Injection vulnerability in RadButton

Joel asked on 13 Dec 2023, 08:31 PM


Our company is using HCL AppScan to expose possible security vulnerabilities. Recently, the scans have started returning issues of high severity related to Blind LDAP Injection because the parameters of the hidden ClientState for RadButtons, such as buttonAbort_ClientState, can be appended to affect the response.

The test uses the following logic:
- Four requests are sent.
- The last is logically equal to the original. The next-to-last is different. Any others are for control purposes.
- A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.

These are not LDAP issues, since LDAP is not implemented on the server, but our security team is concerned this is a vulnerability because the parameter can be appended without sanitization.

Is there a legitimate reason for concern? If so, do you have any suggestions for remediation? We are using version 2023.1.323.45.

Regards, Joel

Attila Antal
Telerik team
answered on 14 Dec 2023, 11:50 AM

Hello Joel,

The _ClientState field is something standard for an IScriptControl instance, such as our controls. Its function is similar to what the ViewState does for the server.

The information there is parsed (JSON deserialization) by our controls and potentially used to set properties. We do not use it for any LDAP connection, or SQL statements or execute it as commands.

My best guess at this point is that this is a static code scan tool that flags all hidden fields with such a potential threat.

If the security team believes this is a real Vulnerability, we will require the steps to reliably reproduce the vulnerability. Once we have those, our security team will investigate and eliminate the security threat.


If you must, you can disable the client state using the following JavaScript override.

<script>
    // Override the client-side serializer so the hidden *_ClientState field is always emitted empty.
    Telerik.Web.UI.RadButton.prototype.saveClientState = function() {
        return "";
    }
</script>

This will clear the value of the hidden field rendered to store the Button's client state.

Note: By disabling the client state, the button will not persist, hence you might lose those benefits.

Regards,
Attila Antal
Progress Telerik
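The override above silences the client state for one control type. As an added example (not Telerik's code, and not from the answer above), the helper below generalises it: it patches `saveClientState` on a list of control prototypes only where that method actually exists, records the originals so the change can be reverted, and reports which controls were patched. The `Telerik.Web.UI` namespace here is a constructed stand-in so the snippet runs outside a page; the `RadTextBox` entry is assumed, for illustration, to expose the same `saveClientState` method as `RadButton`.

```javascript
// Constructed stand-in for the Telerik client namespace (not the real library).
// Each control type serialises some state into the hidden *_ClientState field.
const Telerik = { Web: { UI: {
  RadButton: function () { this.text = "Abort"; },
  RadTextBox: function () { this.value = ""; }   // assumed to behave like RadButton
} } };
Telerik.Web.UI.RadButton.prototype.saveClientState = function () {
  return JSON.stringify({ text: this.text, enabled: true });
};
Telerik.Web.UI.RadTextBox.prototype.saveClientState = function () {
  return JSON.stringify({ value: this.value });
};

// Original serialisers, keyed by control name, so the override can be undone.
const originals = new Map();

// Replace saveClientState on each named control so the hidden field is emitted empty.
// Controls that are absent or lack the method are skipped; returns the names patched.
function disableClientState(ns, controlNames) {
  const patched = [];
  for (const name of controlNames) {
    const ctor = ns && ns[name];
    if (!ctor || typeof ctor.prototype.saveClientState !== "function") continue;
    if (!originals.has(name)) originals.set(name, ctor.prototype.saveClientState);
    ctor.prototype.saveClientState = function () { return ""; };
    patched.push(name);
  }
  return patched;
}

// Put the recorded serialisers back; returns the names restored.
function restoreClientState(ns) {
  const restored = [];
  for (const [name, fn] of originals) {
    if (ns[name]) { ns[name].prototype.saveClientState = fn; restored.push(name); }
  }
  originals.clear();
  return restored;
}

// What a fresh instance of the control would write into its hidden field.
function clientStateOf(ctor) { return new ctor().saveClientState(); }
```

In a real page the patch must run after the Telerik scripts have loaded and before the controls serialise their state on postback.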
