Dear Team,
We are currently using Telerik version 2013.1.0.403 in our application. One of our clients has highlighted an Unrestricted File Upload issue concerning the RadAsyncUpload function.
The impact of the concern is that the RadAsyncUpload's AsyncUploadHandler was configured with a static key for encrypting form data in file upload requests. This key, PrivateKeyForEncryptionOfRadAsyncUploadConfiguration, was not changed from its default value. As a result, an attacker could exploit this by crafting a file upload request to /Telerik.Web.Ui.WebResource.axd?type=rau with a custom encrypted rauPostData POST parameter.

This could allow the attacker to upload malicious files and potentially gain unauthorized access, such as a web shell.
How do we configure the PrivateKeyForEncryptionOfRadAsyncUploadConfiguration, and what is the procedure for doing so?
Thank you in advance for your cooperation.
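The procedure the post asks about comes down to replacing the default key with a per-application secret in web.config. The script below is an added example written for this page, not code from the poster or from Telerik. It assumes the web.config path (a parameter you adjust), and it uses the appSettings names Telerik documents for UI for ASP.NET AJAX: Telerik.AsyncUpload.ConfigurationEncryptionKey (the key the post refers to), plus Telerik.Upload.ConfigurationHashKey and Telerik.Web.UI.DialogParametersEncryptionKey, which Telerik recommends setting alongside it. Any entry that is missing, shorter than 32 characters, or still equal to the default string named in the post is replaced with 32 bytes from the OS random number generator.

```powershell
# Added example (not from the original post or from Telerik): set unique
# Telerik upload/dialog keys in a web.config's <appSettings>.
# Assumption: the web.config path is passed in or sits in the current directory.
param(
    [string]$WebConfigPath = ".\web.config"
)

# Default value the post reports was left in place; anything equal to it is replaced.
$defaultAsyncUploadKey = "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"

# appSettings names as documented by Telerik for UI for ASP.NET AJAX.
$keyNames = @(
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey"
)

function New-RandomKey {
    # 32 bytes from the OS CSPRNG, base64-encoded (44 printable characters,
    # which satisfies the minimum length Telerik asks for).
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

function Test-WeakKey([string]$Value) {
    # Treat an empty, short, or default value as one that must be replaced.
    return ([string]::IsNullOrWhiteSpace($Value) -or
            $Value.Length -lt 32 -or
            $Value -eq $defaultAsyncUploadKey)
}

[xml]$config = Get-Content -Path $WebConfigPath -Raw

# SelectSingleNode returns $null (not an empty string) when the node is absent,
# so it is safer here than the $config.configuration.appSettings shortcut.
$appSettings = $config.SelectSingleNode("/configuration/appSettings")
if ($null -eq $appSettings) {
    $appSettings = $config.CreateElement("appSettings")
    [void]$config.DocumentElement.AppendChild($appSettings)
}

foreach ($name in $keyNames) {
    $entry = $appSettings.SelectSingleNode("add[@key='$name']")
    if ($null -eq $entry) {
        $entry = $config.CreateElement("add")
        $entry.SetAttribute("key", $name)
        [void]$appSettings.AppendChild($entry)
    }
    if (Test-WeakKey $entry.GetAttribute("value")) {
        $entry.SetAttribute("value", (New-RandomKey))
        Write-Host "Set a new random value for $name"
    } else {
        Write-Host "Keeping existing value for $name"
    }
}

$config.Save((Resolve-Path $WebConfigPath).Path)
```

Two points a practitioner will want to check after running this. Saving web.config restarts the application, and every server that serves the same application must carry identical values, otherwise uploads encrypted on one node cannot be decrypted on another. Keys in plain text in web.config are readable by anyone with file access; ASP.NET's protected configuration (aspnet_regiis -pe appSettings) encrypts the section at rest without changing how Telerik reads it. Finally, the post gives the build as 2013.1.0.403; confirm against Telerik's own security advisory for that build whether changing the key is a complete fix or whether a version upgrade is also required, since this script only addresses the default-key condition the post describes.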