HTTP module to check for canonicalization issues with ASP.NET (887289)



The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.0)
  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 SP1
  • Microsoft .NET Framework 1.0 SP2
  • Microsoft .NET Framework 1.0 SP3
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.1 Service Pack 1 (SP1)
  • Microsoft .NET Framework SDK 1.0
  • Microsoft .NET Framework SDK 1.0 SP1
  • Microsoft .NET Framework SDK 1.0 SP2

SUMMARY

To aid customers in protecting their ASP.NET applications, Microsoft has made available an HTTP module that implements canonicalization best practices. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

887459 Programmatically check for canonicalization issues with ASP.NET

For additional information about how to determine the version of ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:

318785 Determine whether service packs are installed on the .NET Framework

For more information about canonicalization issues with ASP.NET, visit the following Microsoft Web site:

SYMPTOMS

When a Web server receives a URL, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. Unhandled canonicalization issues can lead to unexpected results. For more information about canonicalization, visit the following Microsoft Web site:

RESOLUTION

Microsoft.Web.ValidatePathModule.dll - HTTP module

Download information

The following file is available for download from the Microsoft Download Center:

Download the VPModule.msi package now.

Release Date: October 7, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

The VPModule.msi file is designed for the 32-bit Microsoft .NET Framework.

Before you install the VPModule.msi file, back up all the instances of the Machine.config file on your computer. To create a backup copy of the Machine.config file, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. Locate every version of the Machine.config file. The Machine.config file or files are located in the following folder, where <framework version number> is the version of the Microsoft .NET Framework that you have installed:

    %windir%\Microsoft.NET\Framework\<framework version number>\CONFIG

    For example, if the .NET Framework 1.1 is installed on drive C, type the following command, and then press ENTER:

    cd /d %windir%\microsoft.net\framework\v1.1.4322\config

  3. Type the following command to create a backup copy of the Machine.config file, and then press ENTER:

    copy machine.config machine.config.bak

Repeat these steps for each instance of the .NET Framework that is installed on your system.

Installation information

Microsoft has released an installation package that is named VPModule.msi. The VPModule.msi file installs the Microsoft.Web.ValidatePathModule.dll file on your system. The installation updates the Machine.config file or files with a new HTTP module entry on all installed versions of .NET Framework.

To use the installation package, download the VPModule.msi file, double-click the package to begin installation, and then follow the installation instructions.

What the VPModule.msi does

The installer first extracts a file that is named Microsoft.Web.ValidatePathModule.dll. The installer then updates all the Machine.config files that exist on the system so that the files have an entry that looks like the following:
    <system.web>
        <httpModules>
            <add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/>
        </httpModules>
    </system.web>
The installer then adds the Microsoft.Web.ValidatePathModule.dll file to the Global Assembly Cache (GAC).

For developers who want to understand what the Microsoft.Web.ValidatePathModule.dll file does programmatically, the source code is available below:
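using System;
using System.IO;
using System.Web;

namespace Microsoft.Web {
    // HTTP module that rejects requests whose path is not in canonical form.
    public class ValidatePathModule : IHttpModule {
        public ValidatePathModule() {
        }
        // Hook BeginRequest so that the check runs at the start of request processing.
        void IHttpModule.Init(HttpApplication app) {
            app.BeginRequest += new EventHandler(this.OnBeginRequest);
        }
        void IHttpModule.Dispose() {
        }
        void OnBeginRequest(Object source, EventArgs eventArgs) {
            HttpRequest request = (source as HttpApplication).Request;
            string physicalPath = request.PhysicalPath;
            // Reject the request if the URL path contains a backslash, or if the
            // mapped physical path differs from its fully qualified form.
            if (request.Path.IndexOf('\\') >= 0 || Path.GetFullPath(physicalPath) != physicalPath) {
                throw new HttpException(404, "Not Found");
            }
        }
    }
}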
For information about command-line switches that you can use to install the module, visit the following Microsoft Web site:

Installation verification information

When the module is installed correctly, the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30EFFF0C-573D-46FB-8AD5-00887289261A}

Note This registry key does not exist on the system if you manually install the HTTP module as described in the "Custom installation information" section. The /a option only extracts files. It does not update the registry.

Removal information

To remove these changes, run the VPModule.msi file and select the Remove option. Alternatively, use Add/Remove Programs in Control Panel.

Unattended information

Use the following command to install these changes in unattended mode:

msiexec /i vpmodule.msi /qb-

Use the following command to remove these changes in unattended mode:

msiexec /x vpmodule.msi /qb-

Custom installation information

To manually install the HTTP module, follow these steps:
  1. Back up your Machine.config file or files. For more information about how to do this, see the "Prerequisites" section.
  2. Download the package. For more information about how to do this, see the "Download information" section.
  3. Use the following command to extract the Microsoft.Web.ValidatePathModule.dll file from the VPModule.msi file to a location of your choice:

    msiexec /a vpmodule.msi

  4. Use the following command to copy the module to the GAC:

    gacutil -i microsoft.web.validatepathmodule.dll

    Note The module is extracted to a folder that is named "Microsoft ValidatePath Module" and that is under the location that you specified.
  5. Edit the Machine.config file or files to add the following entry to the <httpModules> section:
    <add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/>
    

Known issues

The following are known issues:
  • The installer makes sure that the Machine.config file or files are successfully updated with a <httpModules> entry for the Microsoft.Web.ValidatePathModule.dll file. However, under certain circumstances, this may not stop the described behavior from occurring.

    This behavior could occur if a Web.config file exists, and the Web.config file clears the list that is defined at the Machine.config level. For example, an entry that resembles the following in a Web.config file may cause this behavior:
    <httpModules>
        <clear/>
    </httpModules>
    
    This configuration prevents the mitigation module from executing in this particular application. This configuration normally occurs when an application does not want to use the HTTP modules that are defined at the Machine.config level, but instead wants to clear the list and then define a new list that is specific to the current application.
  • If you install a different version of the .NET Framework, you must uninstall and then reinstall the VPModule.msi file.
  • For additional information about issues with SQL Server Reporting Services and VPModule.msi, click the following article number to view the article in the Microsoft Knowledge Base:

    887787 You may receive error messages from Reporting Services after you install the ASP.NET ValidatePath Module
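
The override described in the first known issue can be checked offline. The following is an added example, not Microsoft's code and not the VPModuleScanner.js script: it models how `<add>`, `<remove>` and `<clear/>` at each configuration level change the inherited module list, and reports whether ValidatePathModule is still registered. The function names and sample configuration strings are constructed for illustration, and only the top-level `<system.web>` section is examined (`<location>` blocks are not).

```python
import xml.etree.ElementTree as ET

MODULE = "ValidatePathModule"  # name used in the article's <add> entry

def apply_http_modules(inherited, config_xml):
    """Apply one config file's <httpModules> section to the inherited list."""
    modules = list(inherited)
    section = ET.fromstring(config_xml).find("system.web/httpModules")
    if section is None:
        return modules  # this level does not override the module list
    for el in section:
        name = el.get("name")
        if el.tag == "clear":
            modules = []  # drops everything inherited from Machine.config
        elif el.tag == "remove":
            modules = [m for m in modules if m != name]
        elif el.tag == "add":
            # Simplification (assumption): a repeated name replaces the earlier entry.
            modules = [m for m in modules if m != name] + [name]
    return modules

def module_active(machine_config, *web_configs):
    """True if ValidatePathModule survives every config level, outermost first."""
    modules = []
    for cfg in (machine_config,) + web_configs:
        modules = apply_http_modules(modules, cfg)
    return MODULE in modules

# Constructed sample configuration files (not taken from a real system).
VP_ADD = ('<add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, '
          'Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, '
          'PublicKeyToken=eba19824f86fdadd"/>')
WRAP = "<configuration><system.web>%s</system.web></configuration>"
MACHINE = WRAP % ("<httpModules>" + VP_ADD + "</httpModules>")
WEB_PLAIN = WRAP % '<compilation debug="false"/>'
WEB_CLEARS = WRAP % ('<httpModules><clear/>'
                     '<add name="AppModule" type="App.Module, App"/></httpModules>')
WEB_READDS = WRAP % ("<httpModules><clear/>" + VP_ADD + "</httpModules>")
WEB_REMOVES = WRAP % '<httpModules><remove name="ValidatePathModule"/></httpModules>'

if __name__ == "__main__":
    for label, web in [("no override", WEB_PLAIN), ("clear", WEB_CLEARS),
                       ("clear then re-add", WEB_READDS), ("remove", WEB_REMOVES)]:
        print("%-18s module active: %s" % (label, module_active(MACHINE, web)))
```

To audit a real application, pass the contents of Machine.config followed by each Web.config on the application's directory chain, outermost first.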

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

887405 How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

887404 How to use Systems Management Server 2003 to deploy the ValidatePath module

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

887290 How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)

For more information about session states, visit the following Microsoft Web site:

Modification Type: Minor
Last Reviewed: 10/15/2004
Keywords: kbSecurity kbtshoot KB887289