ASP.NET keeps forcing us to restart IIS

[David Thielen]

Hi;

We keep having to restart IIS after ASP.NET kills it. Below is what we
have in the event log. Any idea what the problem is?

thanks - dave

Event code: 3003
Event message: A validation error has occurred.
Event time: 6/23/2008 9:07:24 AM
Event time (UTC): 6/23/2008 3:07:24 PM
Event ID: 2f03e4f296b84e55883e2451ad8be3bd
Event sequence: 28
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/134438206/Root-4-128587031812871768
Trust level: Full
Application Virtual Path: /
Application Path: C:\Inetpub\wwwroot\store\
Machine name: SIMBA

Process information:
Process ID: 2380
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: HttpRequestValidationException
Exception message: A potentially dangerous Request.Form value was
detected from the client
(ctl00$ContentPlaceHolder1$formRegister$txtUsername="<a href=
http://effe...").

Request information:
Request URL: http://store.windward.net/register.aspx
Request path: /register.aspx
User host address: 84.16.224.91
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 1
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.HttpRequest.ValidateString(String s,
String valueName, String collectionName)
at
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.register_aspx.ProcessRequest(HttpContext context) in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files\root\f713f0b2\5f149ca1\App_Web_flrms-p4.18.cs:line 0
at
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean& completedSynchronously)


Custom event details:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

_________________________________________________________
Error: 2

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6/22/2008 3:55:32 AM
Event time (UTC): 6/22/2008 9:55:32 AM
Event ID: 3ed9343f80c14d97a8000495dec6bd87
Event sequence: 1
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/Root/vote-10-128586021323611738
Trust level:
Application Virtual Path: /vote
Application Path: c:\inetpub\wwwroot\vote\
Machine name: SIMBA

Process information:
Process ID: 2764
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: HttpException
Exception message: Server cannot access application directory
'c:\inetpub\wwwroot\vote\'. The directory does not exist or is not
accessible because of security settings.

Request information:
Request URL: http://simba.windward.net/vote/register.aspx
Request path: /vote/register.aspx
User host address: 65.55.209.5
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 7
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at
System.Web.HttpRuntime.EnsureAccessToApplicationDirectory()
at System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags
hostingFlags)

----------------------------------------------------
Error 3:

Event code: 3003
Event message: A validation error has occurred.
Event time: 6/22/2008 11:42:27 AM
Event time (UTC): 6/22/2008 5:42:27 PM
Event ID: 9b7d368e50d7465fa0192612aa200f34
Event sequence: 55
Event occurrence: 2
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/134438206/Root-5-128585480464695927
Trust level: Full
Application Virtual Path: /
Application Path: C:\Inetpub\wwwroot\store\
Machine name: SIMBA

Process information:
Process ID: 2764
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: HttpRequestValidationException
Exception message: A potentially dangerous Request.Form value was
detected from the client
(ctl00$ContentPlaceHolder1$formRegister$txtUsername="<a href=
http://psil...").

Request information:
Request URL: http://store.windward.net/register.aspx
Request path: /register.aspx
User host address: 84.16.224.91
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 1
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.HttpRequest.ValidateString(String s,
String valueName, String collectionName)
at
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.register_aspx.ProcessRequest(HttpContext context) in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files\root\f713f0b2\5f149ca1\App_Web_flrms-p4.18.cs:line 0
at
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean& completedSynchronously)


Custom event details:

For more information, see Help and Support Center at

---------------------------------------
Error 4:

Event code: 3003
Event message: A validation error has occurred.
Event time: 6/22/2008 12:13:47 PM
Event time (UTC): 6/22/2008 6:13:47 PM
Event ID: 67a6806ac07a46d28b25026b09d679ee
Event sequence: 477
Event occurrence: 2
Event detail code: 0

Application information:
Application domain:
/LM/W3SVC/1059338337/Root/apps-2-128585473525179216
Trust level: Full
Application Virtual Path: /apps
Application Path: C:\Inetpub\wwwroot\windwardreports\apps\
Machine name: SIMBA

Process information:
Process ID: 2764
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: HttpRequestValidationException
Exception message: A potentially dangerous Request.Form value was
detected from the client
(ctl00$ContentPlaceHolder1$wizConsult$cbNewReleases="...r=215628
<a href="http://foru...").

