This is a migrated thread and some comments may be shown as answers.

Cross-site scripting - vulnerability scan

General Discussions
Steve
Steve asked on 10 Sep 2010, 09:22 PM
We have an issue with our security scans that highlight a lot of cross-site issues in Telerik. They are using version 2009.1.402.0. I need to find a release with this fixed.

Here is a sample.

============================================================================

2. Cross-site scripting (reflected)

Summary
Severity:   High
Confidence:   Certain
Host:   https://www.xxx.com
Path:   /atlas/Telerik.Web.UI.WebResource.axd

Issue detail
The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50c33'%3balert(1)//8f999a4adfd was submitted in the _TSM_HiddenField_ parameter. This input was echoed as 50c33';alert(1)//8f999a4adfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.


=========================================================================================

I have searched release notes and I have not been able to find a fix for this issue.
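The report above describes a request value copied into a single-quoted JavaScript string. As an added illustration (not Telerik's code and not the scanner's), the Python below builds that reflection pattern both raw and through a JavaScript-string encoder, then uses a small lexer-style check to confirm whether the literal stays closed. `PAYLOAD` is the URL-decoded probe quoted in the report; the function names and the `tsm` variable are my own.

```python
# Constructed from the report: the probe after URL-decoding %3b to ';'.
PAYLOAD = "50c33';alert(1)//8f999a4adfd"


def reflect_raw(value: str) -> str:
    """Vulnerable pattern: parameter concatenated into a JS string literal."""
    return f"var tsm = '{value}';"


def js_escape(value: str) -> str:
    """Encode a value for use inside a quoted JS string literal.

    Every character other than ASCII letters, digits and space becomes
    \\xHH or \\uHHHH, so no quote, backslash, '<', '/', newline or
    U+2028/U+2029 can terminate the literal or the enclosing script block.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and (ch.isalnum() or ch == " "):
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def reflect_encoded(value: str) -> str:
    """Hardened pattern: the same emission, but through js_escape()."""
    return f"var tsm = '{js_escape(value)}';"


def literal_is_intact(snippet: str) -> bool:
    """Scan like a JS lexer: after the opening quote, skip escape sequences
    and locate the closing quote. True only if the literal closes right
    before the trailing ';' and nothing else follows (no break-out)."""
    i = snippet.index("'") + 1
    while i < len(snippet):
        if snippet[i] == "\\":
            i += 2  # backslash + escaped char, never a terminator
            continue
        if snippet[i] == "'":
            return snippet[i + 1:] == ";"
        i += 1
    return False


if __name__ == "__main__":
    print("raw     intact:", literal_is_intact(reflect_raw(PAYLOAD)))      # False
    print("encoded intact:", literal_is_intact(reflect_encoded(PAYLOAD)))  # True
```

The same check is useful as a regression test against whatever hidden-field or resource-handler output your own pages emit, independent of the scanner.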

5 Answers, 1 is accepted

0
Kamen Bundev
Telerik team
answered on 13 Sep 2010, 08:43 AM
Hi Steve,

Yes, this issue was fixed some time ago. Can you check if upgrading to the latest release of RadControls for ASP.NET AJAX fixes it for you?

All the best,
Kamen Bundev
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Steve
answered on 13 Sep 2010, 03:42 PM
In what version was this fixed?
0
Kamen Bundev
Telerik team
answered on 14 Sep 2010, 08:47 AM
Hi Steve,

The fix was rolled out in Q3 2009 SP2.

All the best,
Kamen Bundev
the Telerik team
0
Harold
answered on 29 Jun 2011, 09:58 PM
We are using version 2009.3.1121.20 of the Telerik.Web.UI DLL. We failed a penetration test for cross-site scripting, and when we switched the telerik:RadScriptManager to asp:ScriptManager we passed the penetration test. Can you tell me which version of your suite fixed this issue? This is an ASP.NET 2.0 application, so we cannot use the most current version of your tools.
Thanks, Harold
0
Simon
Telerik team
answered on 30 Jun 2011, 11:02 AM
Hi Harold,

I looked through the release notes up until now and could not find any specific mention of this issue. Is it possible for you to just upgrade to a more recent version to test for yourself whether the issue got resolved? I suggest you do that incrementally, first with the 2010.1 release and then with the next official release until 2011.1 (this one does not have a .NET 2.0 build, so it will not be useful to you).

I hope this helps.

All the best,
Simon
the Telerik team

Browse the vast support resources we have to jump start your development with RadControls for ASP.NET AJAX. See how to integrate our AJAX controls seamlessly in SharePoint 2007/2010 visiting our common SharePoint portal.
