A potentially dangerous querystring ... [ValidateRequest]

All,
When I use .NET Framework 1.1 for my web application, I get an error
saying "A potentially dangerous querystring was detected from the
client...."
I have read the posts related to this and it seems this is due to some
SECURITY FEATURE in 1.1!!!

My code used to work in 1.0!!! Now when the web server gets upgraded
to 1.1, my app breaks.

So, if I introduce a validateRequest=false in Web.config, I can
overcome this error without ANY code change.

BUT unfortunately, assume this scenario for me... I have 2 deployment
servers: ServerA [with framework 1.1 installed] and ServerB [for some
reason has not upgraded to 1.1 as of now] [which means I must
continue to support both 1.0 and 1.1 for some time now].

So with this change in 1.1, does this mean that I cannot have one
"common Web.config" which I cannot deploy in both ServerA and
ServerB?
Because the Web.config in ServerB will complain on detecting a
validateRequest tag.

So to wrap my problem... Is there any way to include
"validateRequest=false" in web.config, but still allow 1.0 to compile
correctly?

Or is the only way to have a separate web.config for 1.0 and 1.1?
Thanks in advance
Ben
Nov 18 '05 #1
> So to wrap my problem....Is there any way to include
> "validateRequest=false" in web.config, but still allow 1.0 to compile
> correctly?


Ben, I've not tried this, but I believe it will work (although it may
not have the exact effect you're after). You could tweak the
machine.config for 1.1 to include the validateRequest=false. Therefore,
you wouldn't have to fiddle with the Web.config.

Of course the issue here is two-fold:

(1) You must have access to the Web server's machine.config
(2) You will be affecting the default validateRequest setting for ALL
Web sites using ASP.NET 1.1 on the box

But, for your situation, it might be of use. Hope this helps.

--

Scott Mitchell
mi******@4guysfromrolla.com
http://www.4GuysFromRolla.com
http://www.ASPFAQs.com
http://www.ASPMessageboard.com

* When you think ASP, think 4GuysFromRolla.com!
Nov 18 '05 #2
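
Added example, not part of any poster's reply: the difference in scope between the machine.config change suggested above and the same setting confined to one page in an application's own Web.config on the 1.1 server. The page name `Search.aspx` is hypothetical, and other attributes of `<pages>` are omitted; as the original post notes, a 1.0 server rejects the attribute, so neither fragment gives a single config file for both servers.

```xml
<!-- machine.config on the 1.1 server (the change suggested in the reply above).
     Scope: every ASP.NET 1.1 application on the box loses request validation.
     Other attributes of the pages element are omitted here. -->
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

<!-- Web.config of one application on the 1.1 server.
     Scope: only Search.aspx (hypothetical page name, an assumption of this example).
     Every other page keeps the 1.1 default, validateRequest="true". -->
<configuration>
  <location path="Search.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Any page that runs with validation off has to HTML-encode request values itself (for example with `Server.HtmlEncode`) before writing them into the response.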
Alternatively, is there any way to get the server running v1.1 to go back
to running v1.0 (I suppose, talk to your administrator) until the server
running v1.0 can be upgraded to v1.1?

Cheers
Ken

Nov 18 '05 #3
Hi Scott, Ken,
thanks for the replies.

I think modifying the machine.config is not possible since it may
affect other web apps on the production box.

In fact the same reason applies to Ken also. I can change the settings in
IIS to make it point to 1.0 again, but this will affect other web apps.

phew...What a change from 1.0 to 1.1!!!!

It is always good to fill in security holes, but this I feel is an
over-restriction. At least for 1.0 web applications, there must be a
better way to easily come through this change...

Any other suggestions are most welcome.

Thanks again
Ben
Nov 18 '05 #4
I believe that mappings can be set on a Web Application by Web Application
basis.

In IIS Manager, you will need to go to Web App Properties -> Directory -> App
Configuration Button -> Mappings tab. Map the ASP.NET extensions (e.g.
.aspx) to the appropriate aspnet_isapi.dll

So, even if you change one web app to use 1.0, the others can still use 1.1
(I think they can - maybe they can't, but you could try it).

Cheers
Ken
Nov 18 '05 #5
I'd recommend installing both versions of the Framework on the server and
then using Denis Bauer's handy ASP.NET Version Switcher utility so that you
can set framework versions on a vroot by vroot basis easily.
http://www.denisbauer.com.

You can also do this via the command line, but Denis' utility is SO much
easier. We use it all the time to handle just these types of situations.

Joe K.

Nov 18 '05 #6