Request information:
Request URL: http://www.windwardreports.com/apps/consult.aspx
Request path: /apps/consult.aspx
User host address: 12.150.97.253
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 13
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.HttpRequest.ValidateString(String s,
String valueName, String collectionName)
at
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean
dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext
context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.consult_aspx.ProcessRequest(HttpContext context) in
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET
Files\apps\8ac7d19f\a7c0441c\App_Web_yaqibenw.14.cs:line 0
at
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean& completedSynchronously)


Custom event details:

For more information, see Help and Support Center at

------------------------------------------
Error: 5

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6/22/2008 4:40:46 PM
Event time (UTC): 6/22/2008 10:40:46 PM
Event ID: a4d63ab5eb104510b3096559d9a27f53
Event sequence: 27
Event occurrence: 2
Event detail code: 0

Application information:
Application domain:
/LM/W3SVC/1059338337/Root/vote-6-128585510226679682
Trust level: Full
Application Virtual Path: /vote
Application Path: C:\Inetpub\wwwroot\windwardreports\vote\
Machine name: SIMBA

Process information:
Process ID: 2764
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: NullReferenceException
Exception message: Object reference not set to an instance of an
object.

Request information:
Request URL: http://www.windwardreports.com/vote/captcha.aspx
Request path: /vote/captcha.aspx
User host address: 65.55.235.201
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

Thread information:
Thread ID: 1
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at JpegImage.ProcessRequest(HttpContext context)
in c:\Inetpub\wwwroot\windwardreports\vote\App_Code\JpegImage.cs:line
32
at
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step,
Boolean& completedSynchronously)


Custom event details:

For more information, see Help and Support Center at

--------------------------------------
Error: 6

Windows cannot unload your classes registry file - it is still in use
by other applications or services. The file will be unloaded when it
is no longer in use.



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[bruce barker]

tell you users not to type a "<" into any inputbox. you could add a regexp
validator to catch it client side. if you want to support entry of "<",
coded your site to prevent injection attacks, then you can turn off request
validation.

-- bruce (sqlwork.com)

 

[David Thielen]

I'm fine with not allowing a '<' in the input box. How do I set it to
handle this without taking down my site? I thought the ASP.NET
controls were designed to handle this.

thanks - dave

tell you users not to type a "<" into any inputbox. you could add a regexp
validator to catch it client side. if you want to support entry of "<",
coded your site to prevent injection attacks, then you can turn off request
validation.

-- bruce (sqlwork.com)

david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[bruce barker]

the point is the codebehind (your code) may not handle injection values
correctly, so the request processor throws an error. as I wrote, just
add a regex validation control to text boxes

-- bruce (sqlwork.com)

 

[Steven Cheng [MSFT]]

Hi Dave,

Yes, as Bruce has mentioned, the error entry indicate that the posted form
data contains illegal characters(such as markup...) which should be
prevented in html form input. Is such input really expected for your
ASP.NET page? If so, you can try turn off request in @page directive:

#ASP.NET Request Validation and Cross-Site Scripting
http://weblogs.asp.net/shankun/archive/2004/03/02/82534.aspx

#Request Validation - Preventing Script Attacks
http://www.asp.net/learn/whitepapers/request-validation/

Or if you do want to prevent this in page, as Bruce suggested, the best
place is validate the input at client-side.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

 

[David Thielen]

Hi;

Thank you guys - I just assumed everyone handled this properly in the
code behind so I never thought that a page level check was needed. But
according to the posts, this is needed.

