security error when trying to host asp.net application, please help
A potentially dangerous Request.QueryString value was detected from the client (_ccfData="<root><ApplicationDa...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (_ccfData="<root><ApplicationDa...").
Source Error:
[No relevant source lines]
Source File: d:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\a222cc1f\a429575a\App_Web_iuc0pnby.2.cs
Line: 0
Stack Trace:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (_ccfData="<root><ApplicationDa...").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +3219534
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +108
   System.Web.HttpRequest.get_QueryString() +119
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +2025160
   System.Web.UI.Page.DeterminePostBackMode() +60
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +154
   System.Web.UI.Page.ProcessRequest() +86
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.login_aspx.ProcessRequest(HttpContext context) in d:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\a222cc1f\a429575a\App_Web_iuc0pnby.2.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.210
[3035 byte] By [Al-Arabi] at [2008-2-14]
You have three options here:
1) If you have access to the application in question (and if it is not exposed to the web) you could look at turning off the security check. The security check is part of ASP.NET and if you view this page about a third of the way (securing the code section) down they show how to turn it on on both page level and a global level via the web.config. In your case you would change that to false instead of true. Not really a great option to use and I definitely wouldn't use it if the application is exposed to the web but maybe in an intranet situation it could work.
2) Use the .Net 2.0 version of CCF, which has an option you can put in the application settings to not pass those parameters. For more details on usage see the CCF .Net 2.0 Developers guide pages 99 and 100. I haven't used it before personally, so unfortunately I can't say more on it.
3) You can write a web adapter which changes the URL to not include the _ccfData bit. This works in CCF .Net 1.1, but fails if your page is doing a redirect (not sure if it affects both redirects via meta refreshes and from HTTP 300 messages, never looked into it that much) as the page after the redirect will get the _ccfData as the redirected page doesn't go through the adapter (a definite pain in the butt and failing of the CCF team to not think that ALL requests should go through the adapter). The adapter is very easy to write as there is an excellent example with CCF in: \SourceCode\Microsoft.Ccf.Samples\DemoCode\CCFDemoApps\ApplicationAdapters
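
Option 3 depends on removing _ccfData from the URL before the hosted page receives it, which keeps ASP.NET request validation switched on. The C# below is an added example, not code from the original post or from the CCF samples: the class and method names are hypothetical, the sample URL is constructed, and the CCF adapter hook that would call it is not shown.

```csharp
using System;
using System.Collections.Generic;

// Added example, not CCF code: removes one named parameter from a URL's query
// string and leaves every other part of the URL byte-for-byte unchanged.
public static class QueryParameterStripper   // hypothetical name
{
    public static string Strip(string url, string name)
    {
        // Split off the fragment first so a '?' or '&' inside it is never parsed.
        string fragment = "";
        int hash = url.IndexOf('#');
        if (hash >= 0) { fragment = url.Substring(hash); url = url.Substring(0, hash); }

        int q = url.IndexOf('?');
        if (q < 0) return url + fragment;            // no query string at all

        string path = url.Substring(0, q);
        List<string> kept = new List<string>();
        foreach (string pair in url.Substring(q + 1).Split('&'))
        {
            if (pair.Length == 0) continue;          // tolerate "a=1&&b=2"
            int eq = pair.IndexOf('=');
            string rawKey = eq < 0 ? pair : pair.Substring(0, eq);
            // Decode the key before comparing so "%5FccfData" is matched too.
            string key = Uri.UnescapeDataString(rawKey.Replace('+', ' '));
            // ASP.NET looks up query-string keys case-insensitively, so the
            // comparison here must be case-insensitive as well.
            if (!string.Equals(key, name, StringComparison.OrdinalIgnoreCase))
                kept.Add(pair);                      // keep the original encoding
        }
        string query = kept.Count > 0 ? "?" + string.Join("&", kept.ToArray()) : "";
        return path + query + fragment;
    }

    public static void Main()
    {
        // Constructed sample URL; host and parameter values are placeholders.
        string url = "http://intranet.example/login.aspx?user=al"
                   + "&_ccfData=%3Croot%3E%3C%2Froot%3E&lang=en#top";
        Console.WriteLine(Strip(url, "_ccfData"));
    }
}
```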