Telerik.Web.UI.WebResource.axd strange errors/web.config entries appeared

8 posts, 0 answers
  1. Jon
    34 posts, member since Apr 2009

    Posted 06 Oct

    Had a few sites on the same server that suddenly stopped working and started having issues.

    Looking into the issues, I found the following weird entry appear in the root web.config:

    <location path="Telerik.Web.UI.WebResource.axd">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    Also found the following folders had been created:

    "ScriptResource.axd" - Blank web.config

    "Telerik.Web.UI.WebResource.axd" - contains a web.config as follows:

    <configaration>
      <location path="Telerik.Web.UI.WebResource.axd">
        <system.webServer>
          <httpRedirect enabled="true" destination="ROOT" httpResponseStatus="Permanent" />
        </system.webServer>
      </location>
    </configaration>

    "WebResource.axd" - Blank web.config

    Anyone else ever seen this?

    Is it a hack?

    Thanks

  2. Peter Milchev
    Admin, 845 posts

    Posted 08 Oct

    Hello Jon,

    If you are using a version prior to R1 2020, then this is a probable hack attack leveraging this vulnerability:

    If you have R1 2020 or later and all the encryption keys set to a strong value, then it is less likely to be an attack via the Telerik controls.

    The first entry you have shared seems to be the one we suggest for loading the resources properly:

    The rest of the snippets and folders might be a result of an attack.

    We recommend upgrading all public sites you maintain to at least R1 2020 version and setting the encryption keys with strong values generated similarly to the way demonstrated here:

    Regards,
    Peter Milchev
    Progress Telerik

  3. Jon
    34 posts, member since Apr 2009

    Posted 08 Oct in reply to Peter Milchev

    Been using these tools for years; 'encryption keys' is the first I have EVER heard that they had to be set also....

    So is it now the case that EVERY site I have running telerik now SHOULD/MUST have encryption keys set?

  4. Peter Milchev
    Admin, 845 posts

    Posted 08 Oct

    Hello Jon,

    The Encryption key is available since 2012, while the ConfigurationHashKey is available as of R1 2017.

    Also, we have sent numerous mass emails recommending setting all of these keys for better security. A site would be able to work even without them but it is nearly mandatory for better security.

    Another highly recommended, almost mandatory, step is upgrading to at least R1 2020 for maximum security against the Blue Mockingbird vulnerability:

    Regards,
    Peter Milchev
    Progress Telerik

  5. Jon
    34 posts, member since Apr 2009

    Posted 08 Oct in reply to Rumen

    hmmm

    I would have remembered seeing those emails...

    The site in question didn't/doesn't use any upload.

    So I basically have to set both Encryption & ConfigurationHashKey.

    Just uploading the Telerik dll to the bin folder from the latest release is all that's needed, and these keys set?

    How do I know if setting the keys has worked? Will the site simply not load if it doesn't?

  6. Rumen
    Admin, 14361 posts

    Posted 12 Oct

    Hi Jon,

    The only mandatory step is to upgrade to Telerik.Web.UI.dll version 2020.1.114 (R1 2020) or later.

    If the ConfigurationEncryptionKey and ConfigurationHashKey keys are not set in the web.config, the control will use the machine key to encrypt (protect) its configuration settings.

    There is no way to find out whether the configuration data is encrypted via the machineKey or custom keys, since this is going to be a security breach. Both options are secure. The custom keys just give you the ability to use different keys in the different apps you have instead of using one single machine key for all of them. This is a kind of diversification.

    Best Regards,
    Rumen
    Progress Telerik

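An added triage script (my own, not Telerik's and not from this thread) that reads a web.config and reports the two things the thread turns on: whether the Telerik keys are set with reasonably long values, and whether anything beyond the recommended <allow users="*" /> entry sits under the Telerik.Web.UI.WebResource.axd location. The appSettings key names are the ones Telerik documents for these keys and the 32-character threshold is my assumption; the script flags any system.webServer directive under that location, so it generalizes beyond the httpRedirect Jon found.

```python
import xml.etree.ElementTree as ET

# Telerik's documented appSettings names for the keys discussed in this thread
# (assumed here; check the docs for your version).
TELERIK_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_KEY_LEN = 32   # assumed threshold: shorter values are reported as weak
HANDLER = "telerik.web.ui.webresource.axd"


def audit_web_config(xml_text):
    """Report missing/weak Telerik keys and unexpected directives under the
    Telerik handler path in one web.config document."""
    root = ET.fromstring(xml_text)
    findings = {"missing_keys": [], "weak_keys": [], "suspicious": []}
    settings = {}
    for app in root.iter("appSettings"):
        for add in app.findall("add"):
            settings[add.get("key", "")] = add.get("value", "")
    for key in TELERIK_KEYS:
        if key not in settings:
            findings["missing_keys"].append(key)
        elif len(settings[key]) < MIN_KEY_LEN:
            findings["weak_keys"].append(key)
    for loc in root.iter("location"):
        if loc.get("path", "").lower() != HANDLER:
            continue
        # <system.web><authorization><allow users="*"/> is the entry Telerik
        # suggests; anything under system.webServer (e.g. httpRedirect) is not.
        for section in loc:
            if section.tag != "system.webServer":
                continue
            for el in section:
                findings["suspicious"].append(
                    f"<{el.tag}> under location {loc.get('path')}")
    return findings


# Constructed samples: the root web.config entry Jon quoted, with no keys set,
# and the redirect web.config found in the dropped folder (root tag as found).
ROOT_CFG = """<configuration><appSettings/>
<location path="Telerik.Web.UI.WebResource.axd"><system.web><authorization>
<allow users="*"/></authorization></system.web></location></configuration>"""
DROPPED_CFG = """<configaration><location path="Telerik.Web.UI.WebResource.axd">
<system.webServer><httpRedirect enabled="true" destination="ROOT"
httpResponseStatus="Permanent"/></system.webServer></location></configaration>"""

if __name__ == "__main__":
    for name, cfg in (("root", ROOT_CFG), ("dropped", DROPPED_CFG)):
        print(name, audit_web_config(cfg))
```

Run it against every web.config under the site root (including the ones inside any folder named like an .axd handler); the root config with no keys reports all three keys missing and nothing suspicious, while the dropped redirect config reports the httpRedirect.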

  7. Jon
    34 posts, member since Apr 2009

    Posted 12 Oct in reply to Rumen

    Ok great, so just updating the DLLs is good enough for now.

  8. Rumen
    Admin, 14361 posts

    Posted 12 Oct

    Yes, exactly! This upgrade is the most important step.

    Best regards,
    Rumen
