Completed
Last Updated: 07 May 2020 11:48 by ADMIN
Release R2 2020
Christopher
Created on: 28 Apr 2020 17:00
Category: UI for ASP.NET AJAX
Type: Feature Request
0
Security Improvement in handling Telerik.Web.UI.DialogHandler errors

We recently went to address a vulnerability finding in our application whereby a user could exploit a vulnerability in the Telerik.Web.UI version 2015.3.1111.45. Unfortunately, after applying the patched version of this assembly, when running the exploit by calling [site root]/Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp={xxxxxxx}, the page returns a response of:

 

Cannot deserialize dialog parameters. Please refresh the editor page.

Error Message:The hash is not valid!

 

Our security team feels this error message is revealing, and would prefer to have a generic error message. We have a custom static generic HTML error message page for our site to catch all unhandled exceptions. Unfortunately, this error from Telerik.Web.UI does not fall through to the application level and there is apparently no way to override this error message. Please provide some kind of API or means to change the contents of this error message.

1 comment
ADMIN
Rumen
Posted on: 07 May 2020 11:48

Hi Christopher,

The error message will be changed in the upcoming R2 2020 release scheduled to appear in the middle of next week. Please consider upgrading your app to obtain the latest security improvements incorporated in that release.

Regards,
Rumen
Progress Telerik
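
For sites that cannot yet move to the release mentioned in the reply, one application-level way to mask the message is an `IHttpModule` that buffers the dialog handler's output and swaps in a generic body when the error text is present. This is an added example, not code from this thread or from Telerik; the class names and the generic body are hypothetical, and it assumes the handler writes its error through the normal ASP.NET response pipeline.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web;

// Added example (not Telerik code): replaces the verbose DialogHandler error body.
public sealed class DialogHandlerErrorMaskModule : IHttpModule
{
    // Handler file name and marker text are the ones quoted in the report above.
    private const string HandlerName = "Telerik.Web.UI.DialogHandler.aspx";
    private const string Marker = "Cannot deserialize dialog parameters";
    // Assumption: placeholder body; substitute the site's own static error page content.
    private const string GenericBody = "<html><body>An error occurred.</body></html>";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // Only filter the dialog handler; every other request is left untouched.
            if (ctx.Request.FilePath.EndsWith(HandlerName, StringComparison.OrdinalIgnoreCase))
                ctx.Response.Filter = new MaskingFilter(ctx.Response.Filter, ctx.Response);
        };
    }

    public void Dispose() { }

    // Buffers the whole response in memory so it can be inspected before it is sent.
    private sealed class MaskingFilter : MemoryStream
    {
        private readonly Stream _inner;
        private readonly HttpResponse _response;
        private bool _written;

        public MaskingFilter(Stream inner, HttpResponse response)
        {
            _inner = inner;
            _response = response;
        }

        // ASP.NET closes the filter once the final chunk has been written to it.
        public override void Close()
        {
            if (!_written)
            {
                _written = true;
                Encoding enc = _response.ContentEncoding;
                byte[] body = ToArray();
                if (enc.GetString(body).IndexOf(Marker, StringComparison.OrdinalIgnoreCase) >= 0)
                    body = enc.GetBytes(GenericBody);   // drop the revealing text entirely
                _inner.Write(body, 0, body.Length);
                _inner.Flush();
            }
            base.Close();
        }
    }
}
```

The module has to be registered in `web.config` under `<system.webServer><modules>` (integrated pipeline) before it takes effect, and should be removed once the upgraded assembly returns an acceptable message on its own.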
