Jul 10, 2017, 8:45 PM
Telerik's ASP.NET AsyncUploader (RadAsyncUpload) is vulnerable to arbitrary file uploads. By abusing a default hard-coded key (which can be changed, but often is not), a malicious actor can decrypt a server-side encrypted parameter and modify the file upload location to any path writable by the web server's user account. This was verified to work through version 2017.2.503 (released May 3rd, 2017).
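Because the weakness described above hinges on the default key never being replaced, the practical mitigation check is whether a site's web.config overrides it. The following is an added example, not code from the post or from Telerik: it parses an ASP.NET web.config and reports upload keys that are missing, short, or identical. The appSettings names are assumed from Telerik's hardening guidance and the sample configs are constructed; confirm the names against the documentation for your version.

```python
import xml.etree.ElementTree as ET

# Assumed appSettings names that override the library's built-in defaults
# (taken from Telerik's hardening guidance; verify for your release).
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
)
MIN_KEY_LENGTH = 32  # assumed local policy: insist on a long random value


def audit_web_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means the overrides look sane."""
    findings = []
    root = ET.fromstring(xml_text)          # root element is <configuration>
    app_settings = root.find("appSettings")
    settings = {}
    if app_settings is not None:
        for add in app_settings.findall("add"):
            settings[add.get("key", "")] = add.get("value", "")

    for name in REQUIRED_KEYS:
        value = settings.get(name)
        if value is None or value == "":
            findings.append(f"{name} not set: library default key is in use")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{name} is only {len(value)} characters long")

    present = [settings[k] for k in REQUIRED_KEYS if settings.get(k)]
    if len(present) == len(REQUIRED_KEYS) and len(set(present)) == 1:
        findings.append("encryption key and hash key are identical; use distinct values")
    return findings


# Constructed sample configs (not from any real deployment).
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="x"/>
  </appSettings>
</configuration>"""

SHORT_DUPLICATE_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="abc123"/>
    <add key="Telerik.Upload.ConfigurationHashKey" value="abc123"/>
  </appSettings>
</configuration>"""

HARDENED_CONFIG = f"""<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="{'e7' * 32}"/>
    <add key="Telerik.Upload.ConfigurationHashKey" value="{'4b' * 32}"/>
  </appSettings>
</configuration>"""
```

Run it against each deployed web.config on the server; any finding for the first key means the parameter described above is still protected only by the default key.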