So... to keep life simple and have a nicer error message, does anyone
know what regexp to use to disallow the characters this tests for?
I'll just put that against our text fields like name, etc - because a
name can be in Chinese and therefore [A-Z] won't cut it. I figure the
safe way is to say anything except the disallowed letters.

thanks - dave

the point is the codebehind (your code) may not handle injection values
correctly, so the request processor throws an error. as I wrote, just
add a regex validation control to text boxes

-- bruce (sqlwork.com)

david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[David Thielen]

Hi;

A follow-up question. Why doesn't the Label control have a property
where it will HtmlEncode all text making the control safe?

thanks - dave

Hi Dave,

Yes, as Bruce has mentioned, the error entry indicate that the posted form
data contains illegal characters(such as markup...) which should be
prevented in html form input. Is such input really expected for your
ASP.NET page? If so, you can try turn off request in @page directive:

#ASP.NET Request Validation and Cross-Site Scripting
http://weblogs.asp.net/shankun/archive/2004/03/02/82534.aspx

#Request Validation - Preventing Script Attacks
http://www.asp.net/learn/whitepapers/request-validation/

Or if you do want to prevent this in page, as Bruce suggested, the best
place is validate the input at client-side.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[Steven Cheng [MSFT]]

Thanks for your reply Dave,

I think the fact is that the validation is more restricted on input data
from end user since that's the biggest surface for external
attack(malicious code maybe injected within data input). For Label
control, since it display data from our internal data, generally it will
expect those data to be valid or depend on our application's validatio
policy(whether we'll encode all output or not...). Label control is
supportting direct html output. For output that need to be restricted, the
Literal control provide more flexible settings.

Sincerely,

Steven Cheng
Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

 

[David Thielen]

That makes sense - thanks

Thanks for your reply Dave,

I think the fact is that the validation is more restricted on input data
from end user since that's the biggest surface for external
attack(malicious code maybe injected within data input). For Label
control, since it display data from our internal data, generally it will
expect those data to be valid or depend on our application's validatio
policy(whether we'll encode all output or not...). Label control is
supportting direct html output. For output that need to be restricted, the
Literal control provide more flexible settings.

Sincerely,

Steven Cheng
Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[David Thielen]

Anyone with a suggested regexp that will allow any common text
including CJK, hebrew, & arabic?

Hi;

Thank you guys - I just assumed everyone handled this properly in the
code behind so I never thought that a page level check was needed. But
according to the posts, this is needed.

So... to keep life simple and have a nicer error message, does anyone
know what regexp to use to disallow the characters this tests for?
I'll just put that against our text fields like name, etc - because a
name can be in Chinese and therefore [A-Z] won't cut it. I figure the
safe way is to say anything except the disallowed letters.

thanks - dave

david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm

 

[Norm]

Anyone with a suggested regexp that will allow any common text
including CJK, hebrew, & arabic?

Hi;

Thank you guys - I just assumed everyone handled this properly in the
code behind so I never thought that a page level check was needed. But
according to the posts, this is needed.

So... to keep life simple and have a nicer error message, does anyone
know what regexp to use to disallow the characters this tests for?
I'll just put that against our text fields like name, etc - because a
name can be in Chinese and therefore [A-Z] won't cut it. I figure the
safe way is to say anything except the disallowed letters.

thanks - dave

david@[email protected]
Windward Reports --http://www.WindwardReports.com
me --http://dave.thielen.com

Cubicle Wars -http://www.windwardreports.com/film.htm

"[^><]*" should work. (Just off the top of my head so test,test,test!)

Also, the HttpRequestValidationException only accounts for half of the
errors in that list. Having to restart IIS is a separate issue. Quick
guess: Rapid-fail settings on the application pool.

 

[David Thielen]

that worked great - thanks - dave

....

"[^><]*" should work. (Just off the top of my head so test,test,test!)

david@[email protected]
Windward Reports -- http://www.WindwardReports.com
me -- http://dave.thielen.com

Cubicle Wars - http://www.windwardreports.com/film.htm