Security issue - "Open redirection (DOM-based)" in "kendo.aspnetmvc.min.js"

Hi Dimo,
    Is "kendo.aspnetmvc.min.js" used by Kendo Grid contol only or other Kendo controls are also using this javascript? Is Kendo Grid control using "kendo.aspnetmvc.min.js" only for Paging and sorting?

    I checked the behavior of the Kendo Grid control in my application. As per my observation, when I used paging and sorting functionality, the AJAX "Post" request is being sent with the page number, page size and sort field parameters(it is not sending the "GET" request with page no and other parameters). On the server-side into the Controller, the object-"DataSourceRequest request" contains these values and they are used into the code to return appropriate data to the view. The URL is not at all getting changed here because "POST" request is being sent to the URL. Please confirm that my observation is correct.

    If above understanding is correct, I just need to validate the values - page number, page size and sort field which are sent into the "POST" request(whether they contain valid values). Please confirm that my understanding is correct. Do you think, I need to perform any other validation?

Thanks,
Alpesh.

Hi,

In our recent vulnerability scan, both were tagged for A3-Cross-Site Scripting (XSS):

kendo.dataviz.map.min.js   - location
kendo.aspnetmvc.min.js     - href, replace

Can you verify if this is true or is just a false positive. Thank you!

Another findings: 

kendo.dataviz.gauge.min.js - A7- Cross-Site Scripting - "text, append"
kendo.dataviz.map.min.js  - AI injection - "jsonp"

Hi,

We have been receiving and reviewing similar vulnerability scan reports and so far all of them appeared to be false positive. If you need to check your ones deeper please run the scan over the non-minified versions of the javascript kendo files that can be found in your Telerik account and submit a separate support ticket with them so we could  review them separately.

Regards,
Plamen
Progress Telerik

Hi Admin, 

Please find details on the vulnerability finding. Hopefully, I can get explanation about this. Thank you.

1.) kendo.dataviz.map.min.js

   Message:
The application's n.location embeds untrusted data in the generated output with location, at line 1263 of \Scripts\kendo\kendo.dataviz.map.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


       renderTooltip: function() {
                    var e, t, n = this,
                        i = n.options.title,
                        r = n.options.tooltip || {};
                    r && c && (e = r.template, e && (t = a.template(e), r.content = function(e) {
                        return e.location = n.location(), e.marker = n, t(e)
                    }), (i || r.content || r.contentUrl) && (this.tooltip = new c(this.element, r), this.tooltip.marker = this))



2.) kendo.dataviz.map.min.js

  Message:
An explicit filename is not defined for the Content-Disposition header in line 1077 at file Source\Scripts\kendo\kendo.dataviz.map.min.js.
Filename attribute is required in order to prevent the browser from assuming the resource is an executable and download a possibly malicious file.

                _fetchMetadata: function() {
                    var t = this.options;
                    if (!t.key) throw Error("Bing tile layer: API key is required");
                    e.ajax({
                        url: t.baseUrl + t.imagerySet,
                        data: {
                            output: "json",
                            include: "ImageryProviders",
                            key: t.key,
                            uriScheme: this._scheme(window.location.protocol)
                        },
                        type: "get",
                        dataType: "jsonp",


3.) kendo.dataviz.guage.min.js

Message:

The application's s.append embeds untrusted data in the generated output with append, at line 40 of \Scripts\kendo\kendo.dataviz.gauge.min.js. This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.


! function(e, define) {
    define(["./kendo.dataviz.core.min", "./kendo.drawing.min", "./kendo.dataviz.themes.min"], e)
}(function() {
    return function(e, t) {
        function n(e, t) {
            var n = e.box,
                i = e.children[0].box,
                o = t.border || {}, a = t.background || "",
                s = new A,
                l = M.fromRect(new I([n.x1, n.y1], [n.width(), n.height()]), {
                    stroke: {}
                }),
                c = new E(e.text, new D(i.x1, i.y1), {
                    font: t.font,
                    fill: {
                        color: t.color
                    }
                }),
                d = r(c.bbox().clone(), t.padding),
                u = M.fromRect(d, {
                    stroke: {
                        color: o.width ? o.color : "",
                        width: o.width,
                        dashType: o.dashType,
                        lineJoin: "round",
                        lineCap: "round"
                    },
                    fill: {
                        color: a
                    }
                });
            return s.append(l), s.append(u), s.append(c), s
        }

Some more here ...

kendo.dataviz.map.min.js

Message:
The potentially tainted value provided by location in I\Scripts\kendo\kendo.dataviz.map.min.js at line 1239 is used as a destination URL by location in I\Scripts\kendo\kendo.dataviz.map.min.js at line 1263, potentially allowing attackers to perform an open redirection.


  location: function(e) {
                    return e ? (this.options.location = f.create(e).toArray(), this.layer && this.layer.update(this), this) : f.create(this.options.location)
                },

kendo.router.min.js

Message:
The potentially tainted value provided by location in \Scripts\kendo\kendo.router.min.js at line 12 is used as a destination URL by replace in Scripts\kendo\kendo.router.min.js at line 60, potentially allowing attackers to perform an open redirection.

      },
                replaceLocation: function(e) {
                    f.replace(e)
        }

kendo.aspnetmvc.min.js

The potentially tainted value provided by replace in \Scripts\kendo\kendo.aspnetmvc.min.js at line 199 is used as a destination URL by href in \Scripts\kendo\kendo.aspnetmvc.min.js at line 199, potentially allowing attackers to perform an open redirection.

 read: function(t) {
                        var n, i, r = this.options.prefix,
                            o = [r + "sort", r + "page", r + "pageSize", r + "group", r + "aggregate", r + "filter"],
                            a = RegExp("(" + o.join("|") + ")=[^&]*&?", "g");
                        i = location.search.replace(a, "").replace("?", ""), i.length && !/&$/.test(i) && (i += "&"), t = this.setup(t, "read"), n = t.url, n.indexOf("?") >= 0 ? (i = i.replace(/(.*?=.*?)&/g, function(e) {
                            return n.indexOf(e.substr(0, e.indexOf("="))) >= 0 ? "" : e
                        }), n += "&" + i) : n += "?" + i, n += e.map(t.data, function(e, t) {
                            return t + "=" + e
                        }).join("&"), location.href = n

Hi,

Thank you for sharing the code - based on it we can tell that we have been reported similar issues yet all of them where false positive. If you want us to deeper inspect each issue please submit a support ticket with the exact files that you have scanned so we are able to once again review the warnings against all of the code and be more descripting in our answer.

Regards,
Plamen
Progress Telerik