Could this be a web.config hack?

6 posts, 0 answers
  1. Fit2Page
    Fit2Page avatar
    468 posts
    Member since:
    Feb 2007

    Posted 12 May 2020 Link to this post

    Hi,

     

    Yesterday I discovered in the web.config on one of our webs the following:

     

    <add name="Telerik_Web_UI_DialogHandler_aspx" path="me.hochalla.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" preCondition="integratedMode" />

     

    normally this is:

     

    <add name="Telerik_Web_UI_DialogHandler_aspx" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" verb="*" preCondition="integratedMode" />

     

    What do you think this is?

    Strangest thing is I removed the line yesterday but now it is in again.

    Please respond soonest.

    Marc

  2. Rumen
    Admin
    Rumen avatar
    14460 posts

    Posted 12 May 2020 Link to this post

    Hi Marc,

    Yes, this might be a security issue, especially if me.hochalla.aspx handler/page is not among the known files of your web application.

    You may also search for me.hochalla.aspx in the app files and if it exists to examine its code which might give you any clues.

    My advice is to upgrade your project to the latest version 2020.1.219 of Telerik.Web.UI.dll  and to apply the recommended security keys. If they are already applied, create new ones since the original keys might be stolen from the compromised web.config file.

    The latest version provides fixes for the following vulnerabilities:

    You can find more information on how to secure your app in these articles:

    Regards,
    Rumen
    Progress Telerik

    Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
    Our thoughts here at Progress are with those affected by the outbreak.
  3. Chad
    Chad avatar
    2 posts
    Member since:
    Jan 2017

    Posted 11 Jan in reply to Rumen Link to this post

    Are there any other measures that need to be taken to secure the Telerik.Web.UI.DialogHandler.aspx?

    Our IIS logs have thousands of hits to variations of the following path.

    /common/admin/Jobs2/Telerik.Web.UI.DialogHandler.aspx

    When I go to that path I get a message saying "Loading the dialog..."

    Should I be concerned with this?

     

  4. Rumen
    Admin
    Rumen avatar
    14460 posts

    Posted 12 Jan Link to this post

    Hi Chad,

    It looks like somebody is trying to exploit your app via one of the known vulnerabilities in the suite - CVE-2017-9248.

    That's why it is a must to secure your web apps with the most secure versions of Telerik.Web.UI.dll released after R3 2019 SP1 or even better the latest one R3 2020 SP1 to protect from all known vulnerabilities in the suite. Please see the following video which shows how to generate the recommended security keys for the web.config appSettings for the Telerik controls - https://www.youtube.com/watch?v=J18zDKtiBFE

    Please also read these online resources:

    The vulnerability related to the Telerik.Web.UI.DialogHandler.aspx is discussed in the following article: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness. If your app is using an older version where the vulnerability is not fixed, please directly upgrade to the latest version R3 2020 SP1 (2020.3.1021) since this will ensure that the hackers won't be able to decrypt the handler information and exploit your site. 

    By the way, in version 2020.2.512, we updated the error message of the handler - https://feedback.telerik.com/aspnet-ajax/1463808-security-improvement-in-handling-telerik-web-ui-dialoghandler-errors which is yet another reason for an upgrade. Security is a top priority and we are constantly enhancing the security of the suite.

    Best Regards,
    Rumen
    Progress Telerik

    Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

  5. Chad
    Chad avatar
    2 posts
    Member since:
    Jan 2017

    Posted 18 Jan in reply to Rumen Link to this post

    Thank you. We upgraded the controls and applied the recommended settings.

    I would like to secure it further. In our application we only have a need for the Telerik.Web.UI.DialogHandler.aspx page to be accessible behind login. Is there a way to lock down the dialog handler so only logged in users have access? 

  6. Rumen
    Admin
    Rumen avatar
    14460 posts

    Posted 18 Jan Link to this post

    You are welcome, Chad. It is perfect that you have updated the Telerik.Web.UI.dll version and applied the security settings!

    The Telerik.Web.UI.DialogHandler.aspx does not offer built-in authentication. If the app is not public-facing or if a secure version of Telerik.Web.UI.dll is used then the app will be secured and the hacker won't be able to access or decrypt the handler.

    Regards,
    Rumen
    Progress Telerik

    Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Back to Top