An ASP.NET request that has lots of form keys, files, or JSON payload members fails with an exception

Article translations Article translations
Article ID: 2661403 - View products that this article applies to.
Expand all | Collapse all

Summary

Microsoft security update MS11-100 limits the maximum number of form keys, files, and JSON members to 1000 in an HTTP request. Because of this change, ASP.NET applications reject requests that have more than 1000 of these elements. HTTP clients that make these kinds of requests will be denied, and an error message will appear in the web browser. The error message will usually have an HTTP 500 status code. This new limit can be configured on a per-application basis. Please see the "Resolution" section for configuration instructions.


Symptoms

ASP.NET requests that have lots of form keys, files, or JSON payload receive an error response from the server. The Application log on the server has a Warning entry with a Source that is a specific version of ASP.NET, and an Event ID of 1309. The event log contains one of the following messages:


Message 1:
Application information:
Application domain: /LM/W3SVC/1/ROOT/<App Domain>
Trust level: Medium
Application Virtual Path: <VDIR Path>
Application Path: <App Path>
Machine name: <Machine Name>
Process information:
Process ID: 0001
Process name: w3wp.exe
Account name: IIS APPPOOL\DefaultAppPool

Exception information:
Exception type: HttpException
Exception message: The URL-encoded form data is not valid.
at System.Web.HttpRequest.FillInFormCollection()
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)


Message 2:
Application information:
Application domain: /LM/W3SVC/1/ROOT/<App Domain>
Trust level: Medium
Application Virtual Path: <VDIR Path>
Application Path: <App Path>
Machine name: <Machine Name>

Process information:
Process ID: 0001
Process name: w3wp.exe
Account name: IIS APPPOOL\DefaultAppPool

Exception information:
Exception type: InvalidOperationException
Exception message: Operation is not valid due to the current state of the object.
at System.Web.HttpRequest.FillInFilesCollection()
at System.Web.HttpRequest.get_Files()
at FileUpload.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint

Message 3:
Application information:
Application domain: /LM/W3SVC/1/ROOT/<App Domain>
Trust level: Medium
Application Virtual Path: <VDIR Path>
Application Path: <App Path>
Machine name: <Machine Name>

Process information:
Process ID: 0001
Process name: w3wp.exe
Account name: IIS APPPOOL\DefaultAppPool

Exception information:
Exception type: InvalidOperationException
Exception message: Operation is not valid due to the current state of the object.
at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth)
at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth)
at System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer)
at System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit)
at System.Web.Script.Serialization.JavaScriptSerializer.DeserializeObject(String input)
at Failing.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)


The IIS log file shows an entry that resembles the following:
2011-01-01 00:00:00 ::1 POST /machine/default.aspx - 80 - ::1 - 500 0 0 187




Cause

The Microsoft security update that security bulletin MS11-100 addresses changes the default maximum number of form keys, files, and JSON members that ASP.NET will accept in a request to 1,000. This change was made to address the Denial of Service vulnerability that the Microsoft security bulletin MS11-100 documents.


Resolution

Applications that reach this limit for form keys or files can modify the ASP.NET appSetting aspnet:MaxHttpCollectionKeys, as shown below in an ASP.NET application’s configuration file. This setting addresses error message 1 and error message 2 from the "Symptoms" section.
<configuration>
<appSettings>
<add key="aspnet:MaxHttpCollectionKeys" value="1000" />
</appSettings>
</configuration>


Note If you are using ASP.NET 1.1 on an x86-based system, the setting is adjusted by adding a DWORD value to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\1.1.4322.0\MaxHttpCollectionKeys
If you are using ASP.NET 1.1 on an x64-based system, the setting is adjusted by adding a DWORD value to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\1.1.4322.0\MaxHttpCollectionKeys



Applications that hit this limit for JSON payloads can modify the ASP.NET appSetting aspnet:MaxJsonDeserializerMembers, as shown below in an ASP.NET application’s configuration file. This setting addresses error message 3 from the "Symptoms" section.
<configuration>
<appSettings>
<add key="aspnet:MaxJsonDeserializerMembers" value="1000" />
</appSettings>
</configuration>



Note Increasing this value above the default setting increases the susceptibility of your server to the Denial of Service vulnerability that is discussed in security bulletin MS11-100.


References

For more information about security bulletin MS11-100, see the following TechNet article:
Microsoft Security Bulletin MS11-100 - Critical
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2638420 MS11-100: Vulnerability in the .NET Framework could allow elevation of privilege: December 29, 2011

Properties

Article ID: 2661403 - Last Review: November 22, 2012 - Revision: 6.0
Applies to
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 2.0 Service Pack 1 (x86)
  • Microsoft .NET Framework 2.0
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.0
  • Windows 7 Service Pack 1, when used with:
    • Windows 7 Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
    • Windows 7 Home Premium
    • Windows 7 Home Basic
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows 7 Home Premium
  • Windows 7 Home Basic
  • Windows Server 2008 R2 Service Pack 1, when used with:
    • Windows Server 2008 R2 Standard
    • Windows Server 2008 R2 Enterprise
    • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 Service Pack 2, when used with:
    • Windows Server 2008 for Itanium-Based Systems
    • Windows Server 2008 Datacenter
    • Windows Server 2008 Enterprise
    • Windows Server 2008 Standard
    • Windows Web Server 2008
  • Windows Vista Service Pack 2, when used with:
    • Windows Vista Business
    • Windows Vista Enterprise
    • Windows Vista Home Basic
    • Windows Vista Home Premium
    • Windows Vista Starter
    • Windows Vista Ultimate
    • Windows Vista Enterprise 64-bit Edition
    • Windows Vista Home Basic 64-bit Edition
    • Windows Vista Home Premium 64-bit Edition
    • Windows Vista Ultimate 64-bit Edition
    • Windows Vista Business 64-bit Edition
  • Microsoft Windows Server 2003 Service Pack 2, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
    • Microsoft Windows Server 2003, Web Edition
    • Microsoft Windows Server 2003, Datacenter x64 Edition
    • Microsoft Windows Server 2003, Enterprise x64 Edition
    • Microsoft Windows Server 2003, Standard x64 Edition
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
    • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Service Pack 3, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Keywords: 
atdownload kbbug kbexpertiseinter kbfix kbsecbulletin kbsecurity kbsecvulnerability KB2661403

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com