This is a migrated thread and some comments may be shown as answers.

Path traversal vulnerability in RadChart Image Handler

0 Answers 1703 Views
Chart (Obsolete)
This is a migrated thread and some comments may be shown as answers.
This question is locked. New answers and comments are not allowed.
Telerik Admin
Top achievements
Rank 1
Iron
Telerik Admin asked on 13 Dec 2019, 12:54 PM

Path traversal in all versions of RadChart for ASP.NET AJAX by Telerik allows a remote attacker to read and delete an image with extension ".BMP",".EXIF",".GIF",".ICON",".JPEG",".PNG",".TIFF", or ".WMF" on the server through a specially crafted request.

Versions prior to Q3 2012 may also be exposed to arbitrary files access within the web application, including the web.config.

To avoid the vulnerability you must remove its HTTP handler from your web.config (its type is Telerik.Web.UI.ChartHttpHandler), e.g.

REMOVE these lines from your web.config file:

<add path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler" verb="*" validate="false" />

and

<add name="ChartImage_axd" path="ChartImage.axd" type="Telerik.Web.UI.ChartHttpHandler" verb="*" preCondition="integratedMode" />

Note: this will prevent the RadChart control from working in your app.

RadChart has been discontinued in 2014 in favor of RadHtmlChart. We advise that you migrate to RadHtmlChart:

Telerik would like to thank movrment from Infiniti Team - VinCSS (A member of Vingroup) for helping in making this information public.

External reference: CVE-2019-19790

Tags
Chart (Obsolete)
Asked by
Telerik Admin
Top achievements
Rank 1
Iron
Share this question
or