Telerik Web UI Insecure Direct Object Reference - Vulnerability Database

Telerik Web UI Insecure Direct Object Reference

Description

The Telerik UI for ASP.NET AJAX component contains an Insecure Direct Object Reference vulnerability (CVE-2017-11357) in the RadAsyncUpload feature. The upload handler (Telerik.Web.UI.WebResource.axd?type=rau) trusts the upload configuration that the client sends along with the file, including the target folder, instead of enforcing server-side restrictions. An attacker who can reach the handler, with no authentication required, can therefore write attacker-supplied files to locations of their choosing on the server. If the chosen location is inside the web root and the file is an executable page (for example an .aspx web shell), this escalates to remote code execution. Progress fixed the issue in R2 2017 SP2 (2017.2.711); earlier releases that expose the handler are affected.

Note: This detection is a fingerprint based on the identified version of Telerik UI; no upload was attempted. The vulnerability can lead to remote code execution, but actual exploitability has not been confirmed in this instance.
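The version-based check described in the note can be reproduced offline. The following is an added example, not code from the original page or from Invicti or Progress. It assumes the Telerik.Web.UI assembly version is disclosed in the `_TSM_CombinedScripts_` query string of a WebResource.axd reference in a page response (a common fingerprint), takes 2017.2.711 as the fixed version from the Progress advisory for CVE-2017-11357, and uses a constructed sample response; the function names are the author's own.

```python
import re
from urllib.parse import unquote_plus

# Version in which Progress fixed CVE-2017-11357 (R2 2017 SP2).
IDOR_FIXED_VERSION = (2017, 2, 711)

# Telerik assembly versions look like "2017.1.118.45"; the fourth component
# encodes the target .NET framework and is irrelevant for the comparison.
_VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d+)\.(\d+)\.(\d+)")

# Constructed sample: the URL-encoded script-manager reference as it would
# appear in HTML served by an application using Telerik UI 2017.1.118.
SAMPLE_RESPONSE = (
    '<script src="/Telerik.Web.UI.WebResource.axd?'
    "_TSM_HiddenField_=ctl00_RadScriptManager1_TSM"
    "&_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2017.1.118.45"
    '%2c+Culture%3dneutral"></script>'
)


def parse_version(text):
    """Return the first Telerik.Web.UI assembly version in text as a
    (year, release, build) tuple, or None if none is disclosed."""
    match = _VERSION_RE.search(unquote_plus(text))
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version):
    """True if the version predates the R2 2017 SP2 fix for the IDOR."""
    return tuple(version) < IDOR_FIXED_VERSION


def assess(text):
    """Fingerprint a response body. Returns None when no version is disclosed,
    otherwise a dict with the version string and the IDOR verdict."""
    version = parse_version(text)
    if version is None:
        return None
    return {
        "version": ".".join(str(part) for part in version),
        "cve_2017_11357": is_vulnerable_version(version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))  # -> {'version': '2017.1.118', 'cve_2017_11357': True}
```

As the note says, this is a fingerprint: a vulnerable version string only tells you the handler is worth testing, and a patched version string does not prove the application's own web.config is configured safely.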

Remediation

Take the following steps to remediate this vulnerability:

1. Upgrade Telerik UI: Update Telerik.Web.UI for ASP.NET AJAX immediately. R2 2017 SP2 (2017.2.711) is the first release that fixes this issue, but later releases address further RadAsyncUpload issues, so move to the current release. Consult the Telerik Release History to confirm which version you are on and which to install.

2. Enable Security Features: Configure RadAsyncUpload with explicit encryption and hash keys by adding the following to your web.config. Use two different, long, randomly generated values (32 characters or more); never reuse one value for both keys and never leave a default or placeholder in place:

    <appSettings>
      <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="FIRST_UNIQUE_STRONG_KEY" />
      <add key="Telerik.Upload.ConfigurationHashKey" value="SECOND_UNIQUE_STRONG_KEY" />
    </appSettings>

3. Implement File Type Validation: Restrict the allowed file extensions on the server side and validate file content, not just the extension supplied by the client.

4. Apply Least Privilege: Point the upload and temporary folders at directories with minimal permissions, preferably outside the web root, and make sure files placed there cannot be executed by the web server.

5. Review Security Guide: Follow all recommendations in the official RadAsyncUpload Security Guide at https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security
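Step 2 is easy to get wrong (a copied placeholder, or the same value pasted into both keys), so a small audit of web.config pays off. The following is an added example, not code from the original page or from Progress. It checks the two appSettings keys named above for presence, length, reuse, and known bad values (the placeholder text and the hard-coded default that shipped with vulnerable releases), and can rewrite the file with fresh random keys. The weak web.config it operates on is constructed for the example and the function names are the author's own.

```python
import secrets
import xml.etree.ElementTree as ET

# appSettings keys named in the RadAsyncUpload security guide.
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
)
MIN_KEY_LENGTH = 32

# Values that must never be used: the placeholder from remediation text and the
# hard-coded default key that vulnerable releases fell back to when no key was set.
REJECTED_VALUES = {
    "YOUR_UNIQUE_STRONG_KEY",
    "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration",
}

# Constructed sample: a web.config where the remediation snippet was pasted
# verbatim, so both keys carry the same placeholder value.
WEAK_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_UNIQUE_STRONG_KEY" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_UNIQUE_STRONG_KEY" />
  </appSettings>
</configuration>
"""


def _app_settings(root):
    """Map appSettings key -> value; a later <add> overrides an earlier one, as ASP.NET does."""
    app = root.find("appSettings")
    if app is None:
        return {}
    return {add.get("key"): add.get("value", "") for add in app.findall("add")}


def audit_web_config(xml_text):
    """Return a list of findings for the RadAsyncUpload keys; an empty list means they look sane."""
    settings = _app_settings(ET.fromstring(xml_text))
    findings = []
    for key in REQUIRED_KEYS:
        value = settings.get(key)
        if value is None or value == "":
            findings.append(f"{key}: missing or empty")
        elif value in REJECTED_VALUES:
            findings.append(f"{key}: placeholder or hard-coded default value")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{key}: shorter than {MIN_KEY_LENGTH} characters")
    values = [settings.get(key) for key in REQUIRED_KEYS]
    if None not in values and len(set(values)) < len(values):
        findings.append("ConfigurationEncryptionKey and ConfigurationHashKey must not share a value")
    return findings


def generate_key(nbytes=48):
    """A fresh random key from the OS CSPRNG (48 bytes -> 64 URL-safe characters)."""
    return secrets.token_urlsafe(nbytes)


def harden_web_config(xml_text):
    """Return web.config text with both RadAsyncUpload keys replaced by distinct random values."""
    root = ET.fromstring(xml_text)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    for key in REQUIRED_KEYS:
        for add in app.findall("add"):
            if add.get("key") == key:
                app.remove(add)
        ET.SubElement(app, "add", key=key, value=generate_key())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_web_config(WEAK_WEB_CONFIG):
        print("weak:", finding)
    print(harden_web_config(WEAK_WEB_CONFIG))
```

Run the audit against every web.config in the deployment, including transformed configs produced at publish time, since a transform that drops the appSettings section silently reintroduces the default key. Treat the generated values as secrets: store them with the same care as connection strings and rotate them if they are ever exposed.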
