validateRequest

Dave H wrote:

If put this into my Web.config. Shouldn't this turn off the
ValiateRequest app wide?

<configuratio n>

<system.web>

<pages buffer="true" validateRequest ="false" />

I pass SQL around to pages, and sometimes, this causes the 'Cross Site
Attack' warning. I just want to turn it off comepltely.

I also tried just putting it in the page header, I still ghet the
error. Am I missing something else? I only get it on a new server I
just setup, not any of my others.

Ideas? Thanks, Dave

Ummmm - stop passing SQL around to pages?
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

I'm really wondering more, why this one server has this behavior, and others
don't.

"Bob Barrows [MVP]" <re******@NOyah oo.SPAMcom> wrote in message
news:OV******** ********@TK2MSF TNGP09.phx.gbl. ..

Dave H wrote:

If put this into my Web.config. Shouldn't this turn off the
ValiateRequest app wide?

<configuratio n>

<system.web>

<pages buffer="true" validateRequest ="false" />

I pass SQL around to pages, and sometimes, this causes the 'Cross Site
Attack' warning. I just want to turn it off comepltely.

I also tried just putting it in the page header, I still ghet the
error. Am I missing something else? I only get it on a new server I
just setup, not any of my others.

Ideas? Thanks, Dave

Ummmm - stop passing SQL around to pages?
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Hi Dave,

Welcome here.
From your description, you're encountering some "Cross Site Attack"
exceptions when you've turned off the pages/@validateReques t setting in
web.config, yes?

As you mentioned that the problem occured sometimes, so this is a randomly
occurs behavior ,yes? If so, I'm wondering whether it is something else
which cause this problem. Have you tried put a simple aspx page with some
entry fields on this and use some SQL injections code to post that page to
see whether it will raise such error? (remain the valiationReques t turn
off..)
Also, is it possible that we isolate the problem to a particular page? If
possible, would you provide some detaild code description on that page so
that we can perform some tests on our side.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| NNTP-Posting-Date: Thu, 10 Nov 2005 22:52:17 -0600
| From: "Dave H" <Da***@noemail. nospam>
| Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| References: <yO************ ********@comcas t.com>
<OV************ **@TK2MSFTNGP09 .phx.gbl>
| Subject: Re: validateRequest
| Date: Thu, 10 Nov 2005 20:52:15 -0800
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1506
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
| Message-ID: <eY************ ********@comcas t.com>
| Lines: 34
| NNTP-Posting-Host: 67.180.218.69
| X-Trace:
sv3-g4cR4RmDza6WKwO L6Lvbyv3bHAhbMv Xwk8HxXHcmVysDe SoDNpPr54iYxnjb 6gptgWAIbn2T
gxG7oh0!O7MKn8S lJCbWOL7RqtNLBM/N0b5lTzkTMqFK/UWgVtDjAHyBsefo 3d7F+G/9BtIvzvbG
YFMxfnUa!fXU4
| X-Complaints-To: ab***@comcast.n et
| X-DMCA-Complaints-To: dm**@comcast.ne t
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.p hx.gbl!TK2MSFTN GP08.phx.gbl!ne wsfeed00.sul.t-online.de!t-onli
ne.de!border2.n ntp.dca.giganew s.com!border1.n ntp.dca.giganew s.com!nntp.giga n
ews.com!local01 .nntp.dca.gigan ews.com!nntp.co mcast.com!news. comcast.com.POS T
ED!not-for-mail
| Xref: TK2MSFTNGXA02.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:3572 74
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
|
| I'm really wondering more, why this one server has this behavior, and
others
| don't.
|
| "Bob Barrows [MVP]" <re******@NOyah oo.SPAMcom> wrote in message
| news:OV******** ********@TK2MSF TNGP09.phx.gbl. ..
| > Dave H wrote:
| > > If put this into my Web.config. Shouldn't this turn off the
| > > ValiateRequest app wide?
| > >
| > > <configuratio n>
| > >
| > > <system.web>
| > >
| > > <pages buffer="true" validateRequest ="false" />
| > >
| > > I pass SQL around to pages, and sometimes, this causes the 'Cross Site
| > > Attack' warning. I just want to turn it off comepltely.
| > >
| > > I also tried just putting it in the page header, I still ghet the
| > > error. Am I missing something else? I only get it on a new server I
| > > just setup, not any of my others.
| > >
| > > Ideas? Thanks, Dave
| > Ummmm - stop passing SQL around to pages?
| > --
| > Microsoft MVP -- ASP/ASP.NET
| > Please reply to the newsgroup. The email account listed in my From
| > header is my spam trap, so I don't check it very often. You will get a
| > quicker response by posting to the newsgroup.
| >
| >
|
|
|

