Telerik Controls Q1 2013 SP1: A Comprehensive Guide to the Latest Features and Fixes
Telerik's ASP.NET Persistence Framework provides an out-of-the-box mechanism for preserving end-user settings of RadControls, such as selected indexes, expanded states and position, between sessions. In addition, you can save custom key-value pairs to fulfill your scenario requirements.
Telerik UI for ASP.NET AJAX is a widely used suite of UI components for web applications. It insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host. The Managed Security Services (MSS) team at Bishop Fox has identified and exploited internet-facing instances of Telerik UI affected by this vulnerability for our clients. Since Telerik has just responded to this issue by releasing a security advisory for CVE-2019-18935, we're sharing our knowledge about it here in an effort to raise awareness about the severity of this vulnerability, and to encourage affected users to patch and securely configure this software. Patching instructions are included at the end of this post.
Targeting the Telerik.TelerikUI Assembly

In an ASP.NET AJAX web application, if you are using any version of the Telerik UI for ASP.NET AJAX control, you may be vulnerable to CVE-2013-2157 (also known as RadAsyncUpload), a deserialization vulnerability. We have tested and verified that the following Telerik UI controls are vulnerable to CVE-2013-2157:
There are two primary ways to exploit the vulnerability, each of which occurs during deserialization of a class contained in Telerik.TelerikUI.Web.UI.Controls. This deserialization occurs when the control is loaded. The deserialized data, along with other information, is used to create a thread's stack frame and CPU registers.