Are you a web dev? FFS: update your libraries!

I’ve mentioned this a couple of times: I log 404 errors on this, my blogging site. A couple of valid reasons I suppose: to make sure that the content I upload is accessible, and to ensure that my URL redirections to my older blog (on a new domain) are working properly.

Of course there’s still the fun aspect to it: watching what the script kiddies are trying to access in order to hack the site. In the past, it’s been mostly well-known PHP pages (presumably from WordPress) that might not have been fixed properly from some reported vulnerability. A few days ago I reported on a weird PHP access attempt, from an already patched issue.

In that last post I quickly mentioned in an offhand manner that someone was attempting to access a Telerik ASPX page on my site. Yeah, me, the CTO of Telerik’s biggest competitor using their libraries? Give me a break.

But let me look at that issue in slightly more detail. In essence, some script kiddie was trying to access telerik.web.ui.dialoghandler.aspx. Wut? A very quick search with Google got me to this page, where the author not only identifies the issue (Cryptographic Weakness: CVE-2017-9248, but in essence, you can access any file in any folder on the web server – hmm, web.config anyone?) but then goes into detail on how to exploit the vulnerability. Including a repo on GitHub of the code needed, so you don’t have to start from scratch.

The important thing about all this is? TELERIK FIXED THIS IN 2017! Three years ago as I write this. In other words, there are still sites out there that have this vulnerability because their web dev team has not updated the underlying library. Or, to be honest, since Telerik sells their libraries the same way DevExpress does, via an annual subscription, they have not kept (that is, paid) their subscriptions up to date. FFS.
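The 404 log mentioned at the top of the post is, in effect, a detector for exactly this kind of probing. As an added example (not the author's own logger, and nothing from Telerik or DevExpress), here is a small Python script that reads access-log lines in Combined Log Format, flags requests for endpoints a site should not be serving, and separates the harmless 404s from the alarming case: the request succeeded, meaning the library really is deployed and its version needs checking. The log lines, the IP addresses and the "no PHP on this site" rule are all constructed for the example; the Telerik handler path is the one named in the post.

```python
"""Flag requests for known-probed library endpoints in a web server access log.

Added example for this post, not the author's own 404 logger.  Assumes the
Combined Log Format (Apache/nginx style).  The watchlist is constructed: the
Telerik handler is the path named in the post, the PHP rule assumes the site
serves no PHP at all (adjust for your own stack).
"""
import re
from collections import Counter

# ip, ident, authuser, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints a site that does not use the library should never legitimately serve.
WATCHLIST = [
    ("telerik-dialoghandler", re.compile(r"telerik\.web\.ui\.dialoghandler\.aspx", re.I)),
    ("php-on-non-php-site", re.compile(r"\.php(?:$|/)", re.I)),  # assumption: no PHP here
]


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Match on the path only; a query string must not hide the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_probes(lines):
    """Return (rule_name, ip, path, status) for each request hitting the watchlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in WATCHLIST:
            if pattern.search(rec["path"]):
                hits.append((name, rec["ip"], rec["path"], rec["status"]))
                break
    return hits


def served_probes(hits):
    """The hits that were NOT rejected: the server answered with a non-error status,
    so the probed component actually exists and its version must be verified."""
    return [h for h in hits if h[3] < 400]


def probes_by_ip(hits):
    """Count watchlist hits per client address to spot a single source scanning the site."""
    return Counter(ip for _, ip, _, _ in hits)


# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jul/2020:03:14:07 +0000] "GET /Telerik.Web.UI.DialogHandler.aspx HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2020:03:14:09 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2020:03:15:00 +0000] "GET /blog/2020/07/libraries/ HTTP/1.1" 200 8127 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jul/2020:03:15:02 +0000] "GET /images/mach1.jpg HTTP/1.1" 200 51822 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [10/Jul/2020:03:16:40 +0000] "GET /telerik.web.ui.dialoghandler.aspx?dp=1 HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '192.0.2.33 - - [10/Jul/2020:03:16:41 +0000] "GET /Telerik.Web.UI.DialogHandler.aspx HTTP/1.1" 200 1342 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for rule, ip, path, status in found:
        print(f"{status} {ip:15} {rule:22} {path}")
    print("per-source counts:", dict(probes_by_ip(found)))
    for rule, ip, path, status in served_probes(found):
        print(f"CHECK VERSION: {path} was served ({status}) to {ip}")
```

A 404 in this report means the probe bounced off a path that does not exist, which is the comfortable case. The last sample line is the one worth acting on: the handler answered, so the component is installed and the only question left is whether it is on a build newer than the 2017 fix.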

And that’s the real point of this post. Are you a web dev? Are you using a third-party commercial library for your sites? Then make sure you keep it up to date. We, DevExpress, issue security updates and publicize them whenever needed, just like our competitors do. Are you using open source libraries? How often do you check the repos for updates? How about this one: how often do you update your browser? How about your users’ browsers? Still on IE11 are you?

It’s simple: if you don’t keep up, your web sites could be compromised. And from that your readers/users will be.

Me, with this site? Yes, I worry about it. Which is why I’ve made changes over the years since the underlying engine went open source, so that the obvious entry points no longer exist, and that is why I’m converting the entire back-end to DevExpress and my code.

Very broken Mustang Mach1


2 Responses

#1 Tudor said...
13-Jul-20 6:27 AM

Very often such sites are built for an 'enterprise' by some third-party contractor across the world, and after the site is completed, there is nobody to update the application for years, until eventually it is replaced completely.

#2 julian m bucknall said...
13-Jul-20 9:52 AM

@Tudor: True enough. There's a corporate app I use weekly (nothing to do with DevExpress or my work) that uses a 3-year-old version of Kendo. I've told them about it, saying just update it, it's relatively cheap, but all I got back was crickets.

Cheers, Julian
