• Toll-free  888-665-8637
  • International  +1 717-220-0012
CorneliuTusnea
#1 Posted : Tuesday, October 10, 2006 12:14:47 AM(UTC)
CorneliuTusnea

Rank: Member

Joined: 8/17/2006(UTC)
Posts: 681

Guys,

I only opened the website a few hours ago (not even one day) and I have 76 (seventy-six) pages of such messages in the EventLog:

A potentially dangerous Request.Form value was detected from the client (ctl00$PostContentColumn$ctl00$KeywordField="<!--#include file="C...").[ at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.bvmodules_categorytemplates_2_grid2_category_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) ]

Invalid character in a Base-64 string.[ at System.Convert.FromBase64String(String s) at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) at System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) at System.Web.UI.ClientscriptManager.EnsureEventValidationFieldLoaded() ]

One of the identified items was in an invalid format.[ at Microsoft.VisualBasic.CompilerServices.Utils.IsHexOrOctValue(String Value, Int64& i64Value) at Microsoft.VisualBasic.CompilerServices.Conversions.ToInteger(String Value) ]

Requested Category of id SomeCustomInjectedHeader:injected_by_wvs was not found

Requested Category of id ../../../../../../../../boot.ini.html was not found

Should I be worried?



1. What can I do to prevent these things?

2. What can I do to not have all these logged if I don't have to be worried?



Thanks,

Corneliu.
http://www.bestgames.com.au
http://www.bestchess.com.au



BV Product Links, Details and Signatures: Improve your customer experience:

http://www.acorns.com.au/projects/bv/quicklink/
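
One way to triage the messages quoted in the post above, as an added example that is not part of the original thread or of the store software: it groups the messages by the stage that raised them and lists the probe strings that got as far as the category lookup. The rule labels, stage names and the last sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the five message types quoted in the post (stack traces
# trimmed), plus one constructed ordinary miss for contrast.
SAMPLE_EVENTS = [
    'A potentially dangerous Request.Form value was detected from the client '
    '(ctl00$PostContentColumn$ctl00$KeywordField="<!--#include file="C...").',
    'Invalid character in a Base-64 string.',
    'One of the identified items was in an invalid format.',
    'Requested Category of id SomeCustomInjectedHeader:injected_by_wvs was not found',
    'Requested Category of id ../../../../../../../../boot.ini.html was not found',
    'Requested Category of id 1234 was not found',
]

# (label, stage that raised the message, pattern). First match wins, so the
# specific category-id rules come before the generic one.
RULES = [
    ("request-validation", "framework", re.compile(r"potentially dangerous Request\.\w+ value")),
    ("tampered-state-field", "framework", re.compile(r"Invalid character in a Base-64 string")),
    ("type-conversion", "conversion", re.compile(r"identified items was in an invalid format")),
    ("path-traversal-id", "lookup", re.compile(r"Requested Category of id .*\.\.[/\\]")),
    ("scanner-marker-id", "lookup", re.compile(r"Requested Category of id .*injected_by_wvs")),
    ("unknown-category-id", "lookup", re.compile(r"Requested Category of id ")),
]

def classify(message):
    """Return (label, stage) for one event-log message."""
    for label, stage, pattern in RULES:
        if pattern.search(message):
            return label, stage
    return "unclassified", "unknown"

def triage(messages):
    """Count messages per label; collect probe strings that reached the lookup."""
    counts, reached_lookup = Counter(), []
    for msg in messages:
        label, stage = classify(msg)
        counts[label] += 1
        if stage == "lookup" and label != "unknown-category-id":
            reached_lookup.append(msg)
    return counts, reached_lookup

if __name__ == "__main__":
    counts, reached = triage(SAMPLE_EVENTS)
    for label, n in counts.most_common():
        print(f"{n:4d}  {label}")
    print("probe strings that reached the category lookup:")
    for msg in reached:
        print("   ", msg)
```

The messages in the "lookup" group are the ones to review first, since they show request input being used as a category id before it was rejected as not found.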

Dean
#2 Posted : Tuesday, October 10, 2006 1:47:34 AM(UTC)
Dean

Rank: Member

Joined: 2/20/2005(UTC)
Posts: 282

You can duplicate the error by placing many common html tags in the text box (example "<b>" ).

In your case, it looks like someone is up to no good (KeywordField="<!--#include file="C..."). You might want to close the store overnight until some skilled eyes get a chance to look at what is going on.

I will watch this post to see how everything transpires.
CorneliuTusnea
#3 Posted : Tuesday, October 10, 2006 4:40:47 AM(UTC)
CorneliuTusnea

Rank: Member

Joined: 8/17/2006(UTC)
Posts: 681

Ok.
I found the "guilty" person. One of my friends whom I asked to check and test my website tried to see how fast does it fail. It didn't.
I had 768 messages in the event log, about 700 of them related to his tests.
No "strange" behaviour of the website for now :) All good for now.

Also, it's worth configuring your web.config with:
<customErrors mode="On" ...
and some error page.

Regards,
Corneliu.
http://www.bestgames.com.au
http://www.bestchess.com.au



BV Product Links, Details and Signatures: Improve your customer experience:

http://www.acorns.com.au/projects/bv/quicklink/

Matt@9BallDesign
#4 Posted : Tuesday, October 10, 2006 6:25:55 AM(UTC)
Matt@9BallDesign

Rank: Member

Joined: 12/23/2003(UTC)
Posts: 909

Originally Posted by: "Corneliu"

(tried to see how fast does it fail. It didn't.)
Good Work BV!!
Matt Martell


http://www.9balldesign.com - Web, Print, Graphic


http://www.martellhardware.com/ - Decorative & Builder's Hardware

------------------------------------------------
Dean
#5 Posted : Tuesday, October 10, 2006 8:28:38 AM(UTC)
Dean

Rank: Member

Joined: 2/20/2005(UTC)
Posts: 282

Originally Posted by: "Corneliu"

Also, it's worth configuring your web.config with:
<customErrors mode="On" ...
and some error page.
Always! You don't want your customer seeing an ugly error page. A well worded error page that matches the theme on your site can maintain the customer's trust in your site when things don't go just the way they should. The standard system error page would probably cause your shopper to take a hike.
©2024 Develisys. All rights reserved.