Unrestricted File Upload

Atul Alurkar asked on 08 Apr 2024, 08:06 AM

Dear Team,

We are currently using Telerik version 2013.1.0.403 in our application. One of our clients has highlighted an Unrestricted File Upload issue concerning the RadAsyncUpload function.

The impact of the concern is that the RadAsyncUpload's AsyncUploadHandler was configured with a static key for encrypting form data in file upload requests. This key, PrivateKeyForEncryptionOfRadAsyncUploadConfiguration, was not changed from its default value. As a result, an attacker could exploit this by crafting a file upload request to /Telerik.Web.Ui.WebResource.axd?type=rau with a custom encrypted rauPostData POST parameter.

This could allow the attacker to upload malicious files and potentially gain unauthorized access, such as a web shell.

How do we configure the PrivateKeyForEncryptionOfRadAsyncUploadConfiguration, and what is the procedure for doing so?
Thank you in advance for your cooperation.

Rumen
Telerik team
answered on 08 Apr 2024, 08:33 AM

Hi Atul,

The vulnerability associated with Unrestricted File Upload in RadAsyncUpload is comprehensively discussed in the referenced article: Unrestricted File Upload in RadAsyncUpload.

Due to the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability, we strongly recommend upgrading to R1 2020 (version 2020.1.114) or later since the patches provided for CVE-2014-2217 and CVE-2017-11317 do not prevent it. You can find the installation of version 2020.1.114 attached to my reply in your ticket 1644874 (RadAsyncUpload Deserialization Vulnerability).

You can find more details and instructions at Allows JavaScriptSerializer Deserialization and Blue Mockingbird Vulnerability Picks up Steam—Telerik Guidance.

    Regards,
    Rumen
    Progress Telerik

    Atul Alurkar
    commented on 08 Apr 2024, 11:10 AM

    Hi Rumen,

    Thank you for your information.

    A client has raised this issue, and we aim to resolve it early. We suppose that upgrading and conducting a regression of the entire application to the latest Telerik version may take some time.

    In the meantime, how can we modify the value of the default key mentioned in the ticket?

    Thank you

    Rumen
    Telerik team
    commented on 08 Apr 2024, 11:17 AM

    You can use the IIS MachineKey Validation Key generator to get the encryption keys (make sure to avoid the ,IsolateApps portion). You can see the steps for generating the security keys in this YouTube video. Do not forget to select the HMACSHA256 validation method, which is the recommended one for generating the keys.

    Note that even after updating the security keys for the following security attributes of RadAsyncUpload

            <!-- both values are placeholders: replace them with the generated keys -->
            <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
            <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />

    your app will still be exposed to, and not protected against, the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability.

    The only reliable way to prevent it is to upgrade to 2020.1.114 or newer. The best approach is to upgrade to the latest version.
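As an added illustration (example code, not Telerik's and not from this thread), a small Python audit that checks a web.config for the two appSettings keys named in the comment above and for a Telerik.Web.UI assembly reference older than 2020.1.114. The sample config, the "YOUR-" placeholder test, the 32-character minimum and the 64-byte key size produced by generate_key() are assumptions of the example.

```python
# Added example: audit a web.config for the RadAsyncUpload key settings and version.
import re
import secrets
import xml.etree.ElementTree as ET

REQUIRED_KEYS = ("Telerik.AsyncUpload.ConfigurationEncryptionKey",
                 "Telerik.Upload.ConfigurationHashKey")
PATCHED_VERSION = (2020, 1, 114)  # R1 2020, the version the answer names as the fix

def generate_key():
    """64 random bytes as hex: a strong value for either appSettings entry (size is an assumption)."""
    return secrets.token_hex(64)

def telerik_version(root):
    """Read the Telerik.Web.UI version from <compilation><assemblies>, or None if absent."""
    for add in root.iter("add"):
        asm = add.get("assembly", "")
        if asm.startswith("Telerik.Web.UI,"):
            m = re.search(r"Version=(\d+)\.(\d+)\.(\d+)", asm)
            if m:
                return tuple(int(x) for x in m.groups())
    return None

def audit_web_config(xml_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    settings = {a.get("key"): a.get("value", "") for a in root.iterfind("appSettings/add")}
    findings = []
    for key in REQUIRED_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} is not set; the default key is in use")
        elif value.startswith("YOUR-") or len(value) < 32:
            findings.append(f"{key} is a placeholder or too short")
    version = telerik_version(root)
    if version is not None and version < PATCHED_VERSION:
        findings.append("Telerik.Web.UI %d.%d.%d predates 2020.1.114 (CVE-2019-18935)" % version)
    return findings

# Constructed sample config for demonstration; not taken from any real application.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
  </appSettings>
  <system.web><compilation><assemblies>
    <add assembly="Telerik.Web.UI, Version=2013.1.403.40, Culture=neutral" />
  </assemblies></compilation></system.web>
</configuration>"""

print(*audit_web_config(SAMPLE_WEB_CONFIG), sep="\n")
```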
