ASP.NET keeps forcing us to restart IIS

Discussion in 'ASP .Net' started by David Thielen, Jun 26, 2008.

  1. Hi;

    We keep having to restart IIS after ASP.NET kills it. Below is what we
    have in the event log. Any idea what the problem is?

    thanks - dave

    Event code: 3003
    Event message: A validation error has occurred.
    Event time: 6/23/2008 9:07:24 AM
    Event time (UTC): 6/23/2008 3:07:24 PM
    Event ID: 2f03e4f296b84e55883e2451ad8be3bd
    Event sequence: 28
    Event occurrence: 1
    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/134438206/Root-4-128587031812871768
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Inetpub\wwwroot\store\
    Machine name: SIMBA

    Process information:
    Process ID: 2380
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:
    Exception type: HttpRequestValidationException
    Exception message: A potentially dangerous Request.Form value was
    detected from the client
    (ctl00$ContentPlaceHolder1$formRegister$txtUsername="<a href=
    http://effe...").

    Request information:
    Request URL: http://store.windward.net/register.aspx
    Request path: /register.aspx
    User host address: 84.16.224.91
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE

    Thread information:
    Thread ID: 1
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace: at System.Web.HttpRequest.ValidateString(String s,
    String valueName, String collectionName)
    at
    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
    nvc, String collectionName)
    at System.Web.HttpRequest.get_Form()
    at System.Web.HttpRequest.get_HasForm()
    at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
    dontReturnNull)
    at System.Web.UI.Page.DeterminePostBackMode()
    at System.Web.UI.Page.ProcessRequestMain(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
    context)
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at ASP.register_aspx.ProcessRequest(HttpContext context) in
    c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
    Files\root\f713f0b2\5f149ca1\App_Web_flrms-p4.18.cs:line 0
    at
    System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    Boolean& completedSynchronously)


    Custom event details:

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    _________________________________________________________
    Error: 2

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 6/22/2008 3:55:32 AM
    Event time (UTC): 6/22/2008 9:55:32 AM
    Event ID: 3ed9343f80c14d97a8000495dec6bd87
    Event sequence: 1
    Event occurrence: 1
    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/1/Root/vote-10-128586021323611738
    Trust level:
    Application Virtual Path: /vote
    Application Path: c:\inetpub\wwwroot\vote\
    Machine name: SIMBA

    Process information:
    Process ID: 2764
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:
    Exception type: HttpException
    Exception message: Server cannot access application directory
    'c:\inetpub\wwwroot\vote\'. The directory does not exist or is not
    accessible because of security settings.

    Request information:
    Request URL: http://simba.windward.net/vote/register.aspx
    Request path: /vote/register.aspx
    User host address: 65.55.209.5
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE

    Thread information:
    Thread ID: 7
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace: at
    System.Web.HttpRuntime.EnsureAccessToApplicationDirectory()
    at System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags
    hostingFlags)

    ----------------------------------------------------
    Error 3:

    Event code: 3003
    Event message: A validation error has occurred.
    Event time: 6/22/2008 11:42:27 AM
    Event time (UTC): 6/22/2008 5:42:27 PM
    Event ID: 9b7d368e50d7465fa0192612aa200f34
    Event sequence: 55
    Event occurrence: 2
    Event detail code: 0

    Application information:
    Application domain: /LM/W3SVC/134438206/Root-5-128585480464695927
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\Inetpub\wwwroot\store\
    Machine name: SIMBA

    Process information:
    Process ID: 2764
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:
    Exception type: HttpRequestValidationException
    Exception message: A potentially dangerous Request.Form value was
    detected from the client
    (ctl00$ContentPlaceHolder1$formRegister$txtUsername="<a href=
    http://psil...").

