Hello,
I was notified that one of the sites I developed is returning a vulnerability to cross site scripting. I have already tried many ways to correct this issue with code and content security policy changes. I still can't get rid of this vulnerability. We are using Progress® Telerik® UI for ASP.NET AJAX runtime version: v4.0.30319 version: 2020.1.114.45. Can I download the trial of asp.net ajax and try that version of the treeview and see if that corrects the issue?
Issue Detail
The value of the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter is copied into the HTML document as plain text between tags. The payload sbi7s<script>alert(1)</script>tx52l was submitted in the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter. This input was echoed unmodified in the application's response.
Request
older1_VIndex2_tvIndex_ClientState=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a%220**sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l**%22%7d&ctl00_RadWindowManager1_ClientState=&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24VIndex2%24btnAddCart=Add%20To%20Cart
Response
> HTTP/2 200 OK
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Type: text/plain; charset=utf-8
> Expires: -1
> Server: Microsoft-IIS/10.0
> X-Powered-By: ASP.NET
> X-Frame-Options: SAMEORIGIN
> X-Ua-Compatible: IE=edge,IE=11,IE=10,IE=9,IE=8,IE=7
> Strict-Transport-Security: max-age=31536000
> Date: Wed, 19 Mar 2025 16:26:27 GMT
> Content-Length: 82
> 68|error|500|0**sbi7s<script>alert(1)</script>tx52l** is not a valid value for Int32.|
What is the best way to pinpoint this issue? How can I look at the scrollposition and how is that causing this issue?
How do I fix this so it isn't showing up on the scans?
Thank you
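The response above is the ASP.NET AJAX partial-rendering error format (`68|error|500|<message>|`), and the message is the raw FormatException text, which contains the rejected scrollPosition value. One way to stop the request value from being copied into that response is to replace the async postback error message with a constant string. The following is an added example, not code from the original post or from Telerik; it assumes a page that uses a RadScriptManager (or plain ScriptManager) with the ID RadScriptManager1, and the page class name is hypothetical.

```csharp
// Added example: return a generic error message for failed async postbacks so
// that values rejected while parsing hidden fields (here the scrollPosition
// value inside a _ClientState field) are no longer echoed to the client.
using System;
using System.Diagnostics;
using System.Web.UI;
using Telerik.Web.UI;

public partial class IndexPage : Page   // hypothetical page class
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // RadScriptManager derives from System.Web.UI.ScriptManager, so the
        // standard AsyncPostBackError event is available on it.
        // RadScriptManager1 is an assumed control ID.
        RadScriptManager1.AsyncPostBackError += RadScriptManager1_AsyncPostBackError;
    }

    private void RadScriptManager1_AsyncPostBackError(object sender, AsyncPostBackErrorEventArgs e)
    {
        // Keep the real exception (and the offending input) on the server side only.
        Trace.TraceError("Async postback failed: {0}", e.Exception);

        // A constant message: nothing taken from the request or from
        // e.Exception.Message is placed into the response.
        RadScriptManager1.AsyncPostBackErrorMessage = "The request could not be processed.";
    }
}
```

The same handler can be wired in markup with the OnAsyncPostBackError attribute of the script manager instead of in Page_Load. This changes only what the error response contains; the FormatException itself still occurs and should still be logged server-side so real parsing failures remain visible.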
We have an application that uses RadGrid and one of our clients recently performed a penetration test on our application and identified the hidden input _ClientState as a vulnerability because they were able to trigger a buffer overflow error.
Here is the relevant code from the test where ClientState=AAA repeats ...
ctl00_ctl00_MainContent_MainContent_MyRequestGrid1_MyRequestCustomRadGrid_ClientState=AAAAAAAAAAAAAAAAAAAAAAAA
Is there a way to prevent this from happening? Perhaps some way to set the max length for this hidden input or some other technique that we can utilize to mitigate this vulnerability?
We are using Telerik RadControls for ASP.NET Ajax.
For reference, there is another thread related to this topic (i.e., ClientState hidden field) where my colleague posted a similar question but received no response - http://www.telerik.com/forums/what-is-clientstate-input-hidden-for
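Since the _ClientState hidden fields are ordinary POST parameters, a size limit can be enforced before any Telerik control reads them. The following is an added example, not code from the original post or from Telerik: an IHttpModule that rejects POSTs whose *_ClientState fields exceed a length limit or do not look like a JSON object. The 16 KB limit and the "JSON object" check are assumptions chosen for illustration, and Request.Unvalidated requires .NET 4.5 or later.

```csharp
// Added example: reject oversized or malformed *_ClientState fields with a 400
// before the page lifecycle (and the controls' ClientState parsing) runs.
using System;
using System.Web;

public class ClientStateGuardModule : IHttpModule
{
    // Assumed upper bound; ClientState JSON for grids and treeviews is normally
    // far smaller than this. Tune it to the largest legitimate value observed.
    public const int MaxClientStateLength = 16 * 1024;

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var request = app.Context.Request;
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        // Unvalidated.Form reads the decoded body without triggering ASP.NET
        // request validation, so this check runs even for payloads containing '<'.
        var form = request.Unvalidated.Form;
        foreach (string key in form.AllKeys)
        {
            if (key == null || !key.EndsWith("_ClientState", StringComparison.Ordinal))
                continue;

            if (!IsAcceptableClientState(form[key]))
            {
                app.Context.Response.StatusCode = 400;
                app.Context.Response.SuppressContent = true;
                app.CompleteRequest();   // skip to EndRequest without throwing
                return;
            }
        }
    }

    // Empty values are allowed (controls render them that way); otherwise the
    // value must fit the limit and be a JSON object. The object check is
    // deliberately loose: first and last non-whitespace characters only.
    public static bool IsAcceptableClientState(string value)
    {
        if (string.IsNullOrEmpty(value)) return true;
        if (value.Length > MaxClientStateLength) return false;

        string trimmed = value.Trim();
        return trimmed.StartsWith("{", StringComparison.Ordinal)
            && trimmed.EndsWith("}", StringComparison.Ordinal);
    }

    public void Dispose() { }
}
```

Register the module under system.webServer/modules in web.config (name and type of your choosing). A value such as the repeated "AAAA..." string fails the object check regardless of length, and a 400 from the module means the controls never attempt to parse it.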
Hello
We have an application that needs to be put behind a reverse proxy for security reasons. The URLs in the app all need to point to the reverse proxy URLs. However, the URLs for web resources and the dynamically generated JavaScript URLs point to the backend server, so a lot of functionality is broken. We have no possibility to modify reverse proxy rules.
Is there any way to modify or rewrite the dynamically generated URLs and the web resource URLs? We tried intervening in the page rendering; some stuff works, but a lot of other things do not.
Thanks!
Hi,
I isolated this script to display the overlay drawer, but it is not working properly. What am I missing?
<script>
I checked the demo at https://demos.telerik.com/aspnet-ajax/window/examples/rendermodes/defaultcs.aspx?skin=MetroTouch with render mode set to classic in Chrome's Dev Tools > Mobile device emulator. I noticed a vertical line between the td cells in the title bar row as shown in the screenshot below. I also noticed a similar issue with the Metro skin in classic render mode. If I view the same in non-mobile mode in Chrome then this issue disappears. Perhaps it's some styling issue, but I could not find any CSS causing this.
It makes the title bar look non-uniform and not good in appearance.
What is causing the break among the td cells in the title bar for this case? (i.e. vertical line can be seen where the first td cell in title bar ends and then where the third td cell begins)
However, I did find a workaround solution using the jQuery code below.
// Hide the left/right corner cells of each visible RadWindow title row and let
// the title bar cell span the full width. Note: an arrow function does not
// bind its own `this`, so the element passed to .each() (emt) is used instead.
$(".RadWindow:visible").each((index, emt) => {
  $(emt).find("tr.rwTitleRow td.rwTopLeft, tr.rwTitleRow td.rwTopRight").css("display", "none");
  $(emt).find("tr.rwTitleRow td.rwTitlebar").attr("colspan", "3");
});
I have encountered a niche issue I'm trying to solve. I have a grid with EnableViewState set to false. Based on this, the control state within the grid is used to manage things like sort expressions.
My issue is simply this:
I debugged against a few events of the grid and found that in ColumnCreated (after NeedDataSource) the grid restored its sort expressions from what I presume is the control state. So, this was between NeedDataSource and ColumnCreated.
When exactly did the sort expressions get restored, and is there an event I can listen to?
Good morning once again.
Today I am trying to apply an image to the RadImageButton; however, only the Text is showing, never the image. Not sure what the issue is.
Note: there is no code-behind for this button yet; it's just static for testing purposes.
<telerik:RadImageButton ID="RadImageButton1" runat="server" Text="Cat II/III" Width="50px" Height="50px">
<Image Url="Content/Images/Cat3.png" />
</telerik:RadImageButton>
Hello
I have several RadGrids with custom CSS applied to the columns. Everything works as intended. However, when a column is sorted, Telerik applies the .rgSorted CSS and this completely defeats the purpose of the grid (in our application). What is the procedure to DISABLE or DELETE the .rgSorted CSS, as this particular class will never be needed or used?
Note: any CSS class definition with !important cannot be used in this context.
Thank you
I'm experiencing an issue where the page becomes unresponsive for a long time whenever any Telerik control (such as refresh or loader) is triggered. The page keeps loading indefinitely, causing significant delays, and eventually, the page becomes unresponsive.
Additionally, the following error appears in the browser console:
Uncaught Sys.WebForms.PageRequestManagerTimeoutException: Sys.WebForms.PageRequestManagerTimeoutException: The server request timed out.
at Error.create (https://test.plc.com/GS/Telerik.Web.UI.WebResource.axd?...:6:2736)
at Sys.WebForms.PageRequestManager._createPageRequestManagerTimeoutError (https://wpinhouse.knpc.com/GPCS/Telerik.Web.UI.WebResource.axd?...:15:11219)
at Sys.WebForms.PageRequestManager._onFormSubmitCompleted (https://wpinhouse.knpc.com/GPCS/Telerik.Web.UI.WebResource.axd?...:15:11219)
The issue arises when interacting with Telerik controls that trigger a page request, causing the page to hang and ultimately become unresponsive.
The issue started on Feb 17 2025.