AUTHOR: Rumen Zhekov
DATE POSTED: December 09, 2019
Check the table below and apply the recommendations to fully secure the version of Telerik.Web.UI.dll used in your projects:
| Telerik.Web.UI.dll version | Can an attacker stage a malicious RadAsyncUpload request? | Type whitelisting in RadAsyncUpload | Recommendation |
| --- | --- | --- | --- |
| Q1 2011 (2011.1.315) through R2 2017 SP1 (2017.2.621) | An attacker is able to break the RadAsyncUpload encryption and stage a malicious request. The type whitelisting feature of RadAsyncUpload is not enabled. | This feature is not available | Upgrade to R3 2019 SP1 or later and apply the recommended security settings. |
| R3 2019 SP1 (2019.3.1023) | Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys | The feature is opt-in | Apply the recommended security settings. |
| R1 2020 (due in mid-January) and later | Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys | The feature is enabled by default | Apply the recommended security settings. |
We would like to thank Markus Wulftange of Code White GmbH and Paul Taylor (@bao7uo) for assisting with making the information public.