    Request information:
    Request URL: http://store.windward.net/register.aspx
    Request path: /register.aspx
    User host address: 84.16.224.91
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE

    Thread information:
    Thread ID: 1
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace: at System.Web.HttpRequest.ValidateString(String s,
    String valueName, String collectionName)
    at
    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
    nvc, String collectionName)
    at System.Web.HttpRequest.get_Form()
    at System.Web.HttpRequest.get_HasForm()
    at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
    dontReturnNull)
    at System.Web.UI.Page.DeterminePostBackMode()
    at System.Web.UI.Page.ProcessRequestMain(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
    context)
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at ASP.register_aspx.ProcessRequest(HttpContext context) in
    c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
    Files\root\f713f0b2\5f149ca1\App_Web_flrms-p4.18.cs:line 0
    at
    System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    Boolean& completedSynchronously)


    Custom event details:

    For more information, see Help and Support Center at

    ---------------------------------------
    Error 4:

    Event code: 3003
    Event message: A validation error has occurred.
    Event time: 6/22/2008 12:13:47 PM
    Event time (UTC): 6/22/2008 6:13:47 PM
    Event ID: 67a6806ac07a46d28b25026b09d679ee
    Event sequence: 477
    Event occurrence: 2
    Event detail code: 0

    Application information:
    Application domain:
    /LM/W3SVC/1059338337/Root/apps-2-128585473525179216
    Trust level: Full
    Application Virtual Path: /apps
    Application Path: C:\Inetpub\wwwroot\windwardreports\apps\
    Machine name: SIMBA

    Process information:
    Process ID: 2764
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:
    Exception type: HttpRequestValidationException
    Exception message: A potentially dangerous Request.Form value was
    detected from the client
    (ctl00$ContentPlaceHolder1$wizConsult$cbNewReleases="...r=215628
    <a href="http://foru...").

    Request information:
    Request URL: http://www.windwardreports.com/apps/consult.aspx
    Request path: /apps/consult.aspx
    User host address: 12.150.97.253
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE

    Thread information:
    Thread ID: 13
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace: at System.Web.HttpRequest.ValidateString(String s,
    String valueName, String collectionName)
    at
    System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
    nvc, String collectionName)
    at System.Web.HttpRequest.get_Form()
    at System.Web.HttpRequest.get_HasForm()
    at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
    dontReturnNull)
    at System.Web.UI.Page.DeterminePostBackMode()
    at System.Web.UI.Page.ProcessRequestMain(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest(Boolean
    includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    at System.Web.UI.Page.ProcessRequest()
    at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
    context)
    at System.Web.UI.Page.ProcessRequest(HttpContext context)
    at ASP.consult_aspx.ProcessRequest(HttpContext context) in
    c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
    Files\apps\8ac7d19f\a7c0441c\App_Web_yaqibenw.14.cs:line 0
    at
    System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    Boolean& completedSynchronously)


    Custom event details:

    For more information, see Help and Support Center at

    ------------------------------------------
    Error: 5

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 6/22/2008 4:40:46 PM
    Event time (UTC): 6/22/2008 10:40:46 PM
    Event ID: a4d63ab5eb104510b3096559d9a27f53
    Event sequence: 27
    Event occurrence: 2
    Event detail code: 0

    Application information:
    Application domain:
    /LM/W3SVC/1059338337/Root/vote-6-128585510226679682
    Trust level: Full
    Application Virtual Path: /vote
    Application Path: C:\Inetpub\wwwroot\windwardreports\vote\
    Machine name: SIMBA

    Process information:
    Process ID: 2764
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:
    Exception type: NullReferenceException
    Exception message: Object reference not set to an instance of an
    object.

    Request information:
    Request URL: http://www.windwardreports.com/vote/captcha.aspx
    Request path: /vote/captcha.aspx
    User host address: 65.55.235.201
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE

    Thread information:
    Thread ID: 1
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace: at JpegImage.ProcessRequest(HttpContext context)
    in c:\Inetpub\wwwroot\windwardreports\vote\App_Code\JpegImage.cs:line
    32
    at
    System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    Boolean& completedSynchronously)


    Custom event details:

    For more information, see Help and Support Center at

    --------------------------------------
    Error: 6

    Windows cannot unload your classes registry file - it is still in use
    by other applications or services. The file will be unloaded when it
    is no longer in use.



