This is a migrated thread and some comments may be shown as answers.

A potentially dangerous Request.Path value was detected from the client (&)

Dogu asked on 08 May 2014, 08:52 AM
Hi,

We have a problem and strongly suspect that Telerik components are involved in this request.

Our firewall and .NET see the URL below as dangerous because of the first & sign. We checked our scripts and code that could potentially generate such a URL, but we couldn't find anything.

http://xxx/$$$&?&?$$$?cmd=get_file&arg=block_style.css&sid=2721D35AB490C1FAA14DC203E330729AE1AD88B7

Can you please check whether your components may generate such a request URL?

We are getting the first exception and then the second one. Even though we cannot find any strong relationship between them, they seem to occur sequentially...

Telerik.Web.UI version : 2012.1.411.40
Telerik.Web.UI.Skins version : 2012.1.411.40
Telerik.Web.Design version : 2012.1.411.40

Thank you,
dogu

First exception:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 06.05.2014 08:48:24
Event time (UTC): 06.05.2014 05:48:24
Event ID: e2f92e7b72fb4fedbeacc2af4c66ffc3
Event sequence: 5897
Event occurrence: 4
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1/ROOT-1-130438116095242020
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\
    Machine name: xxx
 
Process information:
    Process ID: 9652
    Process name: w3wp.exe
    Account name: IIS APPPOOL\ASP.NET v4.0 DefaultAppPool
 
Exception information:
    Exception type: HttpException
    Exception message: A potentially dangerous Request.Path value was detected from the client (&).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
 
Request information:
    Request URL: http://xxx/$$$&?&?$$$?cmd=get_file&arg=block_style.css&sid=2721D35AB490C1FAA14DC203E330729AE1AD88B7
    Request path: /$$$&?&?$$$
    User host address: 1.2.3.4
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: IIS APPPOOL\ASP.NET v4.0 DefaultAppPool
 
Thread information:
    Thread ID: 148
    Thread account name: IIS APPPOOL\ASP.NET v4.0 DefaultAppPool
    Is impersonating: False
    Stack trace:    at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Second Exception:
System.NullReferenceException: Object reference not set to an instance of an object.
   at Telerik.Web.UI.RadCompression.GetCompressionSettingAttribute()
   at Telerik.Web.UI.RadCompression.ShouldApplyOnPostback()
   at Telerik.Web.UI.RadCompression.ShouldExplicitlyAddContentEncoding()
   at Telerik.Web.UI.RadCompression.application_EndRequest(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

2 Answers, 1 is accepted

Marin Bratanov
Telerik team
answered on 08 May 2014, 12:44 PM

Hello Dogu,

Our code should not generate such requests. Our controls use webresources extensively, but their URLs are completely different and are generated by .NET.

What I can suggest at this point is the following:

  • remove RadCompression from the web.config
  • use the scripts and skins CDN to reduce the webresource requests as much as possible to see if they are causing this
  • look into firewall/proxy/other third party software that can truncate/change/block URLs
  • look for url rewriter modules that may be breaking requests
  • try the latest version of our suite (2014.1.403 at present)

I hope you will manage to find a fix for this situation.


Regards,

Marin Bratanov
Telerik
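
As a companion to the troubleshooting list above, the sketch below is an added example (not part of the original thread and not Telerik code). It parses ASP.NET "Event code: 3005" records like the one in the question, reports the first path character that request validation rejects, and counts rejected requests per client address. The sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Default <httpRuntime requestPathInvalidCharacters> in ASP.NET 4.x: <,>,*,%,&,:,\,?
INVALID_PATH_CHARS = set('<>*%&:\\?')

# Constructed sample: two trimmed event records; the first is modelled on the thread's log
SAMPLE_EVENTS = """\
Event code: 3005
    Request path: /$$$&?&?$$$
    User host address: 1.2.3.4
    Is authenticated: False
Event code: 3005
    Request path: /default.aspx
    User host address: 10.0.0.7
    Is authenticated: True
"""

FIELD = re.compile(
    r'^\s*(Request path|User host address|Is authenticated):[ \t]*(.*)$', re.M)

def parse_events(text):
    """Split a dump on 'Event code:' headers; return one dict of fields per event."""
    chunks = re.split(r'(?m)^Event code:', text)[1:]
    return [{k: v.strip() for k, v in FIELD.findall(c)} for c in chunks]

def first_invalid_char(path):
    """Return (index, char) of the first character validation rejects, else None."""
    for i, ch in enumerate(path):
        if ch in INVALID_PATH_CHARS:
            return i, ch
    return None

def triage(text):
    """Return the rejected requests and a per-client count of them."""
    rejected, by_client = [], Counter()
    for ev in parse_events(text):
        hit = first_invalid_char(ev.get('Request path', ''))
        if hit:
            rejected.append({**ev, 'index': hit[0], 'offending': hit[1]})
            by_client[ev.get('User host address', '?')] += 1
    return rejected, by_client

if __name__ == '__main__':
    rejected, by_client = triage(SAMPLE_EVENTS)
    for r in rejected:
        print(f"{r['User host address']} {r['Request path']!r} "
              f"rejected on {r['offending']!r} at index {r['index']}")
    print(dict(by_client))
```

Run over an export of the application event log, the per-client count shows whether the rejected paths come from a few addresses or from every user of the site, which helps decide which item in the list to pursue first.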
 

Dogu
answered on 08 May 2014, 02:34 PM
Thank you, Marin. It's very helpful.