Latest Updates
DNN Security Advisory : Rogue Host Accounts
Posted by DNN4Less Support Engineer Jessie on 26 May 2016 02:29 PM


It has come to our attention that a vulnerability recognized by DNN Software in early 2015 has resurfaced and can be exploited again by a new mechanism. This will require action to be taken by DNN administrators to prevent unauthorized access to your DNN site.  Click here to view the DNN Software article from 2015.

The vulnerability can allow an attacker to:

> Create a New Host Account

> Update Host records and tables

> Clear SMTP Settings

> Upgrade or alter installed modules


Who is Affected?

Any DNN site that is running any version of DNN Platform or Evoq.


What can I do to prevent this from happening to my DNN site?

1. To prevent this vulnerability from being exploited on your DNN installation delete the following 11 files:













2. Go to Host > Host Settings > Other Settings and, under Allowable File Extensions, ensure that the .aspx extension is not uploadable.

3. Review your superusers at Host > SuperUser Account and remove any unauthorized users.

4. Search the root and subfolders for any suspicious .aspx or .php files.  Make sure not to delete any files that may be required for DNN to run properly.


I host my site with DNN4Less, do I need to worry about anything?

Our dedicated technicians have gone through all DNN Installations that we host and have ensured the 6 files have been deleted from the /Install folder which should prevent the sites from being exploited.  We recommend checking steps 2-4 on your installations.


DNN Corp has released Evoq 8.4.2 and DNN Platform 8.0.3 to further mitigate the issue.  Please contact support at if you would like your site upgraded to the latest version.


Thank You

DNN4less Support team






DNN 8.0 Released
Posted by DNN4Less Support Engineer Jessie on 22 January 2016 11:02 AM

DotNetNuke 8.0.0 was released on January 14th and will be installed for you with any of your hosting plans.  If you would like to upgrade from your current version, just let us know and our experienced technicians will take care of that for you.


New In DNN 8.0

Content Personalization

Page-Level Content Analytics

Centralized Access to Content Repositories

Flexible Content Layouts


You can see more features of the new version on the DNNCorp site Click Here


DNN4less always stays up to date with the latest versions.  Get started today with one of our plans for as little as $8.33/mo.  


DNN 7.4.2 to release soon and DNN 8.0 in August
Posted by DNN4Less Support Engineer Jessie on 30 July 2015 04:21 PM

DNN4less prides itself on keeping up with the latest versions of DNN that are released by DNN Corp.  Version 7.4.2 is a stabilization release and is due to release any day.  Version 8.0 is slotted to release in August and adds many new and exciting features.


New In DNN 8.0

Content Personalization

Page-Level Content Analytics

Centralized Access to Content Repositories

Flexible Content Layouts


You can check out more on DNN/EVOQ 8 on the DNNCorp site Click Here


Rest assured that when you sign up for hosting with DNN4less you will be getting the latest version with all of the latest features.  Get started today for as little as $8.33/mo Click Here


See you at DNNCon 2014
Posted by DNN4Less Support on 05 November 2014 10:46 AM



DNN4less is a Platinum Sponsor at DNNCon this year and we are looking forward to meeting each and every one of you.  Please stop by our booth and visit with one of our knowledgeable technicians.


DNNCon is a free one-day event that promotes DNN user knowledge on a number of topics.  The day includes sessions for developers, designers, marketers, business owners, and system implementers.  Come check it out and meet connections in the DNN community, and don't forget to have a little fun.  Hope to see you there.


For more information please visit .

DNNCon 2014

West Palm Beach, FL

November 7th and 8th



What is Heartbleed and Why Does it Matter to Me?
Posted by Team DNN on 10 April 2014 02:37 PM

I’m sure many of the people reading this blog post have heard about the recent exploit released Monday, labeled CVE-2014-0160 and better known to the Internet as Heartbleed.

Heartbleed is an exploit against OpenSSL versions 1.0.1 through 1.0.1f that allows an attacker to pull arbitrary data out of a server’s memory. OpenSSL 1.0.1 introduced a feature named heartbeat, which allows a client to send a string of up to 65KB of data to a server; the server sends the same data back as a heartbeat to make sure the handshake is alive. The problem with how heartbeat was implemented was that OpenSSL did not verify that the requested length matched the length of the data actually provided. This means that an attacker can send a server a heartbeat 1 byte long while stating that it is 65KB, and retrieve the next 66559 bytes of data after that 1 byte in memory. Because of how servers function, this data can be anything, so a lot of data has been leaked over this week.

Before I go any further, I want to state that we have checked all of DNN4Less’s internal servers against the exploit once announced and, due to the version of OpenSSL we were running at the time, our servers were not susceptible to the attack, so no data was leaked from our service due to this exploit.
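The missing length check described above, shown next to the corrected check, as an added example (not OpenSSL's code and not part of the original post). The message layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the `arena` buffer, its contents and the function names are constructed for illustration, and the over-read is kept inside `arena` so the demo stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3        /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PAD 16   /* minimum padding required by RFC 6520 */

/* Constructed stand-in for process memory: the received record sits at the
 * start, and stale data from an earlier request follows it. */
static uint8_t arena[64];

/* Place a heartbeat request of rec_len bytes at the start of the arena. */
static void load_record(const uint8_t *rec, size_t rec_len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, rec, rec_len);
    memcpy(arena + rec_len, "user=alice;pw=hunter2", 21); /* constructed stale data */
}

/* Pre-fix behaviour: trusts the length field carried inside the message. */
static size_t respond_unchecked(size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (claimed > out_cap || HB_HDR + claimed > sizeof arena)
        return 0;                                /* keeps this demo inside the arena */
    memcpy(out, arena + HB_HDR, claimed);
    return claimed;
}

/* Fixed behaviour: compare the claimed length with the bytes actually received. */
static size_t respond_checked(size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_MIN_PAD)
        return 0;                                /* too short to be a valid message */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len || claimed > out_cap)
        return 0;                                /* silently discard */
    memcpy(out, arena + HB_HDR, claimed);
    return claimed;
}

int main(void) {
    const uint8_t evil[] = { 0x01, 0x00, 0x14, 'A' }; /* 1 byte sent, 20 claimed */
    uint8_t out[64];
    load_record(evil, sizeof evil);
    size_t n = respond_unchecked(sizeof evil, out, sizeof out);
    printf("unchecked: %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("checked:   %zu bytes\n", respond_checked(sizeof evil, out, sizeof out));
    return 0;
}
```

The unchecked responder echoes the single payload byte followed by 19 bytes of the neighbouring stale data; the checked responder drops the same request and still answers a well-formed one.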


So, going back to what this does: let’s first look at a command on Linux named “free,” which outputs the memory usage on a server:

$ free -m

  total used free shared buffers cached
-/+ buffers/cache:  





This is the output of my virtual machine in megabytes, which, granted, is pretty small, but the important part is the columns. “Total” is the total amount of memory and swap my machine has, “used” is what is currently allocated to processes, “free” is unused memory that can be allocated, “shared” is memory shared across processes (but to my understanding is not used anymore), “buffers” is data that is stored for a process temporarily, and “cached” is memory that was once used by a process but was released back to the pool with the data from the process stored.


The important takeaway from Heartbleed and this command is the cached column. As a server is actually used, you will see free memory drop to minimal numbers, sometimes even 128MB, while cached might be upwards of 16GB. That’s 16GB of released data that can be reallocated however it was once used; data thrown away that could potentially be used by the application again, which would speed it up on the second run. The problem with Heartbleed is this: when I send a packet that pulls just under 65KB of data, where does it come from on a heavily utilized system? It comes from cached, as that is where the system will first allocate memory to my request. This means that I pulled just under 65KB of data from any random process that gave the memory back to the pool.


This 65KB of data can be anything on a server. While I personally have only tested the exploit internally against a lab environment, there have been reports of users able to obtain logins and passwords to websites in plaintext, session IDs, and other various hacks. This exploit is so large and encompassing that not even the big names were safe from it. If you wish to protect yourself against this attack, there are quite a few things you can do. Your line of action, regardless of whether a site was susceptible, would be to first refresh your sessions on any site by logging out and, once logged back in, reset every single one of your passwords. Before you do this, you should test the site to make sure that it is not exploitable by Heartbleed. You can run a test from Qualys SSL Labs, which has the ability to check a domain for the exploit. Once the test completes, you will see an alert at the top that states whether it is exploitable or not. If the site is exploitable, it is highly recommended that you do not log back into the site until the exploit is patched. Once it is patched, you can resume changing your logins.


If you operate a server that you find exploitable, the repercussions are a little more drastic and action needs to be taken. First you must update OpenSSL to 1.0.1g and restart any service using OpenSSL. If you are unsure of which services to restart, a server reboot would be the best approach. Once patched, any SSL certificate on your server needs to be revoked and replaced. Due to the nature of cached memory, it is uncertain if the data leaked to a potential hacker contains your private key. After revoking and replacing your certificate, you need to clear out any open sessions on your sites to force everyone to re-authenticate, thus mitigating any leaked session data. Unfortunately, due to the nature of cache, it is uncertain how much user data is leaked, so it is best to request that all users of your application reset their password, or to force a reset. If you are a client of DNN4Less and wish to have testing done or need assistance with fixing Heartbleed, feel free to contact our support team, which will assist you.

