A potentially dangerous querystring ... [ValidateRequest]

Discussion in 'ASP .Net Security' started by Boris, Apr 16, 2004.

  1. Boris

    Boris Guest

    All,
    When I use .NET Framework 1.1 for my web application, I get an error
    saying "A potentially dangerous querystring was detected from the
    client...."
    I have read the posts related to this and it seems this is due to some
    SECURITY FEATURE in 1.1!!!

    My code used to work in 1.0!!! Now when the web server gets upgraded
    to 1.1, my app breaks.

    So, if I introduce validateRequest=false in Web.config, I can
    overcome this error without ANY code change.

    BUT unfortunately, assume this scenario for me: I have 2 deployment
    servers, Server A [with Framework 1.1 installed] and Server B [for some
    reason has not upgraded to 1.1 as of now] [which means I must
    continue to support both 1.0 and 1.1 for some time now].

    So with this change in 1.1, does this mean that I cannot have one
    "common Web.config" which I can deploy on both Server A and Server
    B?
    Because the Web.config on Server B will complain on detecting a
    validateRequest tag.

    So to wrap my problem....Is there any way to include
    "validateRequest=false" in web.config, but still allow 1.0 to compile
    correctly?

    Or is the only way to have separate web.config files for 1.0 and 1.1?


    Thanks in advance
    Ben
    Boris, Apr 16, 2004
    #1

  2. > So to wrap my problem....Is there any way to include
    > "validateRequest=false" in web.config, but still allow 1.0 to compile
    > correctly?


    Ben, I've not tried this, but I believe it will work (although it may
    not have the exact effect you're after). You could tweak the
    machine.config for 1.1 to include the validateRequest=false. Therefore,
    you wouldn't have to fiddle with the Web.config.

    Of course the issue here is two-fold:

    (1) You must have access to the Web server's machine.config
    (2) You will be affecting the default validateRequest setting for ALL
    Web sites using ASP.NET 1.1 on the box

    But, for your situation, it might be of use. Hope this helps.

    --

    Scott Mitchell

    http://www.4GuysFromRolla.com
    http://www.ASPFAQs.com
    http://www.ASPMessageboard.com

    * When you think ASP, think 4GuysFromRolla.com!
    Scott Mitchell [MVP], Apr 16, 2004
    #2
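
    An added example, not part of the thread or of any poster's code: a small Python check that reports at which scope request validation is switched off in a config file, so the difference between a machine.config change and a narrower one is visible. The sample configs and the page path `admin/EditArticle.aspx` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread).
MACHINE_CONFIG = """<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

WEB_CONFIG_SCOPED = """<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
  <location path="admin/EditArticle.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>"""


def _child(elem, name):
    """First direct child with this exact tag name, or None."""
    return next((c for c in elem if c.tag == name), None)


def _validation_off(scope):
    """True if <system.web><pages validateRequest="false"> sits under scope."""
    system_web = _child(scope, "system.web")
    pages = _child(system_web, "pages") if system_web is not None else None
    return pages is not None and pages.get("validateRequest", "").strip().lower() == "false"


def audit(config_text, is_machine_config=False):
    """List every scope in one config file where request validation is off."""
    root = ET.fromstring(config_text)
    findings = []
    if _validation_off(root):
        findings.append("machine-wide" if is_machine_config else "application-wide")
    for loc in root.findall("location"):
        if _validation_off(loc):
            findings.append("location:" + loc.get("path", ""))
    return findings


if __name__ == "__main__":
    print(audit(MACHINE_CONFIG, is_machine_config=True))
    print(audit(WEB_CONFIG_SCOPED))
```

    A "machine-wide" finding corresponds to point (2) in the post above: every ASP.NET 1.1 site on the box loses the check, not just the one application.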

  3. Boris

    Ken Schaefer Guest

    Alternatively, is there any way to get the server running v1.1 to go back
    to running v1.0 (I suppose, talk to your administrator) until the server
    running v1.0 can be upgraded to v1.1?

    Cheers
    Ken
    Ken Schaefer, Apr 16, 2004
    #3
  4. Boris

    Boris Guest

    Hi Scott, Ken,
    thanks for the replies.

    I think modifying the machine.config is not possible since it may
    affect other web apps on the production box.

    In fact the same reason applies to Ken's suggestion also. I can change the settings in
    IIS to make it point to 1.0 again, but this will affect other web apps.

    Phew...What a change from 1.0 to 1.1!!!!

    It is always good to fill in security holes, but this I feel is an
    over-restriction. At least for 1.0 web applications, there must be a
    better way to easily come thru this change...

    Any other suggestions are most welcome.

    Thanks again
    Ben
    Boris, Apr 17, 2004
    #4
  5. Boris

    Ken Schaefer Guest

    I believe that mappings can be set on a Web Application by Web Application
    basis.

    In IIS Manager, you will need to go to Web App Properties -> Directory -> App
    Configuration Button -> Mappings tab. Map the ASP.NET extensions (e.g.
    .aspx) to the appropriate aspnet_isapi.dll

    So, even if you change one web app to use 1.0, the others can still use 1.1
    (I think they can - maybe they can't, but you could try it).

    Cheers
    Ken
    Ken Schaefer, Apr 17, 2004
    #5
  6. I'd recommend installing both versions of the Framework on the server and
    then using Denis Bauer's handy ASP.NET Version Switcher utility so that you
    can set framework versions on a vroot by vroot basis easily.
    http://www.denisbauer.com.

    You can also do this via the command line, but Denis' utility is SO much
    easier. We use it all the time to handle just these types of situations.

    Joe K.
    Joe Kaplan (MVP - ADSI), Apr 17, 2004
    #6