
Modified Telerik check to auto-create keys when missing.
galatrash committed Sep 15, 2017
1 parent 4b55e6b commit 617e013
Showing 1 changed file with 62 additions and 7 deletions.
69 changes: 62 additions & 7 deletions Components/Checks/CheckTelerikVulnerability.cs
@@ -1,8 +1,11 @@
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using DotNetNuke.Common;
using DotNetNuke.Common.Utilities;
using DotNetNuke.Security;
using Assembly = System.Reflection.Assembly;

namespace DNN.Modules.SecurityAnalyzer.Components.Checks
Expand All @@ -11,6 +14,15 @@ public class CheckTelerikVulnerability : IAuditCheck
{
public string Id => "CheckTelerikVulnerability";

private string[] _configKeys = {
"Telerik.AsyncUpload.ConfigurationEncryptionKey",
"Telerik.Upload.ConfigurationHashKey",
"Telerik.Web.UI.DialogParametersEncryptionKey",
};

private const string DefaultValue = "MDEyMzQ1Njc4OUFCQ0RFRjAxMjM0NTY3ODlBQkNERUYwMTIzNDU2Nzg5QUJDREVG";
private Func<string, bool> _funx = s => string.IsNullOrEmpty(s) || DefaultValue.Equals(s) || s.Length < 40;

public CheckResult Execute()
{
var result = new CheckResult(SeverityEnum.Unverified, Id);
Expand All @@ -22,12 +34,6 @@ public CheckResult Execute()
"f6dc6dd32f4f5698217c72a512ce9872c002be98cfced9a0344b46c50c1a6f02" //Telerik 2013.2.717.35
};

string[] configKeys = {
"Telerik.AsyncUpload.ConfigurationEncryptionKey",
"Telerik.Upload.ConfigurationHashKey",
"Telerik.Web.UI.DialogParametersEncryptionKey",
};

var compareVersion = new Version(2017, 2, 711);
var filePath = Path.Combine(Globals.ApplicationMapPath, "bin\\Telerik.Web.UI.dll");
result.Severity = SeverityEnum.Pass;
Expand All @@ -41,7 +47,17 @@ public CheckResult Execute()
result.Notes.Add("Telerik.Web.UI.dll assembly has't been patched.");
}

foreach (var configKey in configKeys)
if (_configKeys.Select(Config.GetSetting).Any(val => _funx(val)))
{
var err = UpdateWebConfigFile();
if (!string.IsNullOrEmpty(err))
{
result.Notes.Add("Couldn't update web.config file!");
}
}

// check after trying to add the missing key(s)
foreach (var configKey in _configKeys)
{
if (string.IsNullOrEmpty(Config.GetSetting(configKey)))
{
Expand All @@ -57,5 +73,44 @@ public CheckResult Execute()

return result;
}

private string UpdateWebConfigFile()
{
var configChanged = false;
var strError = "";
try
{
//open the web.config
var xmlConfig = Config.Load();

foreach (var configKey in _configKeys)
{
var currentKey = Config.GetSetting(configKey);
if (_funx(currentKey))
{
configChanged = true;
//create a random Telerik encryption key and add it under <appSettings>
var newKey = new PortalSecurity().CreateKey(32);
newKey = Convert.ToBase64String(Encoding.ASCII.GetBytes(newKey));
Config.AddAppSetting(xmlConfig, configKey, newKey);
}
}

if (configChanged)
{
//save a copy of the exitsing web.config
var backupFolder = string.Concat(Globals.glbConfigFolder, "Backup_", DateTime.Now.ToString("yyyyMMddHHmm"), "\\");
strError += Config.Save(xmlConfig, backupFolder + "web_.config") + Environment.NewLine;

//save the web.config
strError += Config.Save(xmlConfig) + Environment.NewLine;
}
}
catch (Exception ex)
{
strError += ex.Message;
}
return strError;
}
}
}
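Review bot: The backup written by `Config.Save(xmlConfig, backupFolder + "web_.config")` in UpdateWebConfigFile is taken after `Config.AddAppSetting` has already mutated `xmlConfig`, so the file the comment calls "a copy of the exitsing web.config" actually contains the newly generated keys and the pre-change configuration is not preserved anywhere. Separately, `Environment.NewLine` is appended to `strError` unconditionally after each save, so if `Config.Save` returns an empty string on success (which the `string.IsNullOrEmpty(err)` check in Execute appears to assume), a successful update still yields a non-empty result and the "Couldn't update web.config file!" note is added every time keys are created. Determining the weak keys first, saving the backup, and only then adding the settings fixes the ordering, and appending a save result only when it is non-empty fixes the false error; the backup folder then holds the old keys rather than the new ones, but either way it needs the same access restrictions as web.config itself. Whether `PortalSecurity.CreateKey(32)` draws from a cryptographic RNG is not visible here and is worth confirming, since these three values are exactly the keys this check exists to protect.
```csharp
private string UpdateWebConfigFile()
{
    var strError = "";
    try
    {
        //open the web.config
        var xmlConfig = Config.Load();

        // decide what must change before touching the document
        var keysToReplace = _configKeys.Where(k => _funx(Config.GetSetting(k))).ToList();
        if (keysToReplace.Count == 0)
        {
            return strError;
        }

        // back up web.config BEFORE any key is added, so the copy really is the existing file
        var backupFolder = string.Concat(Globals.glbConfigFolder, "Backup_", DateTime.Now.ToString("yyyyMMddHHmm"), "\\");
        var backupError = Config.Save(xmlConfig, backupFolder + "web_.config");
        if (!string.IsNullOrEmpty(backupError))
        {
            strError += backupError + Environment.NewLine;
        }

        foreach (var configKey in keysToReplace)
        {
            //create a random Telerik encryption key and add it under <appSettings>
            var newKey = new PortalSecurity().CreateKey(32);
            newKey = Convert.ToBase64String(Encoding.ASCII.GetBytes(newKey));
            Config.AddAppSetting(xmlConfig, configKey, newKey);
        }

        //save the web.config; only record a message when the save actually reports one
        var saveError = Config.Save(xmlConfig);
        if (!string.IsNullOrEmpty(saveError))
        {
            strError += saveError + Environment.NewLine;
        }
    }
    // … unchanged: catch (Exception ex) block …
    return strError;
}
```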
