A potentially dangerous Request.Path value was detected from the client (&)

4 posts, 0 answers
  1. Dogu Tumerdem
    39 posts
    Member since:
    Sep 2006

    Posted 08 May 2014

    Hi,

    We have a problem and are strongly suspicious of the Telerik components regarding this request.

    Our firewall and .NET see the URL below as dangerous because of the first & sign. We checked our scripts and code that have the potential to generate such a URL, but we couldn't find any.

    http://xxx/$$$&?&?$$$?cmd=get_file&arg=block_style.css&sid=2721D35AB490C1FAA14DC203E330729AE1AD88B7

    Can you please check whether your components may generate such a request URL?

    We are getting the first exception and then the second one; even though we cannot find any strong relationship between them, they seem to occur sequentially...

    Telerik.Web.UI version : 2012.1.411.40
    Telerik.Web.UI.Skins version : 2012.1.411.40
    Telerik.Web.Design version : 2012.1.411.40

    Thank you,
    dogu

    First exception:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 06.05.2014 08:48:24
    Event time (UTC): 06.05.2014 05:48:24
    Event ID: e2f92e7b72fb4fedbeacc2af4c66ffc3
    Event sequence: 5897
    Event occurrence: 4
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/1/ROOT-1-130438116095242020
        Trust level: Full
        Application Virtual Path: /
        Application Path: C:\inetpub\wwwroot\
        Machine name: xxx
     
    Process information:
        Process ID: 9652
        Process name: w3wp.exe
        Account name: IIS APPPOOL\ASP.NET v4.0 DefaultAppPool
     
    Exception information:
        Exception type: HttpException
        Exception message: A potentially dangerous Request.Path value was detected from the client (&).
       at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
       at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
     
    Request information:
        Request URL: http://xxx/$$$&?&?$$$?cmd=get_file&arg=block_style.css&sid=2721D35AB490C1FAA14DC203E330729AE1AD88B7
        Request path: /$$$&?&?$$$
        User host address: 1.2.3.4
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: IIS APPPOOL\ASP.NET v4.0 DefaultAppPool
     
    Thread information:
        Thread ID: 148
        Thread account name: IIS APPPOOL\ASP.NET v4.0 DefaultAppPool
        Is impersonating: False
        Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
       at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

    Second Exception:
    System.NullReferenceException: Object reference not set to an instance of an object.
       at Telerik.Web.UI.RadCompression.GetCompressionSettingAttribute()
       at Telerik.Web.UI.RadCompression.ShouldApplyOnPostback()
       at Telerik.Web.UI.RadCompression.ShouldExplicitlyAddContentEncoding()
       at Telerik.Web.UI.RadCompression.application_EndRequest(Object sender, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
  2. Marin Bratanov
    Admin
    3602 posts

    Posted 08 May 2014

    Hello Dogu,

    Our code should not generate such requests. Our controls use webresources extensively, but their URLs are completely different and are generated by .NET.

    What I can suggest at this point is the following:

    • remove RadCompression from the web.config
    • use the scripts and skins CDN to reduce the webresource requests as much as possible to see if they are causing this
    • look into firewall/proxy/other third party software that can truncate/change/block URLs
    • look for url rewriter modules that may be breaking requests
    • try the latest version of our suite (2014.1.403 at present)

    I hope you will manage to find a fix for this situation.


    Regards,

    Marin Bratanov
    Telerik
     

  4. Dogu Tumerdem
    39 posts
    Member since:
    Sep 2006

    Posted 08 May 2014 in reply to Marin Bratanov

    Thank you Marin. Your comment was very helpful for me.
  5. Dogu Tumerdem
    39 posts
    Member since:
    Sep 2006

    Posted 08 May 2014 in reply to Marin Bratanov

    Thank you Marin. It's very helpful.
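
To help with the question raised in this thread (whether the site's own pages produce such requests), the following added example, which is not Telerik's or Microsoft's code, models the path check with ASP.NET 4's default `requestPathInvalidCharacters` set and scans IIS W3C log lines for requests that would fail it, together with their referers. The log lines are constructed, the function names are hypothetical, and the check is a simplified model that reports the first rejected character in the path.

```python
# Added example: simplified model of ASP.NET request-path validation,
# applied to IIS W3C log lines. Not Telerik or Microsoft code.
from collections import namedtuple

# Default <httpRuntime requestPathInvalidCharacters> in ASP.NET 4: <,>,*,%,&,:,\,?
INVALID_PATH_CHARS = set('<>*%&:\\?')

Hit = namedtuple("Hit", "client_ip path bad_char referer")

def first_invalid_char(path):
    """Return the first character the path check would reject, or None."""
    return next((ch for ch in path if ch in INVALID_PATH_CHARS), None)

def triage(log_lines):
    """Return a Hit for every log entry whose URI stem would fail the check."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue                           # other directives, blanks, no header yet
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        bad = first_invalid_char(stem)
        if bad:
            # A missing ("-") or external referer suggests that no page of the
            # site emitted the link, e.g. an automated probe or a rewriting proxy.
            hits.append(Hit(row.get("c-ip"), stem, bad, row.get("cs(Referer)", "-")))
    return hits

# Constructed sample log; the third entry reuses the path from the event log above.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2014-05-06 05:48:20 10.0.0.7 GET /Default.aspx - 200 -
2014-05-06 05:48:22 10.0.0.7 GET /WebResource.axd d=x&t=1 200 http://xxx/Default.aspx
2014-05-06 05:48:24 1.2.3.4 GET /$$$&?&?$$$ cmd=get_file&arg=block_style.css 400 -
""".splitlines()

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h.client_ip} path={h.path!r} rejected={h.bad_char!r} referer={h.referer}")
```

The `&` characters in the query string of the `WebResource.axd` request are not flagged, because the check applies to the path only.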