473,651 Members | 2,551 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

A potentially dangerous querystring ... [ValidateRequest]

All,
When i use .net FRamework 1.1, for my web application, i get an error
saying "A potentially dangerous querystring was detected from the
client...."
I have read the posts related to this and it seems this is due to some
SECURITY FEATURE in 1.1!!!

My code used to work in 1.0!!! now when the web server gets upgraded
to 1.1, my app. breaks.

So, If i introduce a validateRequest = false in Web.config, i can
overcome this error without ANY Code change.

BUT unfortunately, assume this scenario for me..I have 2 deployment
servers ServerA [with framework 1.1 installed] and Server B [ for some
reason has not upgraded to 1.1 as of now.] [which means i must
continue to support both 1.0 and 1.1 for sometime now].

So with this change in 1.1, does this mean that i cannot have one
"common Web.config" which i cannot deploy in both Server A and Server
B?
Because the Web.config in ServerB will complain on detecting a
validaterequest tag.

So to wrap my problem....Is there any way to include
"validateReques t=false" in web.config, but still allow 1.0 to compile
correctly?

Or the only way is to have seperate web.config for 1.0 and 1.1?
Thanks in advance
Ben
Nov 18 '05 #1
5 1801
> So to wrap my problem....Is there any way to include
"validateReques t=false" in web.config, but still allow 1.0 to compile
correctly?


Ben, I've not tries this, but I believe it will work (although it may
not have the exact effect you're after). You could tweak the
machine.config for 1.1 to include the validateRequest =false. Therefore,
you wouldn't have to fiddle with the Web.config.

Of course the issue here is two-fold:

(1) You must have access to the Web server's machine.config
(2) You will be affecting the default validateRequest setting for ALL
Web sites using ASP.NET 1.1 on the box

But, for your situation, it might be of use. Hope this helps.

--

Scott Mitchell
mi******@4guysf romrolla.com
http://www.4GuysFromRolla.com
http://www.ASPFAQs.com
http://www.ASPMessageboard.com

* When you think ASP, think 4GuysFromRolla. com!
Nov 18 '05 #2
Alternatively, is there any way to get the server running v1.1 to go back
to running v1.0 (I suppose, talk to your administrator) until the server
running v1.0 can be upgraded to v1.1?

Cheers
Ken

"Scott Mitchell [MVP]" <mi******@4guys fromrolla.com> wrote in message
news:Zl******** ***********@new ssvr29.news.pro digy.com...
: > So to wrap my problem....Is there any way to include
: > "validateReques t=false" in web.config, but still allow 1.0 to compile
: > correctly?
:
: Ben, I've not tries this, but I believe it will work (although it may
: not have the exact effect you're after). You could tweak the
: machine.config for 1.1 to include the validateRequest =false. Therefore,
: you wouldn't have to fiddle with the Web.config.
:
: Of course the issue here is two-fold:
:
: (1) You must have access to the Web server's machine.config
: (2) You will be affecting the default validateRequest setting for ALL
: Web sites using ASP.NET 1.1 on the box
:
: But, for your situation, it might be of use. Hope this helps.
:
: --
:
: Scott Mitchell
: mi******@4guysf romrolla.com
: http://www.4GuysFromRolla.com
: http://www.ASPFAQs.com
: http://www.ASPMessageboard.com
:
: * When you think ASP, think 4GuysFromRolla. com!
Nov 18 '05 #3
Hi Scott, Ken,
thanks for the replies.

i think modifying the machine.config is not possible since it may
affect other web app on the production box.

In fact same reason applies to Ken also. I can change the settings in
IIS to make it point to 1.0 again, but this will affect other Web app.

phew...What a change from 1.0 to 1.1!!!!

It is always good to fill in Security holes, but this i feel is a
over-restiction. At least for 1.0 web application, there must be a
better way to easily come thru this change...

Any other suggestions are most welcome.

Thanks again
Ben
"Ken Schaefer" <ke*******@THIS adOpenStatic.co m> wrote in message news:<On******* ******@tk2msftn gp13.phx.gbl>.. .
Alternatively, is there any way to get the server running v1.1 to go back
to running v1.0 (I suppose, talk to your administrator) until the server
running v1.0 can be upgraded to v1.1?

Cheers
Ken

"Scott Mitchell [MVP]" <mi******@4guys fromrolla.com> wrote in message
news:Zl******** ***********@new ssvr29.news.pro digy.com...
: > So to wrap my problem....Is there any way to include
: > "validateReques t=false" in web.config, but still allow 1.0 to compile
: > correctly?
:
: Ben, I've not tries this, but I believe it will work (although it may
: not have the exact effect you're after). You could tweak the
: machine.config for 1.1 to include the validateRequest =false. Therefore,
: you wouldn't have to fiddle with the Web.config.
:
: Of course the issue here is two-fold:
:
: (1) You must have access to the Web server's machine.config
: (2) You will be affecting the default validateRequest setting for ALL
: Web sites using ASP.NET 1.1 on the box
:
: But, for your situation, it might be of use. Hope this helps.
:
: --
:
: Scott Mitchell
: mi******@4guysf romrolla.com
: http://www.4GuysFromRolla.com
: http://www.ASPFAQs.com
: http://www.ASPMessageboard.com
:
: * When you think ASP, think 4GuysFromRolla. com!

