I ran HP Fortify tool to check vulnerable code in application code base and found the security issue in RadAjaxNamespace.js file for Cross site scripting. The detail of the scan for vulnerable code is below. Please let us know how could we fix this issue as the method seems vulnerable to cross site scripting attacks.
Abstract: The method l1b() in RadAjaxNamespace.js sends unvalidated data to a web browser
on line 1, which can result in the browser executing malicious code.
Source: RadAjaxNamespace.js:1 Read ~localScope.oe.responseText()
-1 ( function (){ob=25; if (typeof(window.RadAjaxNamespace)=="undefined" ||
typeof(window.RadAjaxNamespace.Version)=="\x75\x6e\x64efin\x65\x64" ||
window.RadAjaxNamespace.Version<ob){window.RadAjaxNamespace=
{Version:ob,IsAsyncResponse: false ,LoadingPanels:{} ,ExistingScripts:{} ,IsInRequest:
false ,MaxRequestQueueSize: 5 } ; var AjaxNS=window.RadAjaxNamespace;
AjaxNS.EventManager= {Ob:null,lb:function (){try {if (this.Ob==null){ this.Ob=[];
AjaxNS.EventManager.Add(window,"\165nload",this.ib); }}c...
0 if (typeof(Sys) != "undefined"){if (Sys.Application != null &&
Sys.Application.notifyScriptLoaded != null){Sys.Application.notifyScriptLoaded();}}
Abstract: The method l1b() in RadAjaxNamespace.js sends unvalidated data to a web browser
on line 1, which can result in the browser executing malicious code.
Source: RadAjaxNamespace.js:1 Read ~localScope.oe.responseText()
-1 ( function (){ob=25; if (typeof(window.RadAjaxNamespace)=="undefined" ||
typeof(window.RadAjaxNamespace.Version)=="\x75\x6e\x64efin\x65\x64" ||
window.RadAjaxNamespace.Version<ob){window.RadAjaxNamespace=
{Version:ob,IsAsyncResponse: false ,LoadingPanels:{} ,ExistingScripts:{} ,IsInRequest:
false ,MaxRequestQueueSize: 5 } ; var AjaxNS=window.RadAjaxNamespace;
AjaxNS.EventManager= {Ob:null,lb:function (){try {if (this.Ob==null){ this.Ob=[];
AjaxNS.EventManager.Add(window,"\165nload",this.ib); }}c...
0 if (typeof(Sys) != "undefined"){if (Sys.Application != null &&
Sys.Application.notifyScriptLoaded != null){Sys.Application.notifyScriptLoaded();}}
1 Answer, 1 is accepted
0
Hi Manish,
Could you provide more information on the product version that you are using? RadControls in its current state does not distribute RadAjaxNamspace.js file. Could you confirm there is security issue in the current available distribution of RadControls?
Regards,
Antonio Stoilkov
Telerik
Could you provide more information on the product version that you are using? RadControls in its current state does not distribute RadAjaxNamspace.js file. Could you confirm there is security issue in the current available distribution of RadControls?
Regards,
Antonio Stoilkov
Telerik
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to the blog feed now.