    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Jun 26, 2008
    #1
    1. Advertising

  2. David Thielen

    bruce barker Guest

    tell you users not to type a "<" into any inputbox. you could add a regexp
    validator to catch it client side. if you want to support entry of "<",
    coded your site to prevent injection attacks, then you can turn off request
    validation.

    -- bruce (sqlwork.com)


    "David Thielen" wrote:

    > Hi;
    >
    > We keep having to restart IIS after ASP.NET kills it. Below is what we
    > have in the event log. Any idea what the problem is?
    >
    > thanks - dave
    >
    > Event code: 3003
    > Event message: A validation error has occurred.
    > Event time: 6/23/2008 9:07:24 AM
    > Event time (UTC): 6/23/2008 3:07:24 PM
    > Event ID: 2f03e4f296b84e55883e2451ad8be3bd
    > Event sequence: 28
    > Event occurrence: 1
    > Event detail code: 0
    >
    > Application information:
    > Application domain: /LM/W3SVC/134438206/Root-4-128587031812871768
    > Trust level: Full
    > Application Virtual Path: /
    > Application Path: C:\Inetpub\wwwroot\store\
    > Machine name: SIMBA
    >
    > Process information:
    > Process ID: 2380
    > Process name: w3wp.exe
    > Account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Exception information:
    > Exception type: HttpRequestValidationException
    > Exception message: A potentially dangerous Request.Form value was
    > detected from the client
    > (ctl00$ContentPlaceHolder1$formRegister$txtUsername="<a href=
    > http://effe...").
    >
    > Request information:
    > Request URL: http://store.windward.net/register.aspx
    > Request path: /register.aspx
    > User host address: 84.16.224.91
    > User:
    > Is authenticated: False
    > Authentication Type:
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Thread information:
    > Thread ID: 1
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    > Is impersonating: False
    > Stack trace: at System.Web.HttpRequest.ValidateString(String s,
    > String valueName, String collectionName)
    > at
    > System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
    > nvc, String collectionName)
    > at System.Web.HttpRequest.get_Form()
    > at System.Web.HttpRequest.get_HasForm()
    > at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
    > dontReturnNull)
    > at System.Web.UI.Page.DeterminePostBackMode()
    > at System.Web.UI.Page.ProcessRequestMain(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > at System.Web.UI.Page.ProcessRequest(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > at System.Web.UI.Page.ProcessRequest()
    > at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
    > context)
    > at System.Web.UI.Page.ProcessRequest(HttpContext context)
    > at ASP.register_aspx.ProcessRequest(HttpContext context) in
    > c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
    > Files\root\f713f0b2\5f149ca1\App_Web_flrms-p4.18.cs:line 0
    > at
    > System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    > at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    > Boolean& completedSynchronously)
    >
    >
    > Custom event details:
    >
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    > _________________________________________________________
    > Error: 2
    >
    > Event code: 3005
    > Event message: An unhandled exception has occurred.
    > Event time: 6/22/2008 3:55:32 AM
    > Event time (UTC): 6/22/2008 9:55:32 AM
    > Event ID: 3ed9343f80c14d97a8000495dec6bd87
    > Event sequence: 1
    > Event occurrence: 1
    > Event detail code: 0
    >
    > Application information:
    > Application domain: /LM/W3SVC/1/Root/vote-10-128586021323611738
    > Trust level:
    > Application Virtual Path: /vote
    > Application Path: c:\inetpub\wwwroot\vote\
    > Machine name: SIMBA
    >
    > Process information:
    > Process ID: 2764
    > Process name: w3wp.exe
    > Account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Exception information:
    > Exception type: HttpException
    > Exception message: Server cannot access application directory
    > 'c:\inetpub\wwwroot\vote\'. The directory does not exist or is not
    > accessible because of security settings.
    >
    > Request information:
    > Request URL: http://simba.windward.net/vote/register.aspx
    > Request path: /vote/register.aspx
    > User host address: 65.55.209.5
    > User:
    > Is authenticated: False
    > Authentication Type:
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Thread information:
    > Thread ID: 7
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    > Is impersonating: False
    > Stack trace: at
    > System.Web.HttpRuntime.EnsureAccessToApplicationDirectory()
    > at System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags
    > hostingFlags)
    >
    > ----------------------------------------------------
    > Error 3:
    >
    > Event code: 3003
    > Event message: A validation error has occurred.
    > Event time: 6/22/2008 11:42:27 AM
    > Event time (UTC): 6/22/2008 5:42:27 PM
    > Event ID: 9b7d368e50d7465fa0192612aa200f34
    > Event sequence: 55
    > Event occurrence: 2
    > Event detail code: 0
    >
    > Application information:
    > Application domain: /LM/W3SVC/134438206/Root-5-128585480464695927
    > Trust level: Full
    > Application Virtual Path: /
    > Application Path: C:\Inetpub\wwwroot\store\
    > Machine name: SIMBA
    >
    > Process information:
    > Process ID: 2764