Nov 18 '05 #4
I believe that mappings can be set on a Web Application by Web Application
basis.

In IIS Manager, you will need to goto Web App Properties -> Directory -> App
Configuration Button -> Mappings tab. Map the ASP.NET extensions (e.g.
..aspx) to the appropriate aspnet_isapi.dl l

So, even if you change one web app to use 1.0, the others can still use 1.1
(I think they can - maybe the can't, but you coudl try it).

Cheers
Ken
"Boris" <be********@yah oo.com> wrote in message
news:c0******** *************** ***@posting.goo gle.com...
: Hi Scott, Ken,
: thanks for the replies.
:
: i think modifying the machine.config is not possible since it may
: affect other web app on the production box.
:
: In fact same reason applies to Ken also. I can change the settings in
: IIS to make it point to 1.0 again, but this will affect other Web app.
:
: phew...What a change from 1.0 to 1.1!!!!
:
: It is always good to fill in Security holes, but this i feel is a
: over-restiction. At least for 1.0 web application, there must be a
: better way to easily come thru this change...
:
: Any other suggestions are most welcome.
:
: Thanks again
: Ben
:
:
: "Ken Schaefer" <ke*******@THIS adOpenStatic.co m> wrote in message
news:<On******* ******@tk2msftn gp13.phx.gbl>.. .
: > Alternatively, is there any way to get the server running v1.1 to go
back
: > to running v1.0 (I suppose, talk to your administrator) until the server
: > running v1.0 can be upgraded to v1.1?
: >
: > Cheers
: > Ken
: >
: > "Scott Mitchell [MVP]" <mi******@4guys fromrolla.com> wrote in message
: > news:Zl******** ***********@new ssvr29.news.pro digy.com...
: > : > So to wrap my problem....Is there any way to include
: > : > "validateReques t=false" in web.config, but still allow 1.0 to
compile
: > : > correctly?
: > :
: > : Ben, I've not tries this, but I believe it will work (although it may
: > : not have the exact effect you're after). You could tweak the
: > : machine.config for 1.1 to include the validateRequest =false.
Therefore,
: > : you wouldn't have to fiddle with the Web.config.
: > :
: > : Of course the issue here is two-fold:
: > :
: > : (1) You must have access to the Web server's machine.config
: > : (2) You will be affecting the default validateRequest setting for ALL
: > : Web sites using ASP.NET 1.1 on the box
: > :
: > : But, for your situation, it might be of use. Hope this helps.
: > :
: > : --
: > :
: > : Scott Mitchell
: > : mi******@4guysf romrolla.com
: > : http://www.4GuysFromRolla.com
: > : http://www.ASPFAQs.com
: > : http://www.ASPMessageboard.com
: > :
: > : * When you think ASP, think 4GuysFromRolla. com!
Nov 18 '05 #5
I'd recommend installing both versions of the Framework on the server and
then using Denis Bauer's handy ASP.NET Version Switcher utility so that you
can set framework versions on a vroot by vroot basis easily.
http://www.denisbauer.com.

You can also do this via the command line, but Denis' utility is SO much
easier. We use it all the time to handle just these types of situations.

Joe K.

"Ken Schaefer" <ke*******@THIS adOpenStatic.co m> wrote in message
news:OT******** ******@tk2msftn gp13.phx.gbl...
I believe that mappings can be set on a Web Application by Web Application
basis.

In IIS Manager, you will need to goto Web App Properties -> Directory -> App Configuration Button -> Mappings tab. Map the ASP.NET extensions (e.g.
.aspx) to the appropriate aspnet_isapi.dl l

So, even if you change one web app to use 1.0, the others can still use 1.1 (I think they can - maybe the can't, but you coudl try it).

Cheers
Ken
"Boris" <be********@yah oo.com> wrote in message
news:c0******** *************** ***@posting.goo gle.com...
: Hi Scott, Ken,
: thanks for the replies.
:
: i think modifying the machine.config is not possible since it may
: affect other web app on the production box.
:
: In fact same reason applies to Ken also. I can change the settings in
: IIS to make it point to 1.0 again, but this will affect other Web app.
:
: phew...What a change from 1.0 to 1.1!!!!
:
: It is always good to fill in Security holes, but this i feel is a
: over-restiction. At least for 1.0 web application, there must be a
: better way to easily come thru this change...
:
: Any other suggestions are most welcome.
:
: Thanks again
: Ben
:
:
: "Ken Schaefer" <ke*******@THIS adOpenStatic.co m> wrote in message
news:<On******* ******@tk2msftn gp13.phx.gbl>.. .
: > Alternatively, is there any way to get the server running v1.1 to go
back
: > to running v1.0 (I suppose, talk to your administrator) until the server : > running v1.0 can be upgraded to v1.1?
: >
: > Cheers
: > Ken
: >
: > "Scott Mitchell [MVP]" <mi******@4guys fromrolla.com> wrote in message
: > news:Zl******** ***********@new ssvr29.news.pro digy.com...
: > : > So to wrap my problem....Is there any way to include
: > : > "validateReques t=false" in web.config, but still allow 1.0 to
compile
: > : > correctly?
: > :
: > : Ben, I've not tries this, but I believe it will work (although it may : > : not have the exact effect you're after). You could tweak the
: > : machine.config for 1.1 to include the validateRequest =false.
Therefore,
: > : you wouldn't have to fiddle with the Web.config.
: > :
: > : Of course the issue here is two-fold:
: > :
: > : (1) You must have access to the Web server's machine.config
: > : (2) You will be affecting the default validateRequest setting for ALL : > : Web sites using ASP.NET 1.1 on the box
: > :
: > : But, for your situation, it might be of use. Hope this helps.
: > :
: > : --
: > :
: > : Scott Mitchell
: > : mi******@4guysf romrolla.com
: > : http://www.4GuysFromRolla.com
: > : http://www.ASPFAQs.com
: > : http://www.ASPMessageboard.com
: > :
: > : * When you think ASP, think 4GuysFromRolla. com!

