Mehul Harry's DevExpress Blog


Mehul Harry is the DevExpress Web Program Manager. Follow him on twitter: @Mehulharry


August 2015 - Posts

  • Update Ajax Control Toolkit to Patch Critical Security Vulnerability

    If you are using the ASP.NET AJAX Control Toolkit, you'll want to make sure it's updated to the latest version as it patches a critical security vulnerability.

    The "Directory Traversal" vulnerability affects ASP.NET AJAX Control Toolkit versions prior to v15.1.x.

    The vulnerability existed prior to DevExpress taking over the ASP.NET AJAX Control Toolkit. DevExpress has patched this vulnerability with our first release of the ASP.NET AJAX Control Toolkit v15.1.

    Details

    Brian Cardinale, Principal Application Security Consultant, notified us of the vulnerability last year (thanks Brian!). To help you understand the vulnerability, I'll use Brian's excellent description:

    There is a File Write Directory Traversal issue inside the AjaxControlToolkit “AjaxFileUpload” control. When uploading a file using this control, the framework should write the file to the environment's “temp” directory. The framework is not validating the “fileid” parameter from being modified. This parameter is later used in the creation of the path in the “temp” directory. This parameter can be modified to write to any location on the disk, as long as file system permissions allow. This exploit can lead to Remote Code Execution if an attacker is able to upload an .aspx file into the web directory. - Brian Cardinale

    To learn more, check out Brian's blog post on this issue.
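To make the root cause concrete, here is an added example (not code from the AJAX Control Toolkit, and not Brian's or DevExpress' code) that contrasts the pattern Brian describes with a hardened version. `ResolveUnchecked` and `TryResolve` are hypothetical helpers standing in for the step that turns the request's "fileid" value into a path under the temp directory; the assumption that a well-formed id is a 32-hex-digit GUID is mine, chosen because it makes the allow-list trivial to state.

```csharp
using System;
using System.IO;

// Added illustration, not the toolkit's own code. Both helpers are hypothetical and
// stand in for the step that maps the "fileid" request parameter to a temp-file path.
public static class UploadPathResolver
{
    // VULNERABLE pattern: the untrusted identifier flows straight into the path.
    // Path.Combine returns the second argument unchanged when it is rooted
    // (e.g. @"C:\inetpub\wwwroot\x"), and "..\" segments are not collapsed,
    // so whoever controls fileid controls where the temp file lands.
    public static string ResolveUnchecked(string tempDir, string fileId)
    {
        return Path.Combine(tempDir, fileId + ".tmp");
    }

    // HARDENED version with two independent controls:
    // 1. Allow-list the identifier's shape. A 32-hex-digit GUID is assumed here as
    //    the expected format; anything containing dots, slashes or backslashes is
    //    rejected before any path arithmetic happens.
    // 2. Canonicalise the result and verify it still sits inside tempDir. The trailing
    //    separator matters: "C:\temp" is a prefix of "C:\temp2", but "C:\temp\" is not.
    public static bool TryResolve(string tempDir, string fileId, out string fullPath)
    {
        fullPath = null;

        Guid id;
        if (!Guid.TryParseExact(fileId, "N", out id))
            return false;

        string root = Path.GetFullPath(tempDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string candidate = Path.GetFullPath(Path.Combine(root, id.ToString("N") + ".tmp"));

        // Windows paths are case-insensitive, hence OrdinalIgnoreCase; on a
        // case-sensitive file system use StringComparison.Ordinal instead.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        string tempDir = Path.GetTempPath();

        // Constructed sample inputs: one well-formed id and two that try to leave tempDir.
        string[] samples =
        {
            Guid.NewGuid().ToString("N"),
            @"..\..\outside",
            Path.Combine(Path.GetPathRoot(tempDir), "outside"),
        };

        foreach (string fileId in samples)
        {
            string naive = ResolveUnchecked(tempDir, fileId);
            string safe;
            bool ok = TryResolve(tempDir, fileId, out safe);
            Console.WriteLine("fileid={0}", fileId);
            Console.WriteLine("  unchecked -> {0}", naive);
            Console.WriteLine("  hardened  -> {0}", ok ? safe : "REJECTED");
        }
    }
}
```

Running it shows the unchecked helper happily returning a path outside the temp directory for the second and third inputs, while the hardened helper rejects both. The format check alone would already stop these two samples; the containment check is kept as a second, independent layer so that a future change to the accepted identifier format cannot silently reopen the traversal.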

    Update to v15.1.x (or higher)

    To patch this vulnerability, upgrade your ASP.NET AJAX Control Toolkit to the latest version. You can download our installer here:

    Or use the Nuget libraries:

    ASP.NET AJAX Control Toolkit Nuget package


  • ASP.NET AJAX Control Toolkit - v15.1.3 - Maintenance update available

    A new release of the ASP.NET AJAX Control Toolkit, v15.1.3, is now available. We've included several bug fixes and new features.

    You can download the latest release here:

    ASP.NET AJAX Control Toolkit v15.1

    Click the download button above to get the latest bits.

    Or use the Nuget package: ASP.NET AJAX Control Toolkit Nuget package

    (If you missed news about the latest v15.1 ASP.NET AJAX Control Toolkit release then please read this helpful blog post.)

    v15.1.3 Includes:

    1. Bug fixes

    • Item 15788 - UpdatePanelAnimationExtender OnUpdating runs on every postback
    • Item 27072 - SliderExtender within UpdatePanel causes vertical scrollbar to scroll in Chrome and Safari
    • Item 27243 - Double HTML attributes rendered by TabPanel
    • Item 27294 - Issue with multiple AsyncFileUpload Control
    • Item 27369 - AjaxFileUpload: Drag and Drop is not working on IE10 for Windows 7
    • Item 27373 - PieChart doesn't render all segments correctly
    • Item 27434 - Keyboard Selection not Working
    • Item 27470 - TextBoxWatermarkExtender causes autocompletetype not to work
    • Item 27481 - Error in Masked edit validator
    • Item 27511 - img/png
    • Item 27547 - HtmlEditorExtender Causing Javascript Error on IE 11
    • Item 27566 - Multiple image upload using html editor extender control
    • Item 27595 - Mask Edit Extender Issue
    • Item 27612 - Editor Extender JAVA script error
    • Item 27655 - Corrupted Files in AjaxFileUpload
    • Item 27717 - HtmlEditorExtender error with Chrome 36.0.1985.125
    • Item 27735 - FileUpload Control Displays Upload Button with No Files
    • Item 27745 - Javascript error in Chrome with HtmlEditorExtender: Uncaught IndexSizeError
    • Item 27764 - MaskedEditExtender type Date fails with "hu-HU" culture
    • Item 27812 - Version 15.1 TabContainer CSS Inconsistency for Disabled Tabs
    • Item 27813 - Focus hidden tabs
    • Item 27844 - CascadingDropDown populated event not working as (I) expected
    • Item 27846 - TabContainer in 15.1
    • Item 27853 - AjaxControlToolkit 15.1 Combobox VS2013
    • Item 27855 - Where is ComboBox predefind theme images?
    • Item 27857 - SliderExtender handle image align broken in vertical orientation
    • Item 27858 - MaskedEdit extender culture setting issue
    • Item 27860 - big issue: htmlextender bug
    • Item 27865 - Using AJAX Password Strength with Modal Popup
    • Item 27875 - v15.1.x ValidatorCallout static images - incorrect path with ScriptManager.EnableCdn= false
    • Item 27892 - HtmlEditorExtender: BackColor and ForeColor buttons is not working

    2. Features and improvements:

    • Item 8626 - Slideshow effects
    • Item 27075 - Table Border/CellPadding/CellSpacing - Replace with CSS

    3. Sample site updates:

    4. Internal improvements:

    Client testing introduced.

    Documentation

    Helpful documentation articles are available on the CodePlex site:

    Feedback

    Get the latest ASP.NET AJAX Control Toolkit v15.1.3 release and let us know your feedback by reporting it here.

    How to upgrade to v15.1.3

    Please take a look at the 'How to upgrade to v15.1 release' article to see how to migrate your existing ASP.NET AJAX Control Toolkit projects to the new v15.1.3 release.

    Try DevExpress ASP.NET

    We’d like to thank you for installing the DevExpress Edition of the AJAX Control Toolkit and look forward to your feedback as you begin its use.

    When we took over the fabulous ASP.NET AJAX Control Toolkit, our goal was to reach those web developers who want to use great web user interface controls for their web projects, and DevExpress ASP.NET provides that and much more.

    Try the free DevExpress 30 day trial.

    Email: mharry@devexpress.com

    Twitter: @mehulharry


    Your Next Great .NET App Starts Here

    Year after year, .NET developers such as yourself consistently vote DevExpress products #1.

    Experience the DevExpress difference for yourself and download a free 30-day trial of all our products today: DevExpress.com/trial (free support is included during your evaluation).

  • ASP.NET vNext - DevExpress Plans for ASP.NET 5

    Update: Announcing DevExtreme ASP.NET 5 TagHelpers - Available Now

    DevExpress ASP.NET customers have been curious about the changes coming with ASP.NET vNext (aka ASP.NET 5), so let me take this opportunity to announce our plans:

    1. We will support ASP.NET 5.
    2. In fact, we're working hard on an upcoming release that will support ASP.NET 5.

    The new version now has an official name, "ASP.NET 5", and for the rest of this post I'll use that term. To be clear, ASP.NET vNext is Microsoft's term for the next version of ASP.NET that they are working on.

    Which release will support ASP.NET 5?

    The specific DevExpress release is still to be determined because ASP.NET 5 is still in beta. Here's Microsoft's schedule:

    ASP.NET 5 Schedule and Roadmap

    Because ASP.NET 5 will be released in early 2016, we expect to support ASP.NET 5 with DXperience v16.1 release.

    There is a possibility that we could release some bits in DXperience v15.2. Take a look at the feedback section below for more info.

    What is ASP.NET 5?

    ASP.NET 5 is a significant redesign of ASP.NET. -Daniel Roth, ASP.NET 5 Docs

    The Microsoft ASP.NET team has been working hard on the next version of ASP.NET, and there are major changes. And yet, many of the things that you know will still work the same.

    To understand what's coming with ASP.NET 5, I highly recommend you:

    1. Watch this video: Introduction to ASP.NET 5
    2. Or, read the docs.
    3. Or, check out the links that Jon Galloway has compiled on this blog post: A 30 Minute Look At ASP.NET vNext
    4. Or, check out any of the other great resources listed here: http://asp.net/vnext
    5. Or, all of the above.

    DevExpress Plans

    Here is our plan to support ASP.NET 5:

    New Runtimes

    Before I discuss our plans, it's important to understand the different runtimes. This image shows the two major runtimes:

    .NET 2015

    Full .NET Framework 4.6

    The .NET Framework 4.6 runtime is an incremental upgrade to the existing .NET v4.5 line. And therefore, it's backward compatible and provides all the framework features (WebForms, MVC 5.x, etc.). This framework provides the easiest path for upgrading an existing .NET project.

    All DevExpress ASP.NET WebForms controls and MVC extensions work with the Microsoft .NET Framework 4.6 runtime today.

    .NET Core 5

    As Daniel Roth mentioned above: "ASP.NET 5 is a significant redesign of ASP.NET". And at the heart of it is the new .NET Core 5 runtime.

    The .NET Core 5 runtime is a new implementation of .NET that is server-focused and optimized for server and cloud workloads. It's also cross-platform, which means you can run it on Linux and OS X:

    .NET Core 5 is a modular runtime and library implementation that includes a subset of the .NET Framework. Currently it is feature complete on Windows, and in-progress builds exist for both Linux and OS X. -Steve Smith, ASP.NET 5 Docs

    But writing for ASP.NET 5, using .NET Core 5, is very different from what you know today. WebForms and MVC 5.x are not included in this framework. It has been architected in a very different way for web development. Therefore, you cannot use current DevExpress ASP.NET controls with .NET Core 5.

    However! There is good news. ASP.NET 5 favors client-side libraries for user interface. Therefore, we plan to leverage DevExtreme (DevExpress' client-side JavaScript framework and widgets).

    Short Term Goal:

    We plan to create wrappers and provide an easy experience for you to use DevExtreme widgets with ASP.NET 5. We have started this development work already, and our non-visual document libraries (Spreadsheet, RichEdit (Word) and PDF processing) are close to being done.

    Long Term Goal:

    While the DevExtreme UI widget library does not have as many controls as our ASP.NET subscription, it is growing with each release.

    And finally, we do have some interesting ideas to bring you rich and powerful controls for ASP.NET 5. Stay tuned.

    Feedback

    If you are highly interested in ASP.NET 5 and DevExpress integration, then please leave a comment below. Your feedback will help us decide on what bits and which release we may target.

    Thanks!



Copyright © 1998-2017 Developer Express Inc.
All trademarks or registered trademarks are property of their respective owners