dangerous request.form in cuteeditor v6.6

Last post 01-21-2011, 2:17 PM by oompah. 8 replies.
Sort Posts: Previous Next
  •  01-15-2011, 8:57 AM 65731

    dangerous request.form in cuteeditor v6.6

    running cutesoft editor in our production environment, running IIS7 app is asp.net v4.0
     
    In my web.config I have the following set
     
    <pages validateRequest="false" enableEventValidation="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
     
     
    but am still getting this error, please advise
     
     

    Error Report for /FISDOnline(PRODUCTION1). This is a production issue.


    A potentially dangerous Request.Form value was detected from the client (CurrentText="

    ...").

    Description: A validation error has occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Web.HttpRequestValid

    Source Error:

    [No relevant source lines]


    Source File: N/A    Line: N/A

    Stack Trace:

       at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
       at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
       at System.Web.HttpRequest.get_Form()
       at System.Web.HttpRequest.get_HasForm()
       at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
       at System.Web.UI.Page.DeterminePostBackMode()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.PopUpSpell.ProcessRequest(HttpContext context)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)



    Event Information:

    Event code: 3003 Event message: A validation error has occurred. Event time: 1/15/2011 12:02:07 AM Event time (UTC): 1/15/2011 5:02:07 AM Event ID: 48e376b6feed4dd0aacc79d55cedfc7e Event sequence: 831 Event occurrence: 2 Event detail code: 0 Application information: Application domain: /LM/W3SVC/4/ROOT-1-129395328264068696 Trust level: Full Application Virtual Path: / Application Path: D:\_Webpages\_canned\it_ajax_net2_PUB\ Machine name: PRODUCTION1 Process information: Process ID: 5296 Process name: w3wp.exe Account name: NT AUTHORITY\NETWORK SERVICE Exception information: Exception type: System.Web.HttpRequestValidationException Exception message: A potentially dangerous Request.Form value was detected from the client (CurrentText="

    ..."). Request information: Request URL: https://secure.incident-tracker.com:443/CuteSoft_Client/CuteEditor/SpellCheck.aspx?Culture=en-US Request path: /CuteSoft_Client/CuteEditor/SpellCheck.aspx User host address: 199.184.205.92 User: Is authenticated: False Authentication Type: Thread account name: NT AUTHORITY\NETWORK SERVICE Thread information: Thread ID: 15 Thread account name: NT AUTHORITY\NETWORK SERVICE Is impersonating: False Stack trace: at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.PopUpSpell.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

  •  01-15-2011, 9:01 AM 65732 in reply to 65731

    Re: dangerous request.form in cuteeditor v6.6

    it appears to be in the spell checker function - whne a dangerous html tag is in the editor and spell check is run I get the error
  •  01-18-2011, 7:16 AM 65768 in reply to 65732

    Re: dangerous request.form in cuteeditor v6.6

    customers are complaining about the spellchecker not working - we must use an alternate product (and soon) if you can not get us an answer
     
     
    go here:
     
    https://security.incident-tracker.com/Submit_Incident.aspx
     
    and try the spellchecker
     
    regards
    -Pat
     
  •  01-18-2011, 8:54 AM 65770 in reply to 65768

    Re: dangerous request.form in cuteeditor v6.6

    Dear Pat,
     
    Please open file "\CuteSoft_Client\CuteEditor\SpellCheck.aspx"
    Change
    <%@ Page  Language="C#" ClassName="PopUpSpell"  %>
    to
    <%@ Page  ValidateRequest="false" Language="C#" ClassName="PopUpSpell"  %>
    After done, please test it again.
    Keep me posted.
     
    Thank you for asking
  •  01-18-2011, 3:02 PM 65774 in reply to 65770

    Re: dangerous request.form in cuteeditor v6.6

    you have ValidateRequest listed twice in that pre-processor directive code statement
     
    the two statements otherwise are identical unless the F in false is case sensitive
     
    want to try again?
  •  01-18-2011, 3:32 PM 65776 in reply to 65774

    Re: dangerous request.form in cuteeditor v6.6

    Dear oompah,
     
    Yes, i have changed it, please check spellcheck.aspx and test it again, if this issue is still existing, please forward your web.config and spellcheck.aspx to [email protected] , i will have a trial on my end.
     
    Thank you for asking
  •  01-18-2011, 3:52 PM 65777 in reply to 65776

    Re: dangerous request.form in cuteeditor v6.6

    the SpellCheck.aspx first line already looks like this
     

    <%@ Page Language="C#" ClassName="PopUpSpell" ValidateRequest="False" %>

    my project web.config looks liek this
     
     
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
     <system.web>
      <machineKey validationKey="A96B2F3BF50A1A2A1B81214A550B89F2A318B3712FB5AC8CD82AF4F3925B3C6ED58CF5F38503629A78BF8C27B1B736C4E84DACE342AB83A42932B44EBC3D7601" decryptionKey="D01201C69DF5E9863133028CBD4E6EEFC45B5E609D7F4107" validation="SHA1" />
      <healthMonitoring enabled="true">
       <rules>
        <add name="All Errors Email" eventName="All Errors" provider="EmailWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:10" />
       </rules>
      </healthMonitoring>
      <pages validateRequest="false" enableEventValidation="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
      </pages>
      <!-- error stuff goes here-->
      <customErrors defaultRedirect="Error.aspx" mode="Off">
       <error statusCode="404" redirect="Error.aspx?e=404" />
      </customErrors>
      <!--
              Set compilation debug="true" to insert debugging
              symbols into the compiled page. Because this
              affects performance, set this value to true only
              during development.
        -->
      <compilation debug="false" targetFramework="4.0">
       <assemblies>
        
        <add assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        <add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
        <add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
        <add assembly="System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /></assemblies>
      </compilation>
     </system.web>
     <location allowOverride="true">
      <appSettings>
       <add key="ProductionServer" value="PRODUCTION1" />
      </appSettings>
      <system.web>
       <sessionState timeout="60" />
      </system.web>
            <system.webServer>
                <httpErrors>
                    <remove statusCode="404" subStatusCode="-1" />
                    <error statusCode="404" prefixLanguageFilePath="" path="/redirects.aspx" responseMode="ExecuteURL" />
                </httpErrors>
            </system.webServer>
     </location>
    </configuration>
     
  •  01-19-2011, 12:04 AM 65781 in reply to 65777

    Re: dangerous request.form in cuteeditor v6.6

    Hi oompah,
     
    Please add the setting below into your web.config
     
    <httpRuntime requestValidationMode=″2.0″ />
     
    Regards,
     
    ken
     
  •  01-21-2011, 2:17 PM 65829 in reply to 65781

    Re: dangerous request.form in cuteeditor v6.6

    great - that fixed it thanks!
View as RSS news feed in XML