Jeyachandran
Top achievements
Rank 1
Rank 1
Jeyachandran
asked on 25 Nov 2013, 02:23 PM
Hi,
We are facing a vulnerability (Missing XML Validation) in Ajaxtoolkit form (Animation.cs) that the input source is not been validated properly,which was identified by HPFortify tool.
We are using the Version 3.5.60501.0
Is any new version has come to overcome this issue?
If not, could you please give me a solution for this?
The below code is for you reference.
private static int GetNumber(string source, string tag)
{
using (XmlTextReader reader = new XmlTextReader(new StringReader(source)))
{
if (reader.Read())
{
while (reader.Read())
{
if (string.Compare(reader.Name, tag, StringComparison.OrdinalIgnoreCase) == 0)
return reader.LineNumber;
if (reader.NodeType == XmlNodeType.Element && !reader.IsEmptyElement)
reader.Skip();
}
}
}
return 1;
}
HP Fortify Error Description:
The method GetNumber() in Animation.cs fails to enable validation before using XML on line 238, which gives an attacker the opportunity to supply malicious input.
Appreciate your help!
Thanks,
Jeyachandran S
We are facing a vulnerability (Missing XML Validation) in Ajaxtoolkit form (Animation.cs) that the input source is not been validated properly,which was identified by HPFortify tool.
We are using the Version 3.5.60501.0
Is any new version has come to overcome this issue?
If not, could you please give me a solution for this?
The below code is for you reference.
private static int GetNumber(string source, string tag)
{
using (XmlTextReader reader = new XmlTextReader(new StringReader(source)))
{
if (reader.Read())
{
while (reader.Read())
{
if (string.Compare(reader.Name, tag, StringComparison.OrdinalIgnoreCase) == 0)
return reader.LineNumber;
if (reader.NodeType == XmlNodeType.Element && !reader.IsEmptyElement)
reader.Skip();
}
}
}
return 1;
}
HP Fortify Error Description:
The method GetNumber() in Animation.cs fails to enable validation before using XML on line 238, which gives an attacker the opportunity to supply malicious input.
Appreciate your help!
Thanks,
Jeyachandran S
1 Answer, 1 is accepted
0
Hello Jeyachandran,
Could you confirm whether the mentioned issue is related to RadControls for ASP.NET AJAX? For example you can remove all the RadControls from your page and if the issue still occurs then it is not related to RadControls.
If that is the case I can suggest that you open a thread in the respective forum (for example the forum of asp.net). If the issue is reproducible only when the RadControls are on board I can suggest that elaborate more into the steps of reproducing it.
Regards,
Danail Vasilev
Telerik
Could you confirm whether the mentioned issue is related to RadControls for ASP.NET AJAX? For example you can remove all the RadControls from your page and if the issue still occurs then it is not related to RadControls.
If that is the case I can suggest that you open a thread in the respective forum (for example the forum of asp.net). If the issue is reproducible only when the RadControls are on board I can suggest that elaborate more into the steps of reproducing it.
Regards,
Danail Vasilev
Telerik
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.