Microsoft Security Bulletin MS11-100 – Critical – Issues and Fixes


Make sure your servers are up to date, but beware of the effects of the update. Microsoft released a critical .NET Framework update on Friday, December 30, 2011. It addresses the vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.

Windows Update may not install this update automatically. You have to download it for the appropriate version of .NET you wish to patch. It will also require you to update your server upon completion.

Also, before installing, check whether you have any applications that handle large amounts of form data, because this can pose a problem. The update automatically limits the number of items a form can contain. This is because the update added a new method called 'ThrowIfMaxHttpCollectionKeysExceeded', which enforces a limit with a default value of 1000. This means a form can only contain 1000 items upon postback. The fix is listed below.

TechNet Link: http://technet.microsoft.com/en-us/security/bulletin/ms11-100?qstr=CR_CC%3d20111229OOBCA&CR_ID=

Here are some of the known issues it addresses: http://support.microsoft.com/kb/2638420

I will be keeping this post updated with some of the issues I encounter from the update itself.

Issue #1:

Problem:

Some web forms throw an exception of this type:

Operation is not valid due to the current state of the object.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.InvalidOperationException: Operation is not valid due to the current state of the object.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[InvalidOperationException: Operation is not valid due to the current state of the object.]
System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()             +2692302
System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding) +61
System.Web.HttpRequest.FillInFormCollection() +148

[HttpException (0x80004005): The URL-encoded form data is not valid.]
System.Web.HttpRequest.FillInFormCollection() +206
System.Web.HttpRequest.get_Form() +68
System.Web.HttpRequest.get_HasForm() +8735447
System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
System.Web.UI.Page.DeterminePostBackMode() +63
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +133


Solution:
Add this code to your web.config file:

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
    <!-- Raises the form key limit from its default of 1000 -->
    <add key="aspnet:MaxHttpCollectionKeys" value="5000" />
  </appSettings>
</configuration>
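
A sizing check for the setting above, as an added example that is not part of the original post: it counts the distinct key names in a URL-encoded form body and compares the count with the aspnet:MaxHttpCollectionKeys value in a web.config. The function names, the constructed 950 x 20 grid, and the rule that the limit is compared with distinct, case-insensitive key names are assumptions of this example.

```powershell
# Added example (not from the original post). Assumption: the limit is compared
# with the number of distinct, case-insensitive key names in the form body.

function Get-FormKeyCount {
    param([string]$Body)
    $cmp   = [System.StringComparer]::OrdinalIgnoreCase
    $names = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($pair in $Body.Split('&')) {
        if ($pair.Length -eq 0) { continue }      # skip empty segments ("a=1&&b=2")
        $rawName = ($pair -split '=', 2)[0]       # name is everything before the first '='
        $name = [System.Uri]::UnescapeDataString($rawName.Replace('+', ' '))
        [void]$names.Add($name)
    }
    return $names.Count
}

function Get-MaxHttpCollectionKeys {
    param([string]$WebConfigXml)
    $doc = [xml]$WebConfigXml
    # local-name() keeps the query working with or without an xmlns on <configuration>
    $xpath = "//*[local-name()='appSettings']/*[local-name()='add']" +
             "[@key='aspnet:MaxHttpCollectionKeys']"
    $node = $doc.SelectSingleNode($xpath)
    if ($null -ne $node) { return [int]$node.GetAttribute('value').Trim() }
    return 1000                                   # default stated in the post
}

# Constructed sample: a grid of 950 rows x 20 fields, one form key per cell.
$cells = foreach ($r in 1..950) { foreach ($c in 1..20) { "grid_r${r}_c${c}=v" } }
$body  = $cells -join '&'

# Constructed web.config fragment using the setting from the post.
$config = @'
<configuration>
  <appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="9999" />
  </appSettings>
</configuration>
'@

$keys  = Get-FormKeyCount -Body $body
$limit = Get-MaxHttpCollectionKeys -WebConfigXml $config
[pscustomobject]@{ FormKeys = $keys; Limit = $limit; Fits = ($keys -le $limit) }
```

Size the value to the largest legitimate form the application produces rather than to an arbitrary large number, since the limit is part of the protection the update adds.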


About Art Hicks

I am a Business Owner/Applications Engineer who specializes in providing rich solutions to my clients and colleagues.

30 Responses to Microsoft Security Bulletin MS11-100 – Critical – Issues and Fixes

  1. janaka says:

    Thanks for the post. We were stranded with this error.

  2. jonathan says:

    A developer where I work had the same issue. In our case, the real issue is application design which allows an indeterminate number of form elements to be edited on a single page – it’s db driven so (X records) * (Y fields) = total form elements. Imagine the usability/scalability of a page this large. Obviously MS regards this type of traffic to look more like an attack than normal web application functionality.

    Regardless, thanks for doing the poking around to find the cause and workaround.

  3. William says:

    We too were having this issue but your solution did not correct it.

    We added the following to the appSettings and this fixed it for us.

    Thanks,

  4. William says:

    Sorry.. we added
    <add key="aspnet:MaxHttpCollectionKeys" value="5000" />

  5. So did you get it to work?

  6. Tom N. says:

    Art, thank you for documenting this. This seems to be widespread. We are working on cleaning up but the issue seems to be the “encoded form data is not valid”.
    If I change the webconfig to limit the maxRequestLength I get a different error saying the limit is exceeded. I changed the MaxHttpCollectionKeys like you showed above to a very small value to test before I tried in production. But I did not recreate the error in the opposite direction.
    Question is: Is there a way to test this if my test site does not have the large amount of data that my production has to throw this error?

    • Art Hicks says:

      It usually happens on a postback. So if you use, for example, a DataGrid with a lot of objects in it, and then an “itemcommand” postback event is invoked, such as edit, to do work in the code-behind, you should get the error without the workaround.

  7. karbonphyber says:

    Thanks Art & William.

    the original didn’t take effect though 😕
    however, the aspnet:Max…. works a treat!!

  8. Sharada says:

    Thanks so much!! We had the same issue and it worked like a charm!

  9. andy says:

    I would suggest changing the post to have the working solution. I chased my tail on this for hours before I found the aspnet: at the beginning was what was really needed.

  10. Ron says:

    Thank you for this fix. I also used add key="aspnet:MaxHttpCollectionKeys" value="5000".

  11. Mike says:

    I searched all over last night looking for a solution and finally happened upon this site. The add key="aspnet:MaxHttpCollectionKeys" worked GREAT! Thanks!

    • Art Hicks says:

      No problem. I ran into this problem instantly after updating our servers, and some of our clients' higher-demand applications were running into this issue. Glad that I could help. 🙂

  12. Sanjay Patel says:

    it’s working fine 🙂

  13. shairag says:

    I have a grid with 950 rows and each row containing 20 fields in it. So putting even 9999 value is also not working for me. Is there a limitation for the max value? This grid is dynamically created. So when I have less rows it is working but for the above situation it is not working. So want to know how much maximum that I can put this value.

  14. junaidameen says:

    We also faced the same issue for one application which is running under .NET Framework 1.1. The fix for this issue is below:

    1) Open RegEdit on the server.

    2) Navigate to the: HKEY_LOCAL_MACHINE\Software\Microsoft\ASP.NET\1.1.4322.0\

    3) Right-click the node and create a new DWORD.

    4) Name the DWORD key MaxHttpCollectionKeys

    5) Set the value by double-clicking on the new key and entering the desired maximum value (e.g.: 5000). Be sure to select Decimal as the number format here before entering your value.

    6) Re-start IIS. Open a command prompt and type “IISReset” and press enter.

    7) Test the affected page or site again and verify that the issue is resolved.

    • Y Moss says:

      New problem for me and don’t know why it is happening. I am using windows 64 bit versions 2.0.50727.0 are there different instructions to follow?

  15. Ray Storm says:

    Amazing.. It has worked for me. Thank you for the info.

  16. vasujoe says:

    I have a web form where the controls on my form are created dynamically. setting a static value for aspnet:MaxHttpCollectionKey doesn’t work for me. can I set its value to maximum? or is there any way that my application should not check for this exception.

  17. shairag says:

    vasujoe, please send me an email, if you find something

  18. Bill says:

    This helped solve an issue we had in production. Thank you very much for the help.

  19. Sean. Y says:

    It makes sense. I started seeing this error after I installed the .net 3.5 SP1. Previously my users were not getting this error. Now I added this entry to my web.config file and it seems to be working fine.

  20. Thao says:

    Thank you, this worked for us, saved me a lot of time! Our error started off with “The URL-encoded form data is not valid.” whenever we submitted on the Permissions page of our DotNetNuke events module but none of the other modules had the error, so it was even more baffling. This makes sense, the Events module had large amounts of form data compared to the other smaller modules, so when I put in the fix to the web.config, the error went away.

  21. Y Moss says:

    I am using windows 64 bit so should I create a new Qword?

  22. fareeth says:

    Excellent, it works. This post really helped me resolve the issue quickly

  23. UnfifiniJaita says:

    Very well written post. It will be supportive to anybody who uses it, as well as me. Keep up the good work – for sure I will check out more posts.

  24. Gift Jabu Hlongoane says:

    Thanks, this was very helpful.
