ASP.NET web.config inheritance not working for setting MaxHttpCollectionKeys from MS11-100

After updating our systems with the recently released ASP.NET MS11-100 vulnerability patch, we found that some of our pages crashed with the exception "[HttpException (0x80004005): URL-encoded form data is invalid.]" This is described on the ASP.NET forums here:

http://forums.asp.net/t/1754512.aspx/1?Microsoft+security+bulletin+MS11+100+breaking+our+site

and on stackoverflow here:

ASP.NET MS11-100: how can I change the limit on the maximum number of posted form values?

I tried to limit the attack surface of the suggested change to a specific page by moving this page to its own folder, so that I could have a specific web.config file in that folder with the aspnet:MaxHttpCollectionKeys setting set to a value that exceeds the default value of 1000.

I found that if I did not specify this parameter in the web.config file in the root folder, this parameter did not take effect. It seemed that ASP.NET simply ignored the parameter when it was in the web.config in the new folder for the page.

Is there anything else I need to do to make this happen? Or is this not possible at all due to the nature of the setting?

+8
security web-config
2 answers

Based on my understanding of how this stuff works, I have some doubts that you can change these settings at the level of a folder's web.config. It seems that MaxHttpCollectionKeys is application-level, so to change the base value, you must create another application pool.

+4

I also tried putting this in a subfolder with no luck. As soon as I instead put it in the root web.config, it worked.

+1
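
A check for the situation described in the question and answers, as an added example that is not part of the original posts: it walks one application's folder tree and separates the aspnet:MaxHttpCollectionKeys value declared in the root web.config from declarations in subfolder web.config files, which the posts above report as having no effect. The function names, the BigForm folder and the value 5000 are constructed for illustration, and the scan root is assumed to be the application root.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

KEY = "aspnet:MaxHttpCollectionKeys"
DEFAULT_LIMIT = 1000  # default value stated in the question


def read_limit(config_path):
    """Return KEY's integer value from any <appSettings> in the file, else None."""
    try:
        doc = ET.parse(config_path).getroot()
    except (ET.ParseError, OSError):
        return None
    for section in doc.iter():
        if section.tag.rsplit("}", 1)[-1] != "appSettings":  # tolerate an xmlns
            continue
        for add in section:
            if add.get("key") == KEY and (add.get("value") or "").strip().isdigit():
                return int(add.get("value"))
    return None


def audit(app_root):
    """Return (root_limit, [(subfolder, value), ...]) for one application root."""
    root_limit, subfolder_hits = DEFAULT_LIMIT, []
    for folder, _dirs, files in os.walk(app_root):
        for name in (n for n in files if n.lower() == "web.config"):
            value = read_limit(os.path.join(folder, name))
            if value is not None and folder == app_root:
                root_limit = value  # the only place the posts report it working
            elif value is not None:
                subfolder_hits.append((os.path.relpath(folder, app_root), value))
    return root_limit, sorted(subfolder_hits)


def build_sample(base):
    """Constructed layout matching the question: key only in a page subfolder."""
    xml = "<configuration><appSettings>%s</appSettings></configuration>"
    os.makedirs(os.path.join(base, "BigForm"))
    with open(os.path.join(base, "web.config"), "w") as f:
        f.write(xml % "")
    with open(os.path.join(base, "BigForm", "web.config"), "w") as f:
        f.write(xml % ('<add key="%s" value="5000" />' % KEY))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Any entry in the second element of the result is a declaration to move to the root web.config or delete; the first element is the limit that applies to every page of the application, so it shows how far the raised limit actually reaches.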