This is a migrated thread and some comments may be shown as answers.

How to prevent possible SQL injection on Telerik.Web.UI.WebResource.axd

General Discussions
Lan asked on 03 Apr 2019, 04:06 PM

We caught this suspicious attempt through a custom error page.

We got Telerik from a software company who initially developed the site, but they didn't keep their software updated.

As you can see our Telerik version is 2013.1.403.35

Came across this article talking about gaining access to File Manager. 

https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html

In our case, it seems like it is trying to gain access to RadScriptManager1.

So we don't have an active maintenance plan, what should we do to prevent that?

Thank you

There were about 100 of them and then stopped.

https://www.yourdomain.com/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_TSM&compress=1%25' UNION ALL SELECT NULL,NULL,NULL,NULL%23&_TSM_CombinedScripts_=;;System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken={key};Telerik.Web.UI, Version=2013.1.403.35, Culture=neutral, PublicKeyToken={key}&AspxAutoDetectCookieSupport=1 

https://www.yourdomain.com/Telerik.Web.UI.WebResource.axd?_TSM_HiddenField_=RadScriptManager1_TSM&compress=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL%23&_TSM_CombinedScripts_=;;System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken={key};Telerik.Web.UI, Version=2013.1.403.35, Culture=neutral, PublicKeyToken={key}&AspxAutoDetectCookieSupport=1
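
The two requests above are the kind of probe a log scan can flag. The following is an added example, not code from this thread or from Telerik: it reads IIS W3C log lines (constructed here to resemble the two requests quoted above, with spaces written as `+` the way IIS logs them), reports each query-string parameter whose decoded value contains a `UNION ... SELECT`, a trailing comment terminator or a similar marker, and counts flagged requests per client address. The field names follow the IIS W3C `#Fields` header; the marker patterns, log lines and addresses are assumptions made for the demo.

```python
"""Flag SQL-injection-shaped probes in IIS W3C logs.

Added example for this thread; not Telerik code.  The log lines below are
constructed to resemble the two requests quoted in the question (IIS writes
spaces in query strings as '+').  Field names follow the IIS W3C #Fields header.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log (not real traffic); field order follows the header line.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2019-04-03 15:58:01 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=RadScriptManager1_TSM&compress=1&_TSM_CombinedScripts_=;;Telerik.Web.UI 200 203.0.113.10
2019-04-03 16:02:11 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=RadScriptManager1_TSM&compress=1%25'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL%23&_TSM_CombinedScripts_=;;Telerik.Web.UI 500 203.0.113.55
2019-04-03 16:02:12 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=RadScriptManager1_TSM&compress=1)+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL%23&_TSM_CombinedScripts_=;;Telerik.Web.UI 500 203.0.113.55
2019-04-03 16:05:40 GET /Default.aspx - 200 198.51.100.7
"""

# Markers for the probe shapes seen in the thread, matched after URL-decoding.
SQLI_MARKERS = {
    "union-select": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.IGNORECASE),
    "comment-terminator": re.compile(r"(--|#)\s*$"),
    "stacked-query": re.compile(r";\s*(DROP|ALTER|INSERT|UPDATE|DELETE|EXEC)\b", re.IGNORECASE),
    "quote-tautology": re.compile(r"'\s*(OR|AND)\s+['\d]", re.IGNORECASE),
}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def sqli_markers(value):
    """Return the names of the marker patterns found in one decoded parameter value."""
    decoded = unquote(value)  # parse_qs already decoded once; a second pass catches double-encoding
    return [name for name, pat in SQLI_MARKERS.items() if pat.search(decoded)]


def find_probes(text):
    """Return a record for every query-string parameter that carries a marker."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                markers = sqli_markers(value)
                if markers:
                    hits.append({
                        "time": rec["date"] + " " + rec["time"],
                        "client": rec["c-ip"],
                        "stem": rec["cs-uri-stem"],
                        "status": rec["sc-status"],
                        "param": param,
                        "value": value,
                        "markers": markers,
                    })
    return hits


def probes_by_client(text):
    """Count flagged requests per client address, to spot a burst like the ~100 in the thread."""
    counts = {}
    for hit in find_probes(text):
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["stem"], hit["param"], hit["markers"])
    print(probes_by_client(SAMPLE_LOG))
```

Run as a script it prints each flagged request and the per-client totals; the per-client count is what turns one odd URL into a burst from a single address that is worth blocking or rate-limiting at the edge. Since the handler does not touch a database (see the accepted answer), hits like these are reconnaissance noise rather than evidence of a compromise, but the same scan applied to the site's own pages would show whether any parameter that does reach a query received the same payloads.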

2 Answers, 1 is accepted

Accepted
Rumen
Telerik team
answered on 08 Apr 2019, 09:03 AM
Hello Lan,

The findings and SQL injection attempts shown in this forum post are not directly related to the original issue discussed at Cryptographic Weakness (CVE-2017-9248).

This seems like a generic brute-force attempt for SQL injection, but the Telerik WebResource does not use or access databases and does not process SQL queries.

By the way, if you have the contacts of the software company which originally developed your site, you can ask them to assign you as a licensed developer to the Telerik ASP.NET AJAX license so that you can obtain the patch for Cryptographic Weakness (CVE-2017-9248). They can also log into https://www.telerik.com/account/product-download?product=RCAJAX, download the patch and send it to you.

The other recommended approach is to purchase a license of the latest version 2019.1.215 which is stable and secure.

Best regards,
Rumen
Progress Telerik

Himanshu
answered on 05 May 2019, 02:22 PM
FYI, Telerik web resources do not use a database anywhere. Telerik web resources do not access the DB at all, so how could it be an error of Telerik?

You can check the source code of the page and find out if you have added some unvalidated inputs to the code.

It's best practice to use parameterized queries to avoid SQL injection.

You can contact your developer for this issue.



Thanks
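
Parameterized queries, as recommended above, keep user input from ever being parsed as SQL. The following is an added example, not code from this thread, from Telerik or from the poster's site: it runs the same lookup twice against a constructed in-memory SQLite table, once by string concatenation and once with a bound parameter, using a probe value in the shape of the ones quoted in the question (the thread's payload ends in MySQL's `#` line comment; SQLite's `--` is substituted so the demo runs). The table, rows and function names are assumptions made for the demo.

```python
"""A string-built query beside a parameterized one, run against an in-memory
SQLite table.  Added example for this thread; not Telerik code.  The table,
rows and lookup functions are constructed for the demo."""
import sqlite3

# Probe value in the shape of the ones in the thread's URLs.  The thread's payload
# ends in MySQL's '#' line comment; SQLite uses '--', the one adaptation made here.
PROBE = "1%' UNION ALL SELECT NULL,NULL,NULL,NULL -- "


def build_demo_db():
    """Create a four-column table (matching the four NULLs in the probe)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (id INTEGER, name TEXT, path TEXT, version TEXT)"
    )
    conn.executemany(
        "INSERT INTO resources VALUES (?, ?, ?, ?)",
        [
            (1, "RadScriptManager", "/Scripts/Core.js", "2013.1.403.35"),
            (2, "RadAjaxManager", "/Scripts/Ajax.js", "2013.1.403.35"),
        ],
    )
    return conn


def vulnerable_lookup(conn, name_pattern):
    """Builds the SQL by concatenation: the input becomes part of the statement text."""
    sql = (
        "SELECT id, name, path, version FROM resources "
        "WHERE name LIKE '" + name_pattern + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, name_pattern):
    """Same query with a placeholder: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT id, name, path, version FROM resources WHERE name LIKE ?"
    return conn.execute(sql, (name_pattern,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    print("legitimate pattern:   ", safe_lookup(conn, "RadScript%"))
    print("concatenated + probe: ", vulnerable_lookup(conn, PROBE))
    print("parameterized + probe:", safe_lookup(conn, PROBE))
```

With concatenation the probe rewrites the statement and an extra all-NULL row comes back; with the placeholder the same text is just a LIKE pattern that matches nothing. In the ASP.NET site the equivalent is a SqlCommand whose CommandText contains parameter markers and whose values are supplied through SqlParameter objects (for example Parameters.AddWithValue) rather than built from request values.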