views:

971

answers:

2

In my ASP.NET 1.1 application, I am compressing and replacing the hidden Viewstate variable with an alternate compressed value, stored in a hidden field called __VSTATE. This works well but on a few occasions, submitting a page causes the common "potentially dangerous Request.Form value ..." error.

I examined the __VSTATE value and nothing seems to be potentially dangerous. I was able to reproduce the error with a completely stripped down version of the page and __VSTATE value as shown below. Pressing the submit button causes the error. The page works fine if I change the value to "".

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <body MS_POSITIONING="FlowLayout">

    <form id="Form1" method="post" runat="server">
      <input type="hidden" id="__VSTATE" runat="server" value="Onw=" />
      <asp:Button ID="btnSubmit" Runat="server" Text="Submit" />
    </form>

  </body>
</html>

Changing the field name to "MyHiddenWT" made no difference. Removing the runat="server" did stop the error but that just means that .NET only examines server side controls. I also tried some additional values and found that of the following:

"Anw=", "Bnw=", "Cnw=", ... "Nnw=", "Onw=", "Pnw=", ... "Znw=",

"Onw=" is the only one that causes the problem. Is the captial O being seen as an octal value somehow?

Can someone explain why this value is triggering the error message? I'm also looking for a solution but, please, do not tell me to remove page validation. That's the same as saying a car with bad brakes can be fixed by not driving the car.

Thank you in advance.

+1  A: 

My first guess is that it looks like a "OnSomething=" javascript event declaration.

It's a little weird that only the capital O triggers the error, did you test on the lowercase o as well?

Can you try these: "OnClick=", "abc OnClick=", "onclick=", "abc onclick=", "anw=", "bnw=", ...


If "OnSomething=x" javascript is a problem, then simply adding another character to your values should do the trick. Maybe a simple 'v' should do.

<input type="hidden" id="__VSTATE" runat="server" value="vOnw=" />

And then on submit, you remove the extra character before decoding.

Or better yet, upgrade to 2.0.

chakrit
A: 

You've got the essence of the reason. Here's the best link in a response I got from another site:

http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.security/browse_thread/thread/d91d89511401e979

ZLA