    > Process name: w3wp.exe
    > Account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Exception information:
    > Exception type: HttpRequestValidationException
    > Exception message: A potentially dangerous Request.Form value was
    > detected from the client
    > (ctl00$ContentPlaceHolder1$formRegister$txtUsername="<a href=
    > http://psil...").
    >
    > Request information:
    > Request URL: http://store.windward.net/register.aspx
    > Request path: /register.aspx
    > User host address: 84.16.224.91
    > User:
    > Is authenticated: False
    > Authentication Type:
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Thread information:
    > Thread ID: 1
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    > Is impersonating: False
    > Stack trace: at System.Web.HttpRequest.ValidateString(String s,
    > String valueName, String collectionName)
    > at
    > System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
    > nvc, String collectionName)
    > at System.Web.HttpRequest.get_Form()
    > at System.Web.HttpRequest.get_HasForm()
    > at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
    > dontReturnNull)
    > at System.Web.UI.Page.DeterminePostBackMode()
    > at System.Web.UI.Page.ProcessRequestMain(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > at System.Web.UI.Page.ProcessRequest(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > at System.Web.UI.Page.ProcessRequest()
    > at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
    > context)
    > at System.Web.UI.Page.ProcessRequest(HttpContext context)
    > at ASP.register_aspx.ProcessRequest(HttpContext context) in
    > c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
    > Files\root\f713f0b2\5f149ca1\App_Web_flrms-p4.18.cs:line 0
    > at
    > System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    > at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    > Boolean& completedSynchronously)
    >
    >
    > Custom event details:
    >
    > For more information, see Help and Support Center at
    >
    > ---------------------------------------
    > Error 4:
    >
    > Event code: 3003
    > Event message: A validation error has occurred.
    > Event time: 6/22/2008 12:13:47 PM
    > Event time (UTC): 6/22/2008 6:13:47 PM
    > Event ID: 67a6806ac07a46d28b25026b09d679ee
    > Event sequence: 477
    > Event occurrence: 2
    > Event detail code: 0
    >
    > Application information:
    > Application domain:
    > /LM/W3SVC/1059338337/Root/apps-2-128585473525179216
    > Trust level: Full
    > Application Virtual Path: /apps
    > Application Path: C:\Inetpub\wwwroot\windwardreports\apps\
    > Machine name: SIMBA
    >
    > Process information:
    > Process ID: 2764
    > Process name: w3wp.exe
    > Account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Exception information:
    > Exception type: HttpRequestValidationException
    > Exception message: A potentially dangerous Request.Form value was
    > detected from the client
    > (ctl00$ContentPlaceHolder1$wizConsult$cbNewReleases="...r=215628
    > <a href="http://foru...").
    >
    > Request information:
    > Request URL: http://www.windwardreports.com/apps/consult.aspx
    > Request path: /apps/consult.aspx
    > User host address: 12.150.97.253
    > User:
    > Is authenticated: False
    > Authentication Type:
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    >
    > Thread information:
    > Thread ID: 13
    > Thread account name: NT AUTHORITY\NETWORK SERVICE
    > Is impersonating: False
    > Stack trace: at System.Web.HttpRequest.ValidateString(String s,
    > String valueName, String collectionName)
    > at
    > System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
    > nvc, String collectionName)
    > at System.Web.HttpRequest.get_Form()
    > at System.Web.HttpRequest.get_HasForm()
    > at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
    > dontReturnNull)
    > at System.Web.UI.Page.DeterminePostBackMode()
    > at System.Web.UI.Page.ProcessRequestMain(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > at System.Web.UI.Page.ProcessRequest(Boolean
    > includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    > at System.Web.UI.Page.ProcessRequest()
    > at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
    > context)
    > at System.Web.UI.Page.ProcessRequest(HttpContext context)
    > at ASP.consult_aspx.ProcessRequest(HttpContext context) in
    > c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
    > Files\apps\8ac7d19f\a7c0441c\App_Web_yaqibenw.14.cs:line 0
    > at
    > System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    > at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
    > Boolean& completedSynchronously)
    >
    >
    > Custom event details:
    >
    > For more information, see Help and Support Center at
    >
    > ------------------------------------------
    > Error: 5
    >
    > Event code: 3005
    > Event message: An unhandled exception has occurred.
    > Event time: 6/22/2008 4:40:46 PM
    > Event time (UTC): 6/22/2008 10:40:46 PM
    > Event ID: a4d63ab5eb104510b3096559d9a27f53
    > Event sequence: 27
    > Event occurrence: 2
    > Event detail code: 0
    >
    > Application information:
    > Application domain:
    > /LM/W3SVC/1059338337/Root/vote-6-128585510226679682
    > Trust level: Full
    > Application Virtual Path: /vote
    > Application Path: C:\Inetpub\wwwroot\windwardreports\vote\
    > Machine name: SIMBA
    >
    > Process information:
     
