Hi Dave,
Welcome here.
From your description, you're encountering some "Cross Site Attack"
exceptions when you've turned off the pages/@validateRequest setting in
web.config, yes?
As you mentioned that the problem occured sometimes, so this is a randomly
occurs behavior ,yes? If so, I'm wondering whether it is something else
which cause this problem. Have you tried put a simple aspx page with some
entry fields on this and use some SQL injections code to post that page to
see whether it will raise such error? (remain the valiationRequest turn
off..)
Also, is it possible that we isolate the problem to a particular page? If
possible, would you provide some detaild code description on that page so
that we can perform some tests on our side.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| NNTP-Posting-Date: Thu, 10 Nov 2005 22:52:17 -0600
| From: "Dave H" <
[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| References: <
[email protected]>
<OV#
[email protected]>
| Subject: Re: validateRequest
| Date: Thu, 10 Nov 2005 20:52:15 -0800
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1506
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
| Message-ID: <
[email protected]>
| Lines: 34
| NNTP-Posting-Host: 67.180.218.69
| X-Trace:
sv3-g4cR4RmDza6WKwOL6Lvbyv3bHAhbMvXwk8HxXHcmVysDeSoDNpPr54iYxnjb6gptgWAIbn2T
gxG7oh0!O7MKn8SlJCbWOL7RqtNLBM/N0b5lTzkTMqFK/UWgVtDjAHyBsefo3d7F+G/9BtIvzvbG
YFMxfnUa!fXU4
| X-Complaints-To: (e-mail address removed)
| X-DMCA-Complaints-To: (e-mail address removed)
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.gigan
ews.com!local01.nntp.dca.giganews.com!nntp.comcast.com!news.comcast.com.POST
ED!not-for-mail
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:357274
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
|
| I'm really wondering more, why this one server has this behavior, and
others
| don't.
|
| | > Dave H wrote:
| > > If put this into my Web.config. Shouldn't this turn off the
| > > ValiateRequest app wide?
| > >
| > > <configuration>
| > >
| > > <system.web>
| > >
| > > <pages buffer="true" validateRequest="false" />
| > >
| > > I pass SQL around to pages, and sometimes, this causes the 'Cross Site
| > > Attack' warning. I just want to turn it off comepltely.
| > >
| > > I also tried just putting it in the page header, I still ghet the
| > > error. Am I missing something else? I only get it on a new server I
| > > just setup, not any of my others.
| > >
| > > Ideas? Thanks, Dave
| > Ummmm - stop passing SQL around to pages?
| > --
| > Microsoft MVP -- ASP/ASP.NET
| > Please reply to the newsgroup. The email account listed in my From
| > header is my spam trap, so I don't check it very often. You will get a
| > quicker response by posting to the newsgroup.
| >
| >
|
|
|