Thanks.. here's an example, same page,the one that doesn't work, it was
encoded using HTMLEncode (I tried that, same result)

In web.config

<?xml version="1.0" encoding="utf-8" ?>
<configuratio n>
<system.web>
<pages buffer="true" validateRequest ="false" />

In Page Directives

Page Language="vb" AutoEventWireup ="false" ValidateRequest ="false"
Does not work:

http://mywebserver/reporting/Pages/ReportsDisplay. Aspx?Colname=Ad min&RunSQL=Sele ct%20T2.Userid, %20T2.UserName, %20Min(T1.LogDa te)%20As%20Firs tLogin,%20Max(T 1.LogDate)%20As %20LastLogin,%2 0Count(*)%20As% 20LoginCount%20 from%20SystemCo ntrol..UserLogi ns%20T1%20Join% 20SystemControl ..Users%20T2%20 On%20T2.UserID% 20=%20T1.UserID %20Where%20T1.L ogDate%20>'11/16/2005'%20Group%2 0By%20T2.UserId ,%20T2.UserName &RunXSL=BuildXS LGeneric&ShowSe condLink=Y
Does Work:

http://mywebserver/reporting/Pages/R...owSecondLink=Y
--
Dave
"Steven Cheng[MSFT]" wrote:

Hi Dave,

Welcome here.
From your description, you're encountering some "Cross Site Attack"
exceptions when you've turned off the pages/@validateReques t setting in
web.config, yes?

As you mentioned that the problem occured sometimes, so this is a randomly
occurs behavior ,yes? If so, I'm wondering whether it is something else
which cause this problem. Have you tried put a simple aspx page with some
entry fields on this and use some SQL injections code to post that page to
see whether it will raise such error? (remain the valiationReques t turn
off..)
Also, is it possible that we isolate the problem to a particular page? If
possible, would you provide some detaild code description on that page so
that we can perform some tests on our side.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| NNTP-Posting-Date: Thu, 10 Nov 2005 22:52:17 -0600
| From: "Dave H" <Da***@noemail. nospam>
| Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| References: <yO************ ********@comcas t.com>
<OV************ **@TK2MSFTNGP09 .phx.gbl>
| Subject: Re: validateRequest
| Date: Thu, 10 Nov 2005 20:52:15 -0800
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1506
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
| Message-ID: <eY************ ********@comcas t.com>
| Lines: 34
| NNTP-Posting-Host: 67.180.218.69
| X-Trace:
sv3-g4cR4RmDza6WKwO L6Lvbyv3bHAhbMv Xwk8HxXHcmVysDe SoDNpPr54iYxnjb 6gptgWAIbn2T
gxG7oh0!O7MKn8S lJCbWOL7RqtNLBM/N0b5lTzkTMqFK/UWgVtDjAHyBsefo 3d7F+G/9BtIvzvbG
YFMxfnUa!fXU4
| X-Complaints-To: ab***@comcast.n et
| X-DMCA-Complaints-To: dm**@comcast.ne t
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.p hx.gbl!TK2MSFTN GP08.phx.gbl!ne wsfeed00.sul.t-online.de!t-onli
ne.de!border2.n ntp.dca.giganew s.com!border1.n ntp.dca.giganew s.com!nntp.giga n
ews.com!local01 .nntp.dca.gigan ews.com!nntp.co mcast.com!news. comcast.com.POS T
ED!not-for-mail
| Xref: TK2MSFTNGXA02.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:3572 74
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
|
| I'm really wondering more, why this one server has this behavior, and
others
| don't.
|
| "Bob Barrows [MVP]" <re******@NOyah oo.SPAMcom> wrote in message
| news:OV******** ********@TK2MSF TNGP09.phx.gbl. ..
| > Dave H wrote:
| > > If put this into my Web.config. Shouldn't this turn off the
| > > ValiateRequest app wide?
| > >
| > > <configuratio n>
| > >
| > > <system.web>
| > >
| > > <pages buffer="true" validateRequest ="false" />
| > >
| > > I pass SQL around to pages, and sometimes, this causes the 'Cross Site
| > > Attack' warning. I just want to turn it off comepltely.
| > >
| > > I also tried just putting it in the page header, I still ghet the
| > > error. Am I missing something else? I only get it on a new server I
| > > just setup, not any of my others.
| > >
| > > Ideas? Thanks, Dave
| > Ummmm - stop passing SQL around to pages?
| > --
| > Microsoft MVP -- ASP/ASP.NET
| > Please reply to the newsgroup. The email account listed in my From
| > header is my spam trap, so I don't check it very often. You will get a
| > quicker response by posting to the newsgroup.
| >
| >
|
|
|