    bruce barker, Jun 26, 2008
    #2
    1. Advertising

  3. I'm fine with not allowing a '<' in the input box. How do I set it to
    handle this without taking down my site? I thought the ASP.NET
    controls were designed to handle this.

    thanks - dave


    On Thu, 26 Jun 2008 13:28:00 -0700, bruce barker
    <> wrote:

    >tell you users not to type a "<" into any inputbox. you could add a regexp
    >validator to catch it client side. if you want to support entry of "<",
    >coded your site to prevent injection attacks, then you can turn off request
    >validation.
    >
    >-- bruce (sqlwork.com)



    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Jun 26, 2008
    #3
  4. David Thielen

    bruce barker Guest

    the point is the codebehind (your code) may not handle injection values
    correctly, so the request processor throws an error. as I wrote, just
    add a regex validation control to text boxes

    -- bruce (sqlwork.com)

    David Thielen wrote:
    > I'm fine with not allowing a '<' in the input box. How do I set it to
    > handle this without taking down my site? I thought the ASP.NET
    > controls were designed to handle this.
    >
    > thanks - dave
    >
    >
    > On Thu, 26 Jun 2008 13:28:00 -0700, bruce barker
    > <> wrote:
    >
    >> tell you users not to type a "<" into any inputbox. you could add a regexp
    >> validator to catch it client side. if you want to support entry of "<",
    >> coded your site to prevent injection attacks, then you can turn off request
    >> validation.
    >>
    >> -- bruce (sqlwork.com)

    >
    >
    > david@
    > Windward Reports -- http://www.WindwardReports.com
    > me -- http://dave.thielen.com
    >
    > Cubicle Wars - http://www.windwardreports.com/film.htm
     
    bruce barker, Jun 27, 2008
    #4
  5. Hi Dave,

    Yes, as Bruce has mentioned, the error entry indicate that the posted form
    data contains illegal characters(such as markup...) which should be
    prevented in html form input. Is such input really expected for your
    ASP.NET page? If so, you can try turn off request in @page directive:

