
Corrupt URL bypasses ASP.NET 2.0 customErrors settings

Posted Date: September 13, 2010 | Category: .NET Framework
 
A recent security scan of our website has identified a vulnerability which appears to be an issue with ASP.NET itself. By passing a seemingly innocuous yet malicious url the user will bypass the customError settings in the web.config and, instead of getting a friendly error page, will see the "Server Error in '/' Application." error page. The underlying exception is:

[HttpException (0x80004005): xxx is not a valid virtual path.]
System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions options) +8855707

This is easily reproduced by creating a simple website project with a Default.aspx page, an Error.aspx page and customErrors on, pointing to the error.aspx page. Variations of the following url will cause the undesired behavior.

http://localhost/Default.aspx/%2fDefault.aspx%3ffree_text%3d

This occurs on .NET 2.0 and 3.5, but run on .NET 4.0 it handles it as a 404 error. It appears that the bug has been fixed in 4.0, but I'm running 3.5. Has anyone seen this issue or have a solution?

Just out of curiosity I tried the same url on the following sites, which exhibit the same bug.

http://www.myspace.com/Default.aspx/%2fDefault.aspx%3ffree_text%3d
https://www.discountasp.net/Default.aspx/%2fDefault.aspx%3ffree_text%3d




More Related Resource Links

Convert English to Arabic number without changing any regional settings in .net

  
Well, most applications that I worked with were multilingual, supporting an English UI and an Arabic UI.

And one of the major issues that we have faced is displaying Arabic numbers without the need to change the regional settings of the PC.

So the code below will help you to display Arabic numbers without changing any regional settings.

validateRequest appears to be kicking in in MVC RC1 despite settings

  
After upgrading a project to the RC a System.Web.HttpRequestValidationException is thrown when posting a value containing HTML from a TextArea. I have checked that validateRequest=false in Views/web.config, and have set this in the application's root web.config. I have also created a fresh MVC project, created a simple view & controller and posted a simple html paragraph element with the same result. Call stack provided.

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (html=" hello world ").]
System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8718538
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111
System.Web.HttpRequest.get_Form() +129
System.Web.HttpRequestWrapper.get_Form() +11
System.Web.Mvc.ValueProviderDictionary.PopulateDictionary() +113
System.Web.Mvc.ValueProviderDictionary..ctor(ControllerContext controllerContext) +74
System.Web.Mvc.ControllerBase.get_ValueProvider() +31
System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +53
System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +109
System.W

Web Deployment with IIS settings of remote server

  

I'm trying to deploy a web application project (VS 2010) via team build (TFS 2010); I got to use the IIS settings of the development server for deployment. So from the project properties I configured the web projects to use Custom web server (enabled radio button). Once I do this, the option in the tab Package/Publish Web "Include all IIS Settings as configured in IIS manager" gets disabled, and as a result the deployed web project does not have these IIS settings.

What am I missing here? I'm not using the option "Use local IIS Web Server" because the build happens on a build server and would try to take local IIS settings for packaging, which are not present.

If this is not possible, suggest me any workaround. Any help on this is greatly appreciated.


User Preferences: Manage User Settings in Your .NET App with a Custom Preferences API

  

There are plenty of options out there for managing user preferences including custom configuration files, the Windows registry, and the isolated storage. But each option has its pros and cons -- and a bad choice can make life difficult. In this article, the author evaluates various options and identifies the characteristics of a good preferences API. Based on those characteristics, he introduces an API that is specifically designed for preferences management, one that offers the best of all the options.

Ray Djajadinata

MSDN Magazine July 2004


Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code

  

Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API.

Alek Davis

MSDN Magazine November 2003


Page layout list not displaying in page settings

  

Hi

I have 4 different custom page layouts in my publishing site at the site collection level. I have one site named "Services" in the site collection. When I create a page, I select one page layout from the above 4. But when I go to the page settings of that page to change its page layout, I can see only the one page layout which this page is based on.

The problem is: why are all the page layouts not listed there? I checked the "Page layout and site templates" settings from Look and Feel in Site Settings; this is set to "Pages in this site can use any layout".

Please help..!

Thanks in advance.


Regards

Sandip Patil

Sharepoint Developer

worldofsharepoint.com


Apply custom.master to "Site Settings" page?

  

I'm using a custom.master page, which is applied to almost all pages available to READ users.

However, I'd like to apply it to the Search, Site Settings, and View All Site Content pages.

I'm not sure where this would be applied.

Guidance much appreciated. Thanks!


If you have SharePoint Document Versioning Enabled, do you also use the retention settings?

  
I am looking for stats on how many environments are out there using document versioning in their libraries but are perhaps not selecting the retention settings (e.g. the "Optionally limit the number of versions to retain" section). This, as we all know, is a major cause of database growth in SharePoint.
Tony Parker, MSCE . MCTP. MCITP "Anything worth doing, is worth doing right"

Programmatically Hide Master Pages from Site Master Page Settings page?

  

Hi,

I know there is a field you can check when you edit the properties of a Master Page in the Master Page Gallery to set a Master Page to hidden but ... can anyone think of a way to programmatically hide specific Master Pages from the Site Master Page Settings page?

Maybe this should be two questions:

  1. How do I programmatically access a Master Page in a Master Page Gallery?
  2. Is there a property that can be set that will hide the page from the Site Master Page Settings page?

corrupt html from custom control on win2003/iis6 box

  

Hello everyone -- first time poster and relative newcomer to the boards.  This bug I'm tackling has me at my wits' end and it's come time to turn to the masses!  If this is posted in the wrong forum and/or has already been addressed, I apologize.  However, I've done thorough searches and haven't come across anything akin to what I'm facing.

I'm working with a website that has a set of custom controls, all descending from a base class.  These controls take DataSets returned from web services and render custom html by overriding the Render method.  Everything works fine on my local box and my coworker's box (both xp machines running iis 5).  However, on our server (windows server 2003, 64-bit, iis 6), the html rendered by the browser appears corrupt, with garbage replacing individual characters, as follows:

-         

Printing settings?

  
Hi all, I want to print an HTML file using webbrowser control in C# and I want to print it in A5 paper size without showing page setup dialog to the user. What can I do? Please help on this. thanks.

Cross validation report - settings

  
Hi, I am currently running a logistic regression model, and a resulting cross validation report, in SQL 2008. A large amount of analysis is done on the data before it is run into the logistic regression algorithm to ensure its predictiveness, and that multicollinearity does not reside with the dataset. Due to the fact that the dataset is streamlined before it is run into the logistic regression algorithm, the maximum number of input and output variables are set at 0. The system never exceeds 20 variables at the best of times (Dataset is discrete in nature). The remainder of the settings for the logistic regression algorithm are set at default.

The cross validation report settings are as follows:
"Data set" - Use test cases
"target attribute" - Applicable variable that is being predicted within the logistic regression algorithm
"target state" - 0
"target threshold" - 95
"test list" - null

The issue that I face is that the log score that is usually returned by the cross validation report is negative, e.g. gets very close to 0 but never crosses into positive territory. (I interpret this as being not a great result.) I have tried to run different datasets through the algorithm, and have adjusted the "target threshold" downwards, but I unfortunately seem to encounter the same issue on each run. Do you have any suggestions as to how this can be improved? Do I for instance,