views:

47

answers:

1

This is a follow up to my post back in August: http://stackoverflow.com/questions/1225042/asks-for-ad-credentials-connection-interrupted-on-postback

The issue popped up again for a new record and I have determined that the offending text is "... Sharepoint site[semi-colon] update team schedule ...". Notice that "[semi-colon] update team"? It's perfectly valid, not SQL injection. Change it to a comma, it submits no problem. Change the "update" to another SQL keyword, the user gets prompted for their credentials (which are always rejected) and then displays the IIS 401.1 page.

Yes, you need to replace the [semi-colon] with the character, because SO won't let me post.

In the @Page, I have ValidateRequest="false" (yes, the contents from the textboxes are going through HttpUtility.HtmlEncode as parameterized input to a stored procedure)

Any ideas?

+1  A: 

This sounds like a load balancer or similar that is seeing ;update and suspecting SQL injection. Look for a piece of offending hardware between you and the web server.

To confirm, try posting the offending text from a session directly on the web server itself. I am guessing that you will have no problem doing so.

RedFilter
Thanks! This appears to be the case, when I find out *what* piece of equipment it is, I'll update for anyone else who happens upon this.
weffey
I just got confirmation that the intrusion detection system is 100% to blame. Thanks again.
weffey