    #ASP.NET Request Validation and Cross-Site Scripting
    http://weblogs.asp.net/shankun/archive/2004/03/02/82534.aspx

    #Request Validation - Preventing Script Attacks
    http://www.asp.net/learn/whitepapers/request-validation/

    Or if you do want to prevent this in page, as Bruce suggested, the best
    place is validate the input at client-side.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.
    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    >From: David Thielen <>
    >Subject: Re: ASP.NET keeps forcing us to restart IIS
    >Date: Thu, 26 Jun 2008 15:10:05 -0600


    >
    >thanks - dave
    >
    >
    >On Thu, 26 Jun 2008 13:28:00 -0700, bruce barker
    ><> wrote:
    >
    >>tell you users not to type a "<" into any inputbox. you could add a

    regexp
    >>validator to catch it client side. if you want to support entry of "<",
    >>coded your site to prevent injection attacks, then you can turn off

    request
    >>validation.
    >>
    >>-- bruce (sqlwork.com)

    >
    >
    >david@
    >Windward Reports -- http://www.WindwardReports.com
    >me -- http://dave.thielen.com
    >
    >Cubicle Wars - http://www.windwardreports.com/film.htm
    >
     
    Steven Cheng [MSFT], Jun 27, 2008
    #5
  6. Hi;

    Thank you guys - I just assumed everyone handled this properly in the
    code behind so I never thought that a page level check was needed. But
    according to the posts, this is needed.

    So... to keep life simple and have a nicer error message, does anyone
    know what regexp to use to disallow the characters this tests for?
    I'll just put that against our text fields like name, etc - because a
    name can be in Chinese and therefore [A-Z] won't cut it. I figure the
    safe way is to say anything except the disallowed letters.

    thanks - dave


    On Thu, 26 Jun 2008 18:38:02 -0700, bruce barker <>
    wrote:

    >the point is the codebehind (your code) may not handle injection values
    >correctly, so the request processor throws an error. as I wrote, just
    >add a regex validation control to text boxes
    >
    >-- bruce (sqlwork.com)
    >
    >David Thielen wrote:
    >> I'm fine with not allowing a '<' in the input box. How do I set it to
    >> handle this without taking down my site? I thought the ASP.NET
    >> controls were designed to handle this.
    >>
    >> thanks - dave
    >>
    >>
    >> On Thu, 26 Jun 2008 13:28:00 -0700, bruce barker
    >> <> wrote:
    >>
    >>> tell you users not to type a "<" into any inputbox. you could add a regexp
    >>> validator to catch it client side. if you want to support entry of "<",
    >>> coded your site to prevent injection attacks, then you can turn off request
    >>> validation.
    >>>
    >>> -- bruce (sqlwork.com)

    >>
    >>
    >> david@
    >> Windward Reports -- http://www.WindwardReports.com
    >> me -- http://dave.thielen.com
    >>
    >> Cubicle Wars - http://www.windwardreports.com/film.htm



    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Jun 27, 2008
    #6
  7. Hi;

    A follow-up question. Why doesn't the Label control have a property
    where it will HtmlEncode all text making the control safe?

    thanks - dave


    On Fri, 27 Jun 2008 06:18:58 GMT, (Steven
    Cheng [MSFT]) wrote:

    >Hi Dave,
    >
    >Yes, as Bruce has mentioned, the error entry indicate that the posted form
    >data contains illegal characters(such as markup...) which should be
    >prevented in html form input. Is such input really expected for your
    >ASP.NET page? If so, you can try turn off request in @page directive:
    >
    >#ASP.NET Request Validation and Cross-Site Scripting
    >http://weblogs.asp.net/shankun/archive/2004/03/02/82534.aspx
    >
    >#Request Validation - Preventing Script Attacks
    >http://www.asp.net/learn/whitepapers/request-validation/
    >
    >Or if you do want to prevent this in page, as Bruce suggested, the best
    >place is validate the input at client-side.
    >
    >Sincerely,
    >
    >Steven Cheng
    >
    >Microsoft MSDN Online Support Lead



    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Jun 27, 2008
    #7
  8. Thanks for your reply Dave,

    I think the fact is that the validation is more restricted on input data
    from end user since that's the biggest surface for external
    attack(malicious code maybe injected within data input). For Label
    control, since it display data from our internal data, generally it will
    expect those data to be valid or depend on our application's validatio
    policy(whether we'll encode all output or not...). Label control is
    supportting direct html output. For output that need to be restricted, the
    Literal control provide more flexible settings.

