WebResource.axd getting Vulnerabilities on IBM App Scan test

6 posts, 0 answers
  1. Sanju
    6 posts
    Member since: Apr 2019

    Posted 31 May

    I have done an app scan on an ASP.NET application developed with Telerik controls, and I received the following vulnerabilities related to the Telerik controls:

    1. Catchable SSL Page Found

    2. Client Side (Javascript) Cookie References

    3. Query parameter in SSL Request

    As per our security feedback, these issues should be rectified. I had already explained that these are just assemblies which don't do any database operation and can be treated as false positives, but they suggested referring to the Australian Cyber Security Centre report on Advisory: Vulnerable versions of Telerik UI being actively exploited by APT actor.

    Please support in order to resolve the issue.

  2. Rumen
    Admin
    14317 posts

    Posted 01 Jun

    Hi Sanju,

    You are absolutely correct that the three findings of the IBM scanner are false positives.

    The vulnerability which is reported by the Australian Cyber Security Centre is explained in this article: https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization and since your app is running the latest version 2020.2.512 it is protected from all known vulnerabilities in the Telerik controls.

    The only thing I suggest you perform is to apply the recommended security settings in the web.config file - https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security#recommended-settings. You can see how to generate the keys via IIS on https://www.youtube.com/watch?v=J18zDKtiBFE

    Please let me know if you have any other questions.

    Regards,
    Rumen
    Progress Telerik

    Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
    Our thoughts here at Progress are with those affected by the outbreak.
  3. Sanju
    6 posts
    Member since: Apr 2019

    Posted 01 Jun in reply to Rumen

    Dear Rumen,

    I am using version 2017.3.913.40. How can I update Telerik on my server?

    I am not using any async file upload control; even then, should I apply this setting in web.config?

    Regards

    Sanju

  4. Rumen
    Admin
    14317 posts

    Posted 02 Jun

    Hi Sanju,

    If the AsyncUpload is not used in your app, you just need to disable its handler by setting in the web.config:

    <appSettings>
        <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
    </appSettings>

    You can see more on DisableAsyncUploadHandler.

    Recommendation - even when disabling file uploads, we recommend setting the main custom encryption keys, especially for versions prior to R3 2019 SP1.

    Regards,
    Rumen
    Progress Telerik

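    The two settings Rumen describes (disabling the AsyncUpload handler and setting custom encryption/hash keys) are worth verifying in the deployed web.config before re-running the scan. The script below is an added example, not code from the thread or from Telerik; it assumes the three documented Telerik key names shown in KEY_SETTINGS and treats any key shorter than 32 characters as weak.

```python
import xml.etree.ElementTree as ET

# Documented Telerik appSettings names for the custom keys (assumption: confirm
# them against the recommended-settings page linked earlier in the thread).
KEY_SETTINGS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
MIN_KEY_LENGTH = 32  # assumption: flag anything shorter as a weak key

def app_settings(config_xml: str) -> dict:
    """Return the <appSettings> key/value pairs of a web.config as a dict."""
    root = ET.fromstring(config_xml.encode())  # bytes, so an XML declaration is accepted
    section = root.find("appSettings")
    if section is None:
        return {}
    return {add.get("key"): add.get("value", "") for add in section.findall("add")}

def audit(config_xml: str) -> list:
    """Return findings as strings; an empty list means both settings are applied."""
    settings = app_settings(config_xml)
    findings = []
    if settings.get("Telerik.Web.DisableAsyncUploadHandler", "").lower() != "true":
        findings.append("Telerik.Web.DisableAsyncUploadHandler is not true (handler still served)")
    for name in KEY_SETTINGS:
        value = settings.get(name, "")
        if not value:
            findings.append(f"{name} is missing (built-in default key in use)")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{name} is shorter than {MIN_KEY_LENGTH} characters")
    return findings

# Constructed sample: an app that has applied none of the settings.
UNHARDENED = """<?xml version="1.0"?>
<configuration><appSettings>
  <add key="SomeUnrelatedSetting" value="x"/>
</appSettings></configuration>"""

# Constructed sample: handler disabled and custom keys set (placeholder values, not real keys).
PLACEHOLDER_KEY = "PLACEHOLDER_0123456789ABCDEF0123456789ABCDEF"
HARDENED = f"""<?xml version="1.0"?>
<configuration><appSettings>
  <add key="Telerik.Web.DisableAsyncUploadHandler" value="true"/>
  <add key="{KEY_SETTINGS[0]}" value="{PLACEHOLDER_KEY}"/>
  <add key="{KEY_SETTINGS[1]}" value="{PLACEHOLDER_KEY}"/>
  <add key="{KEY_SETTINGS[2]}" value="{PLACEHOLDER_KEY}"/>
</appSettings></configuration>"""
```

Run `audit()` over the real web.config contents; the unhardened sample yields four findings and the hardened one yields none.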
  5. Sanju
    6 posts
    Member since: Apr 2019

    Posted 02 Jun in reply to Rumen

    Thanks Rumen,

    Please let me know how to update Telerik to the latest version.

    I don't have open internet on the server, so please let us know which URL is being called for updating Telerik, so that I can whitelist it.

    Regards

    Sanju

  6. Rumen
    Admin
    14317 posts

    Posted 03 Jun

    Hi Sanju,

    The upgrade procedure is explained in detail in this article - Upgrade to a Newer Version of Telerik® UI for ASP.NET AJAX.

    Please ask the license holder in your company to add you as a licensed developer as explained in point 3 on https://www.telerik.com/purchase/faq/devcraft since this will give you access to the paid product under your account on https://www.telerik.com/account/product-download?product=RCAJAX.

    Regards,
    Rumen
    Progress Telerik
