
When I was browsing the DOM elements in the radWindow, I discovered a hidden textbox called ctl00_phMaster_radWindowTest_ClientState. My colleague received a report that at one point this hidden textbox (..._ClientState) had a value in it.
I would like to know:
- what is the role/function of the ClientState?
- under what conditions do the ClientState get populated?
- what values does the ClientState contain?
I use the radWindow in a secure site and don't want ClientState exposing any sensitive information.
Thank you,
Arie
6 Answers, 1 is accepted
Straight to your questions:
1) The ClientState hidden field is used to send information about changes done on the client to the server. It most often concerns layout configuration, e.g. if the width is changed through the client-side set_width method and the control needs this information on the server, this is written in the hidden field. This field is rendered by the base class of RadControls, and the RadWindow in particular does not actually use it but gets it rendered by the base class.
2) The ClientState hidden field is used for certain functionality for certain controls - there are no exact universal rules - its role is to send configuration information. E.g. the RadWindow control is entirely created on the client, including its UI, and thus it does not need to send client changes back to the server.
3) The ClientState field contains some specific configuration settings - you can alert its value to see what it holds. E.g. the RadPane control uses it and it holds information about minWidth, minHeight, locked, etc. properties because they are needed on the server to have the control working properly.
4) There are no security issues related to the ClientState field - it does not expose any additional information, different from the one which is already on the page. In addition, it most often contains some basic layout configuration properties and if somebody can change those, he does not need to do it through the ClientState field because he will be able to directly do it without using this information.
I hope that my explanation is detailed enough, let me know if you have additional questions.
Svetlina
the Telerik team
I also have the same vulnerability issue with the ClientState for RadscriptManager.
Can you guys help me?
Hi Payal,
Please upgrade to the latest 2023 R2 SP1 version 2023.2.714. If you still experience any issues open a support ticket where you can privately share the vulnerability scanner report and the steps to reproduce the vulnerability in a reliable way. Thank you!

Arie

What about XSS attacks injecting some JavaScript into the ClientState hidden field?
How to protect against that?
AppScan found issues with this for the RadDateInput field.
Thanks
As my colleague stated in the previous reply, there are no known security issues with the ClientState field. Our code goes through several automated tools that test for security vulnerabilities and has also been tested by third party vendors. If you have found some issue it is possible that it is in the latest version, and we would appreciate it if you could provide more information on the exact issue you are experiencing, but we are not aware of any risks as of now.
All the best,
Marin
the Telerik team

Hi,
I'm seeing a buffer overflow attack with the ClientState hidden field on the page... Any idea how I can prevent it?
They can tamper with the hidden ClientState field and post the request:
ctl00_ctl00_MainContent_MainContent_MyRequestGrid1_MyRequestCustomRadGrid_ClientState=AAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
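A server-side guard for the posted ClientState value, added here as an illustration and not Telerik's own code. It assumes the field carries a JSON object of layout settings such as minWidth, minHeight and locked (named in the accepted answer above) and uses a constructed length bound; oversized scanner padding like the request above, non-JSON text, unexpected keys and script text in a numeric field are all rejected before the value reaches the control, and anything written back into the page is HTML-encoded.

```javascript
// Added example (not Telerik code). Assumption: ClientState is a JSON object
// of layout settings; the bound below is a constructed value, not a Telerik limit.
const MAX_CLIENT_STATE_LENGTH = 512;

// Allowlist: a Map (not a plain object) so keys like "__proto__" or
// "constructor" never match an inherited property.
const pixels = v => Number.isInteger(v) && v >= 0 && v <= 10000;
const ALLOWED_KEYS = new Map([
  ["width", pixels],
  ["height", pixels],
  ["minWidth", pixels],
  ["minHeight", pixels],
  ["locked", v => typeof v === "boolean"],
]);

// Returns { ok: true, state } with only the validated keys, or { ok: false, reason }.
function validateClientState(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "missing" };
  // Rejects scanner padding (e.g. hundreds of "A"s) before any parsing happens.
  if (raw.length > MAX_CLIENT_STATE_LENGTH) return { ok: false, reason: "too long" };
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { ok: false, reason: "not JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { ok: false, reason: "not an object" };
  }
  const state = Object.create(null);
  for (const [key, value] of Object.entries(parsed)) {
    const check = ALLOWED_KEYS.get(key);
    if (!check) return { ok: false, reason: `unexpected key ${key}` };
    if (!check(value)) return { ok: false, reason: `bad value for ${key}` };
    state[key] = value;
  }
  return { ok: true, state };
}

// Encode before echoing any accepted value into HTML so it can never become markup.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

module.exports = { validateClientState, htmlEncode, MAX_CLIENT_STATE_LENGTH };
```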