Hi,
I upgraded my ASP.NET MVC project to .NET 7 and updated Telerik to Progress® Telerik® UI for ASP.NET Core version 2023.3.1010, which is the latest. This Telerik package pulls in Microsoft.AspNetCore.Mvc.Core and Microsoft.AspNetCore.Mvc.Cors. Both these packages are deprecated and contain vulnerabilities as noted in CVE-2019-0548: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2019-0548
Questions:
- Do you plan on removing the reference to the deprecated packages? Apparently everything is now included in the base ASP.NET SDK Microsoft.NET.Sdk.Web.
- Does using this package leave us vulnerable to the issue noted in the CVE?
Thanks!
While scanning our projects for security vulnerabilities, we noticed that Telerik.UI.for.AspNet.Core 2023.2.606 references an of .NET Core 2.1, which is 5 years old and long since unsupported. This means that using Telerik.UI.for.AspNet.Core immediately introduces the critical security vulnerabilities present in .NET Core 2.1. Why does it depend on this ancient version of .NET?
Here is a new completely empty project created just now (July 2023!) and you can see the references to .NET Core 2.1:
And here's a resulting security scan of this empty project:
Is .NET Core still supported by Telerik? It seems odd this hasn't been fixed in 5 years.
We often have hacking attempts like https://our_ip/Telerik.Web.UI.WebResource.axd?....
Can I change the name of WebResource.axd to something like xyz.axd?
My application is redirected from https://application.domain.com to http://servername.domain.net
I'm using Windows authentication with the [Authorize] control in my Web API.
When I call my Web API to populate a DataSource it works:
.DataSource(source => source
    .Custom()
    .Transport(transport =>
    {
        // Settings object handed to the client-side jQuery.ajax call
        transport.Read(new
        {
            url = $"{WebApiUrl}",
            xhrFields = new { withCredentials = true }, // send the Windows credentials cross-origin
            DataType = "json",
            Data = "forgeryToken"
        });
    })
)
Instead, if I use the HttpClient class, it seems that the request loses the credentials and it returns an unauthorized error 401:
services.AddHttpClient<Class>()
    .ConfigurePrimaryHttpMessageHandler(sp =>
        new HttpClientHandler()
        {
            AutomaticDecompression = System.Net.DecompressionMethods.GZip,
            // Forward the current Windows identity (Negotiate/NTLM) with the request
            UseDefaultCredentials = true,
        });
When I don't use the redirection and call http://servername.domain.net directly, it works.
How can I use the HttpClient class to maintain the credentials?
I know it's not related to Telerik, but I don't understand why it works with Telerik, and I hope that someone can help me.
Thank you
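An added example, not the poster's or Telerik's code, showing one way to make the HTTPS-to-HTTP redirect visible instead of ending up with a bare 401: the typed client name WebApiClient is hypothetical, and the handler is configured so the redirect is surfaced rather than followed silently while Windows credentials are attached.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical typed client registered with AddHttpClient<WebApiClient>().
public sealed class WebApiClient
{
    private readonly HttpClient _http;

    public WebApiClient(HttpClient http) => _http = http;

    // Performs the GET and reports a redirect instead of silently following it,
    // so a hop to another host or from HTTPS down to HTTP shows up in the logs.
    public async Task<string> GetAsync(string url)
    {
        using HttpResponseMessage response = await _http.GetAsync(url);

        if ((int)response.StatusCode is >= 300 and < 400)
        {
            Uri? target = response.Headers.Location;
            throw new HttpRequestException(
                $"Request to {url} was redirected to {target}; " +
                "credentials are not carried across that hop, so call the final URL directly.");
        }

        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

// Registration (Program.cs / Startup.ConfigureServices), assumed to sit next to
// the AddHttpClient call from the question.
public static class WebApiClientRegistration
{
    public static IServiceCollection AddWebApiClient(this IServiceCollection services) =>
        services.AddHttpClient<WebApiClient>()
            .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
            {
                AutomaticDecompression = DecompressionMethods.GZip,
                UseDefaultCredentials = true, // Windows (Negotiate/NTLM) identity of the app pool
                AllowAutoRedirect = false,    // surface the HTTPS -> HTTP redirect instead of following it
            })
            .Services;
}
```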
In my Web API I'm using the [Authorize] control.
When I call my Web API to populate a grid or a dropdown with this code
.DataSource(source => source.Custom()
    .Transport(transport => transport.Read(read =>
    {
        read.Url($"{WebApiUrl}")
            .DataType("json")
            .Data("forgeryToken"); // client-side function that supplies the anti-forgery token
    }))
    .PageSize(12)
)
only on localhost it returns this error: "Failed to load resource: the server responded with a status of 401 (Unauthorized)".
Instead, if I use an AJAX call in JavaScript, it works:
$.ajax({
    url: `${WebApiUrl}`,
    method: 'get',
    crossDomain: true,
    cache: false,
    xhrFields: {
        withCredentials: true, // include the Windows auth credentials on the cross-origin request
    },
    success: function (data) {
        options.success(data); // hand the rows back to the Kendo DataSource (custom transport read)
    }
});
I've searched on Google but I didn't find anything that can help me. Do I have to pass the credentials somehow?
Thank you
I am using the Telerik Report Designer to build my reports and the HTML report viewer to display them.
When I use MySql.Data.MySqlClient with a standard connection string (server, uid etc.) everything works fine.
When I use an ODBC DSN connection, however, the connection works in the report builder, but in the report viewer it says the following:
An error has occurred while processing Table 'table2':Unable to establish a connection to the database. Please verify that your connection string is valid. In case you use a named connection string from the application configuration file, make sure the name is correct and the connection string settings are present in the configuration file of your application.------------- InnerException -------------Keyword not supported: 'dsn'
I do have System.Data.Odbc installed, as this is what I use for my DB connections and this is also what the report builder uses.
Telerik Reporting v16.2
.Net core 6 (long term support)
While security testing the application with the OWASP ZAP tool, a medium risk level alert 'Absence of Anti-CSRF Token' is popping up for a form tag in Kendo.all.min.js.
I even tried to update the Kendo version to 2022 (latest) in Kendo.all.min.js.
Are there any ways to resolve it?