Prerequisites for an Attack
An attacker can break the RadAsyncUpload encryption (or have prior knowledge of your custom encryption keys) and stage a malicious request.
The type whitelisting feature of RadAsyncUpload is not enabled (see AllowedCustomMetaDataTypes appSettings key).
To make sure you are not vulnerable we recommend that you upgrade to R1 2020 or later as shown in the diagram below:
For more information, please check the table below and apply the recommendations to fully secure the version of Telerik.Web.UI.dll used in your projects:
|Telerik.Web.UI.dll versions||An attacker is able to break the RadAsyncUpload encryption and stage a malicious request||The type whitelisting feature of RadAsyncUpload is not enabled||Recommendation|
|Q1 2011 (2011.1.315) to R2 2017 SP1 (2017.2.621)||Possible||This feature is not available||Upgrade to R3 2019 SP1 or later and apply the recommended security settings.|
|R2 2017 SP2 (2017.2.711) to R3 2019 (2019.3.917)||Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys||This feature is not available||Upgrade to R3 2019 SP1 or later and apply the recommended security settings.|
|R3 2019 SP1 (2019.3.1023)||Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys||The feature is opt-in||Apply the recommended security settings.|
|R1 2020 (2020.1.114) and later||Not possible through RadAsyncUpload, unless the attacker has access to your encryption keys||The feature is enabled by default||Apply the recommended security settings.|
How to Obtain R1 2020 or Later?
If you have an active license go the the Downloads section, look for version 2020.1.114 or later in the Version dropdown and download the Telerik_UI_for_ASP.NET_AJAX_2020_1_114_Dev_hotfix.zip archive. You can see how to update your project here. For any questions, you can contact us via the support ticketing system.
If you don't have an active license, you can reach out the Telerik support by opening a General Feedback ticket.
We would like to thank Markus Wulftange of Code White GmbH and Paul Taylor (@bao7uo) for assisting with making the information public.