Security Flaw in Telerik.Web.UI.dll Reported

  • Updated

This article discusses the concerns that customers had with some security flaw announcements from Telerik and how this relates to Ektron.

Cryptographic Weakness
Unrestricted file upload
Insecure direct object reference
Allows JavaScriptSerializer Deserialization

These reports are not an issue for Ektron. Please see the full breakdown below. 

According to the Telerik documentation for the issues, the product is not vulnerable. For all the issues listed, you must have the handlers defined in your web.config. In a default Ektron installation none of those handlers are enabled.

 For the first issue:
"You can test whether the handler is available by requesting the following URL under you application root: Telerik.Web.UI.DialogHandler.aspx?checkHandler=true"; this for us returns a 404.

 For the second and third and forth issues:
This is not an issue for Ektron as an older version is leveraged which does not include the RadAsyncUpload.