Nov 18 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
4
1295
Dangerous inputs in asp.net web forms
by: cesark | last post by:
Hi ! I have important doubts about how to handle the security in asp.net vb.net web forms. Somebody can help me? 1. If you have setting ‘validateRequest=true’ in .net framework1.1, What can do you do to improve the security? Because although you have validations on server side you can enter dangerous characters in a text field, with the exception of telephone numbers or similar.
ASP.NET
5
334
A potentially dangerous querystring ... [ValidateRequest]
by: Boris | last post by:
All, When i use .net FRamework 1.1, for my web application, i get an error saying "A potentially dangerous querystring was detected from the client...." I have read the posts related to this and it seems this is due to some SECURITY FEATURE in 1.1!!! My code used to work in 1.0!!! now when the web server gets upgraded to 1.1, my app. breaks.
ASP.NET
1
5870
Trapping a ' potentially dangerous Request.QueryString value'
by: John Morgan | last post by:
I am attempting to use a try/catch block to trap a querystring which is caught by ValidateRequest="true" in the @page directive A simple example of the blockthat does not work is Try routeID = Request.QueryString("routeID") Catch response.Write("a dangerous query string has been entered") End Try
ASP.NET
1
5413
how to try-catch potentially dangerous Request.Form value exception
by: angus | last post by:
Dear All, how to try-catch "A potentially dangerous Request.Form value was detected from the client (txtUserName="<asdf")." this exception? i've set the debugger in the Page_InIt function, but this page is shown before the Page_init function. i know that i can set validateRequest="false" in my page, but how can i
ASP.NET
6
9536
A potentially dangerous Request.QueryString value was detected from the client
by: Hardy Wang | last post by:
Hi, I put following value in my query string, then I got this error fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw== I am wandering what is wrong with this value? I really cannot understand. -- WWW: http://hardywang.1accesshost.com ICQ: 3359839 yours Hardy
ASP.NET
6
1774
Potentially dangerous script - urgent!
by: STech | last post by:
If data you post back contains the following string on<<any sequence of characters>>= example: on2q3asdf= The page will throw the following exception: A potentially dangerous Request.Form value was detected from the client
ASP.NET
1
2606
Server.URLEncode and potentially dangerous string
by: veenakj | last post by:
Hi Code snippet -------------- strErrMsg = "Could not find a part of the path \"C:\\Temp\\data\\Test.xml\"." } Server.Transfer("Message.aspx?errormsg=" + Server.UrlEncode(lsErrMsg)); ---------------
ASP.NET
4
1806
Dangerous querystring
by: sylvain | last post by:
I create an encrypted string and when this string is pass into a querystring to an ASP.Net page I have an error message that said that this querystring is potentialy dangerous. Here is an example of a querystring to reproduce the problem : ?var=ONmYtVKAnXuZg%3d Do you have any idea why this string is dangerous ?
ASP.NET
3
1432
A potentially dangerous client input value
by: andreister | last post by:
Hi there, I've come across the next problem: angle brackets in values being sent to a server. Because of this stuff HttpRequestValidationException occurs (FW 2.0). It seems that the validateRequest being set to FALSE should help (e.g., http://kb.seekdotnet.com/ViewArticle.aspx?ID=42)... but I need to support FW 1.0 as well as its successors!!!
ASP.NET
0
1656
ASP.NET Framework 2.0 / validateRequest / A potentially dangerous Request
by: manfred | last post by:
I try to switch off the validateRequest value in the Web.Config File on Framework 2.0 - see below. On the Visual Studio 2005 I get the right reaction. But on the WIndows 2003 Server no chance to switch the validateRequest to false! I rebooted the system, I restarted the service, I restarted the application pool - anytime no reaction! Is there an other switch to turn on or off? Thanks for any help, regarding Framework 2.0 <?xml...
ASP.NET
0
8349
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
8795
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
0
8576
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
General
0
5609
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
4143
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
4281
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
2696
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
1
1906
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP
2
1585
bsmnconsultancy
Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us