite" type="iFinity.DNN.Modules.UrlMaster.UrlRewriteModule, iFinity.UrlMaster.FriendlyUrlProvider" preCondition="managedHandler" />

      <!--add name="UrlRewrite" type="DotNetNuke.HttpModules.UrlRewriteModule, DotNetNuke.HttpModules" preCondition="managedHandler" /-->

      <add name="MobileRedirect" type="DotNetNuke.HttpModules.MobileRedirectModule, DotNetNuke.HttpModules" preCondition="managedHandler" />

      <add name="Exception" type="DotNetNuke.HttpModules.Exceptions.ExceptionModule, DotNetNuke.HttpModules" preCondition="managedHandler" />

      <add name="UsersOnline" type="DotNetNuke.HttpModules.UsersOnline.UsersOnlineModule, DotNetNuke.HttpModules" preCondition="managedHandler" />

      <add name="DNNMembership" type="DotNetNuke.HttpModules.Membership.MembershipModule, DotNetNuke.HttpModules" preCondition="managedHandler" />

      <add name="Personalization" type="DotNetNuke.HttpModules.Personalization.PersonalizationModule, DotNetNuke.HttpModules" preCondition="managedHandler" />

      <add name="Analytics" type="DotNetNuke.HttpModules.Analytics.AnalyticsModule, DotNetNuke.HttpModules" preCondition="managedHandler" />

      <add name="Services" type="DotNetNuke.HttpModules.Services.ServicesModule, DotNetNuke.HttpModules" />

      <remove name="UrlRoutingModule-4.0" />

      <add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" />

      <add name="RadUploadModule" type="Telerik.Web.UI.RadUploadHttpModule, Telerik.Web.UI" preCondition="managedHandler" />

      <add name="Detector" type="FiftyOne.Foundation.Mobile.Detection.DetectorModule, FiftyOne.Foundation" preCondition="managedHandler" />

      <add name="ClientDependencyModule" type="ClientDependency.Core.Module.ClientDependencyModule, ClientDependency.Core" />

    </modules>

    <handlers>

      <remove name="WebServiceHandlerFactory-Integrated" />

      <add name="LogoffHandler*" path="Logoff.aspx" verb="*" type="DotNetNuke.Services.Authentication.LogOffHandler, DotNetNuke" preCondition="integratedMode" />

      <add name="RSSHandler" path="RSS.aspx" verb="*" type="DotNetNuke.Services.Syndication.RssHandler, DotNetNuke" preCondition="integratedMode" />

      <add name="LinkClickHandler" path="LinkClick.aspx" verb="*" type="DotNetNuke.Services.FileSystem.FileServerHandler, DotNetNuke" preCondition="integratedMode" />

      <add name="CaptchaHandler" path="*.captcha.aspx" verb="*" type="DotNetNuke.UI.WebControls.CaptchaHandler, DotNetNuke" preCondition="integratedMode" />

      <add name="UserProfilePageHandler" path="User.aspx" verb="*" type="DotNetNuke.Services.UserProfile.UserProfilePageHandler, DotNetNuke" preCondition="integratedMode" />

      <add name="RadProgressHandler" verb="*" path="Telerik.RadUploadProgressHandler.ashx" type="Telerik.Web.UI.Upload.RadUploadProgressHandler, Telerik.Web.UI" preCondition="integratedMode" />

      <add name="UserProfilePicHandler" path="ProfilePic.ashx" verb="*" type="DotNetNuke.Services.UserProfile.UserProfilePicHandler, DotNetNuke" preCondition="integratedMode" />

      <remove name="ExtensionlessUrl-Integrated-4.0" />

      <add name="ExtensionlessUrl-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />

      <add name="SitemapHandler" path="Sitemap.aspx" verb="*" type="DotNetNuke.Services.Sitemap.SitemapHandler, DotNetNuke" preCondition="integratedMode" />

      <add name="Telerik.Web.UI.WebResource" verb="*" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource, Telerik.Web.UI" preCondition="integratedMode" />

      <add name="Telerik.Web.UI.ChartHttpHandler" verb="*" path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler, Telerik.Web.UI, Culture=neutral, PublicKeyToken=121fae78165ba3d4" />

      <add name="LanapCaptcha" verb="*" path="LanapCaptcha.aspx" type="Lanap.BotDetect.CaptchaHandler, Lanap.BotDetect" />

      <add name="SitemapHandler1" verb="*" path="DataSpringsSiteMap.axd" type="iFinity.DNN.Modules.GoogleSiteMap.GoogleSiteMapHandler, iFinity.DNN.GoogleSiteMapProvider" preCondition="integratedMode,runtimeVersionv4.0" />

      <add name="HtmTemplateFileHandler" verb="*" path="*.htmtemplate" type="DotNetNuke.Providers.RadEditorProvider.HtmTemplateFileHandler, DotNetNuke.RadEditorProvider" preCondition="integratedMode" />

      <add name="ClientDependencyHandler" verb="*" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core" preCondition="integratedMode" />

      <remove name="BotDetectCaptchaHandler" />

      <add name="BotDetectCaptchaHandler" preCondition="integratedMode" verb="GET" path="BotDetectCaptcha.ashx" type="BotDetect.Web.CaptchaHandler, BotDetect" />

    </handlers>

    <validation validateIntegratedModeConfiguration="false" />

    <security>

      <requestFiltering>

        <denyQueryStringSequences>

          <add sequence="ctl" />

        </denyQueryStringSequences>

      </requestFiltering>

    </security>

  </system.webServer>

 

 

 

 

 

 
This will deny the querystring "?ctl=register"

Just note that this solution will also likely stop features such as "?ctl=Login" and others.

Thanks!


Number of views (229226)/Comments (-)

Tags:
blog comments powered by Disqus

Enter your email below AND grab your spot in our big giveaway!

The winner will receive the entire Data Springs Collection 7.0 - Designed to get your website up and running like a DNN superhero (spandex not included).

Subscribe