Telerik Security Patch

UPDATED September 6, 2017

Telerik has released another 2 security notices involving their RadAsyncControl component, and provided newly patched files to address these issues: Insecure Direct Object Reference Unrestricted File Upload

This component is not used in OneWeb, and as a result OneWeb sites are not vulnerable to this issue.  However, in case you have an application that makes use of the component, please update the Telerik.Web.UI.dll file as directed in their instructions.

OneWeb Version Patch file
7.2.6407 7.2.6407 Telerik Patch file
7.2.5799 7.2.5799 Telerik Patch file
7.1.5610 Telerik Patch file
7.0.5365 7.0.5365 Telerik Patch file
7.0.5172 7.0.5172 Telerik Patch file
7.0.5070 7.0.5070 Telerik Patch file


Earlier details:


Telerik has released a security patch for their RadControls component suite, which is used in OneWeb for the rich-text editor along with a number of other user-interface components, such as the grids and tabbed interfaces.  Please download the patch appropriate for your version of OneWeb, unzip the file, and place it in the /bin folder of your webroot.

Further details can be found on Telerik's notice here.

The security issue involves the creation of pop-up dialogues used by the editor, and allows a hacker to determine the cryptographic keys used by the system to encrypt data.  This will not expose passwords or other sensitive data from OneWeb, but it may allow the user to make arbitrary uploads.  OneWeb quarantines all uploaded files so that unless they are processed during a normal media upload, they will not normally be accessible to public users.

As always, it is prudent to maintain strong passwords, keep access limited to only those who require it, utilize secure (https) access to your site to prevent man-in-the-middle attacks, and keep OneWeb updated to the latest version.