RadScriptManager XSS Issue

6 posts, 0 answers
  1. Kalyan
    1 post
    Member since: Mar 2009

    Posted 15 Oct 2009 Link to this post

    Hi,

    During penetration testing of our application, a critical issue was identified. It relates to the RadScriptManager used on some pages: RadScriptManager uses a HIDDENFIELD for all its Ajax callbacks, and this has been identified as a potential Cross Site Scripting issue.

    Can someone suggest how we can overcome this issue?

    Here is the sample.

    Attack Request:
    POST /Test/Pages/SelectSSRSReports.aspx HTTP/1.1
    Accept: */*
    Accept-Language: en-gb
    Referer: https://yahooi.co.uk/Test/Pages/SelectSSRSReports.aspx
    x-microsoftajax: Delta=true
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Host: yahooi
    Content-Length: 84361
    Pragma: no-cache
    Memo: 16:Auditor.SendAsyncronousRequest:Attack(CID:(null):AS:2,EID:1354e211-9d7d-4cc1-80e6-4de3fd128002,ST:AuditAttack,AT:PostSubParamInjection,APD:ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_RadScriptManager1_HiddenField,I:(1,2),R:False,SM:2,SID:6D5FE98086FFBD5B9C4EAC6B578D3355,PSID:805159012103CD6481F73713588F96DC)
    Connection: Keep-Alive
    Cookie: ASP.NET_SessionId=hv3lku55kgc3xrr2dwuhhovm;CustomCookie=cookie46767ZX6C1A0EE8F4EC44189A5FD7BEA43E8944YC48D; ASPSESSIONIDSQDTCBCS=AINPNDJDBBHAHLAPMDIOHALB

    ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$RadScriptManager1=ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$treReportsPanel|ctl00$ContentPlaceHolder1$SelectSSRSReportsUC$treReports
    &ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_RadScriptManager1_HiddenField=%3b%3bSystem.Web.Extensions%2c%20Version%3d1.0.61025.0%2c%20Culture%3dneutral%3csCrIpT%3ealert(46781)%3c%2fsCrIpT%3e%2c%20PublicKeyToken%3d31bf3856ad364e35%3aen-US%3a1f0f78f9-0731-4ae9-b308-56936732ccb8%3aea597d4b%3ab25378d2%3bTelerik.Web.UI%2c%20Version%3d2009.1.402.20%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d121fae78165ba3d4%3aen-US%3ab30853f2-6f9f-496e-85c8-cca8f7f2e17c%3a16e4e7cd%3a86526ba7%3af7645509%3a24ee1bba%3ae330518b%3a1e771326%3ac8618e41%3aed16cbdc%3ae524c98b%3a58366029%3aaa288e2d%3ae4f8f289
    &__EVENTTARGET=ctl00%24ContentPlaceHolder1%24SelectSSRSReportsUC%24treReports
    &__EVENTARGUMENT=%7b%22sourceNodesIndices%22%3a%5b%220%3a0%3a0%22%5d%2c%22commandName%22%3a%22NodeDropOnHtmlElement%22%2c%22htmlElementId%22%3a%22ctl00_ContentPlaceHolder1_SelectSSRSReportsUC_txtTabularReportURL%22%7d
    &__VIEWSTATE=[base64 view state omitted; truncated in the original post]

    Attack Response:
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 148
    Content-Type: text/html; charset=utf-8
    Date: Sat, 10 Oct 2009 14:56:00 GMT

    133|error|500|The name 'neutral<sCrIpT>alert(46781)</sCrIpT>' contains characters that are not valid for a Culture or Region.
    Parameter name: name|
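A defender's sketch of the two fixes this request and response call for, written as an added example for this thread and not taken from Telerik's code: it parses the descriptor layout visible in the hidden field above (assembly name, Version, Culture and PublicKeyToken, then UI culture, a GUID and resource hashes separated by colons), rejects anything outside a whitelist with a fixed message instead of echoing the value, and HTML-encodes whatever goes into a partial-postback error block. The field patterns, function names and the `length|error|status|text|` layout are assumptions drawn from the request and response shown, not from Telerik's implementation.

```python
import html
import re
from urllib.parse import unquote

# Whitelist per descriptor field. Constructed for this example, not Telerik's own rules.
FIELD_RULES = {
    "Assembly": re.compile(r"^[A-Za-z0-9_.]+$"),
    "Version": re.compile(r"^\d+(\.\d+){1,3}$"),
    "Culture": re.compile(r"^(neutral|[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*)$"),
    "PublicKeyToken": re.compile(r"^[0-9a-f]{16}$"),
}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
HASH = re.compile(r"^[0-9a-f]{8}$")

def parse_entry(entry):
    # Layout seen in the request: 'Name, Version=.., Culture=.., PublicKeyToken=..:ui-culture:guid:hash:..'
    segments = entry.split(":")
    if len(segments) < 3:
        raise ValueError("malformed script descriptor entry")
    name, *props = [p.strip() for p in segments[0].split(",")]
    fields = {"Assembly": name, "UICulture": segments[1], "Id": segments[2], "Hashes": segments[3:]}
    for prop in props:
        key, _, value = prop.partition("=")   # a property without '=' simply fails validation below
        fields[key] = value
    return fields

def validate_hidden_field(raw_form_value):
    """URL-decode and validate the RadScriptManager hidden field. Every rejection
    raises a fixed message that never contains the rejected text, so an error
    response built from that message cannot reflect attacker input."""
    entries = [e for e in unquote(raw_form_value).split(";") if e]
    if not entries:
        raise ValueError("empty script descriptor")
    parsed = []
    for entry in entries:
        fields = parse_entry(entry)
        for key, rule in FIELD_RULES.items():
            if not rule.match(fields.get(key, "")):
                raise ValueError("invalid %s in script descriptor" % key)
        if not (FIELD_RULES["Culture"].match(fields["UICulture"]) and GUID.match(fields["Id"])
                and all(HASH.match(h) for h in fields["Hashes"])):
            raise ValueError("invalid script descriptor")
        parsed.append(fields)
    return parsed

def delta_error(status, message):
    # Partial-postback error block 'length|error|status|text|' with the text HTML-encoded.
    text = html.escape(message, quote=True)
    return "%d|error|%d|%s|" % (len(text), status, text)
```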
  2. Atanas Korchev
    Admin
    8462 posts

    Posted 15 Oct 2009 Link to this post

    Hi Kalyan,

    This issue has been resolved in more recent versions of our product. Please upgrade to the Q2 2009 version (you now seem to be using Q1 2009).

    Regards,
    Albert,
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
  4. Lee Scorer
    2 posts
    Member since: Jul 2009

    Posted 16 Oct 2009 Link to this post

    Thanks for replying. I am a licensed user and I was just checking my upgrade. Is this the version I should download (ASP.NET AJAX 2009.2 826) that has a fix for the problem I mentioned earlier? Please suggest.
  5. T. Tsonev
    Admin
    2770 posts

    Posted 16 Oct 2009 Link to this post

    Hello,

    Yes, this is the correct version - it's the current official Q2 2009 release.

    Greetings,
    Tsvetomir Tsonev
    the Telerik team

  6. Lee Scorer
    2 posts
    Member since: Jul 2009

    Posted 21 Oct 2009 Link to this post

    Hi,

    This is really URGENT. As per your feedback, we upgraded the Telerik DLL to ASP.NET AJAX 2009.2 826 and sent our application for a second round of penetration testing. It has failed again for the same reason. We would need urgent feedback on how we can solve this RadScriptManager HiddenField issue, since it has been our barrier to releasing the application.

    Are there any other alternatives?
  7. T. Tsonev
    Admin
    2770 posts

    Posted 24 Oct 2009 Link to this post

    Hello,

    I'm posting this for community reference:
    The issue has been resolved in version 2009.2.1024+ thanks to the additional details that you've provided through a support ticket.

    Greetings,
    Tsvetomir Tsonev
    the Telerik team