    Sincerely,

    Steven Cheng
    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications.

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    >From: David Thielen <>
    >Subject: Re: ASP.NET keeps forcing us to restart IIS
    >Date: Fri, 27 Jun 2008 10:03:27 -0600


    >
    >Hi;
    >
    >A follow-up question. Why doesn't the Label control have a property
    >where it will HtmlEncode all text making the control safe?
    >
    >thanks - dave
    >
    >
    >On Fri, 27 Jun 2008 06:18:58 GMT, (Steven
    >Cheng [MSFT]) wrote:
    >
    >>Hi Dave,
    >>
    >>Yes, as Bruce has mentioned, the error entry indicate that the posted

    form
    >>data contains illegal characters(such as markup...) which should be
    >>prevented in html form input. Is such input really expected for your
    >>ASP.NET page? If so, you can try turn off request in @page directive:
    >>
    >>#ASP.NET Request Validation and Cross-Site Scripting
    >>http://weblogs.asp.net/shankun/archive/2004/03/02/82534.aspx
    >>
    >>#Request Validation - Preventing Script Attacks
    >>http://www.asp.net/learn/whitepapers/request-validation/
    >>
    >>Or if you do want to prevent this in page, as Bruce suggested, the best
    >>place is validate the input at client-side.
    >>
    >>Sincerely,
    >>
    >>Steven Cheng
    >>
    >>Microsoft MSDN Online Support Lead

    >
    >
    >david@
    >Windward Reports -- http://www.WindwardReports.com
    >me -- http://dave.thielen.com
    >
    >Cubicle Wars - http://www.windwardreports.com/film.htm
    >
     
    Steven Cheng [MSFT], Jun 30, 2008
    #8
  9. That makes sense - thanks


    On Mon, 30 Jun 2008 03:47:54 GMT, (Steven
    Cheng [MSFT]) wrote:

    >Thanks for your reply Dave,
    >
    >I think the fact is that the validation is more restricted on input data
    >from end user since that's the biggest surface for external
    >attack(malicious code maybe injected within data input). For Label
    >control, since it display data from our internal data, generally it will
    >expect those data to be valid or depend on our application's validatio
    >policy(whether we'll encode all output or not...). Label control is
    >supportting direct html output. For output that need to be restricted, the
    >Literal control provide more flexible settings.
    >
    >Sincerely,
    >
    >Steven Cheng
    >Microsoft MSDN Online Support Lead
    >
    >
    >Delighting our customers is our #1 priority. We welcome your comments and
    >suggestions about how we can improve the support we provide to you. Please
    >feel free to let my manager know what you think of the level of service
    >provided. You can send feedback directly to my manager at:
    >.
    >
    >==================================================
    >Get notification to my posts through email? Please refer to
    >http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    >ications.
    >
    >==================================================
    >This posting is provided "AS IS" with no warranties, and confers no rights.
    >--------------------
    >>From: David Thielen <>
    >>Subject: Re: ASP.NET keeps forcing us to restart IIS
    >>Date: Fri, 27 Jun 2008 10:03:27 -0600

    >
    >>
    >>Hi;
    >>
    >>A follow-up question. Why doesn't the Label control have a property
    >>where it will HtmlEncode all text making the control safe?
    >>
    >>thanks - dave
    >>
    >>
    >>On Fri, 27 Jun 2008 06:18:58 GMT, (Steven
    >>Cheng [MSFT]) wrote:
    >>
    >>>Hi Dave,
    >>>
    >>>Yes, as Bruce has mentioned, the error entry indicate that the posted

