Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Telerik UI for ASP.NET AJAX RadAsyncUpload Enabled #308

Closed
adamcaudill opened this issue Dec 18, 2019 · 0 comments · Fixed by #309
Closed

Telerik UI for ASP.NET AJAX RadAsyncUpload Enabled #308

adamcaudill opened this issue Dec 18, 2019 · 0 comments · Fixed by #309
Assignees
Milestone

Comments

@adamcaudill
Copy link
Owner

@adamcaudill adamcaudill commented Dec 18, 2019

A new flaw has been found in Telerik UI for ASP.NET AJAX (CVE-2019-18935), which can allow for RCE. Due to the fact that there doesn't appear to be possible to reliably determine the version of the software being used, it's not possible to determine if it is vulnerable.

We can however, tell if the key feature is enabled, by sending a get to /Telerik.Web.UI.WebResource.axd?type=rau and looking for the following:

{ "message" : "RadAsyncUpload handler is registered succesfully, however, it may not be accessed directly." }

The other option would be to build out a full exploit, but that could be too complex / slow to be reasonable. We will take the approach that we should warn if this is found at all, and let the user dig into it manually (we can save time by pointing it out, but we can't do everything for them.)

@adamcaudill adamcaudill added this to the v0.11 milestone Dec 18, 2019
@adamcaudill adamcaudill self-assigned this Dec 18, 2019
adamcaudill added a commit that referenced this issue Dec 18, 2019
Fixes #308
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

1 participant
You can’t perform that action at this time.