A path traversal vulnerability in all versions of RadChart for ASP.NET AJAX by Telerik allows a remote attacker to read and delete image files with the extension ".BMP", ".EXIF", ".GIF", ".ICON", ".JPEG", ".PNG", ".TIFF", or ".WMF" on the server through a specially crafted request.
Versions prior to Q3 2012 may also be exposed to arbitrary file access within the web application, including the web.config.
To mitigate the vulnerability you must remove the control's HTTP handler (type Telerik.Web.UI.ChartHttpHandler) from your web.config. The handler is typically registered twice, once for the classic pipeline and once for the integrated pipeline, and both registrations must go, e.g.
REMOVE these lines from your web.config file:
<add path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler" verb="*" validate="false" />
(under system.web/httpHandlers, classic pipeline) and
<add name="ChartImage_axd" path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler" verb="*" preCondition="integratedMode" />
(under system.webServer/handlers, integrated pipeline)
Note: this will prevent the RadChart control from working in your app.
RadChart was discontinued in 2014 in favor of RadHtmlChart. We advise that you migrate to RadHtmlChart:
- Migrate Functionalities - Features and Series Types Parity
- Migrate Axes Configuration
- Migrate Data Binding Configuration
- Migrate Date Axis Configuration
- Migrate Series Configuration
Telerik would like to thank movrment from Infiniti Team - VinCSS (A member of Vingroup) for helping in making this information public.
External reference: CVE-2019-19790