    >form
    >>>data contains illegal characters(such as markup...) which should be
    >>>prevented in html form input. Is such input really expected for your
    >>>ASP.NET page? If so, you can try turn off request in @page directive:
    >>>
    >>>#ASP.NET Request Validation and Cross-Site Scripting
    >>>http://weblogs.asp.net/shankun/archive/2004/03/02/82534.aspx
    >>>
    >>>#Request Validation - Preventing Script Attacks
    >>>http://www.asp.net/learn/whitepapers/request-validation/
    >>>
    >>>Or if you do want to prevent this in page, as Bruce suggested, the best
    >>>place is validate the input at client-side.
    >>>
    >>>Sincerely,
    >>>
    >>>Steven Cheng
    >>>
    >>>Microsoft MSDN Online Support Lead

    >>
    >>
    >>david@
    >>Windward Reports -- http://www.WindwardReports.com
    >>me -- http://dave.thielen.com
    >>
    >>Cubicle Wars - http://www.windwardreports.com/film.htm
    >>



    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Jun 30, 2008
    #9
  10. Anyone with a suggested regexp that will allow any common text
    including CJK, hebrew, & arabic?

    On Fri, 27 Jun 2008 09:55:45 -0600, David Thielen
    <> wrote:

    >Hi;
    >
    >Thank you guys - I just assumed everyone handled this properly in the
    >code behind so I never thought that a page level check was needed. But
    >according to the posts, this is needed.
    >
    >So... to keep life simple and have a nicer error message, does anyone
    >know what regexp to use to disallow the characters this tests for?
    >I'll just put that against our text fields like name, etc - because a
    >name can be in Chinese and therefore [A-Z] won't cut it. I figure the
    >safe way is to say anything except the disallowed letters.
    >
    >thanks - dave



    david@
    Windward Reports -- http://www.WindwardReports.com
    me -- http://dave.thielen.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Jun 30, 2008
    #10
  11. David Thielen

    Norm Guest

    On Jun 30, 9:17 am, David Thielen <> wrote:
    > Anyone with a suggested regexp that will allow any common text
    > including CJK, hebrew, & arabic?
    >
    > On Fri, 27 Jun 2008 09:55:45 -0600, David Thielen
    >
    > <> wrote:
    > >Hi;

    >
    > >Thank you guys - I just assumed everyone handled this properly in the
    > >code behind so I never thought that a page level check was needed. But
    > >according to the posts, this is needed.

    >
    > >So... to keep life simple and have a nicer error message, does anyone
    > >know what regexp to use to disallow the characters this tests for?
    > >I'll just put that against our text fields like name, etc - because a
    > >name can be in Chinese and therefore [A-Z] won't cut it. I figure the
    > >safe way is to say anything except the disallowed letters.

    >
    > >thanks - dave

    >
    > david@
    > Windward Reports --http://www.WindwardReports.com
    > me --http://dave.thielen.com
    >
    > Cubicle Wars -http://www.windwardreports.com/film.htm


    "[^><]*" should work. (Just off the top of my head so test,test,test!)

    Also, the HttpRequestValidationException only accounts for half of the
    errors in that list. Having to restart IIS is a separate issue. Quick
    guess: Rapid-fail settings on the application pool.
     
    Norm, Jun 30, 2008
    #11
  12. David Thielen, Jul 1, 2008
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jack Wright
    Replies:
    0
    Views:
    2,275
    Jack Wright
    Dec 21, 2004
  2. =?Utf-8?B?Q2hyaXN0aWFu?=
    Replies:
    1
    Views:
    4,880
    Brock Allen
    Apr 29, 2005
  3. Replies:
    2
    Views:
    482
  4. Replies:
    3
    Views:
    889
  5. Josef Moellers

    Restart Perl Application upon KDE Restart

    Josef Moellers, Jul 18, 2013, in forum: Perl Misc
    Replies:
    18
    Views:
    284
    Adam H. Kerman
    Jul 26, 2013
Loading...

Share This Page