Snitz Forums 2000
DEV Discussions (General)
Possible Enhancement

Podge
Support Moderator

Ireland
3775 Posts

Posted - 20 September 2005 : 17:15:06
Not sure if I should have posted this on the main forum or not so I thought I would post it here first and then move it if necessary.

I'm pretty sure that this line brought down one of my servers twice.


if request("ARCHIVE") = "true" then             ' <-- this line here
	strActivePrefix = strTablePrefix & "A_"
	ArchiveView = "true"
else
	strActivePrefix = strTablePrefix
	ArchiveView = ""
end if


Should it not be - if request.QueryString("ARCHIVE") = "true" then

I have about five instances of this in the event logs:
Error: File /post_info.asp Line 46 Operation not Allowed. .

Then this
Faulting application w3wp.exe, version 6.0.3790.1830, faulting module unknown, version 0.0.0.0, fault address 0x00000103.

Then finally this
ISAPI 'C:\WINDOWS\system32\inetsrv\asp.dll' reported itself as unhealthy for the following reason: 'ASP unhealthy because 100% of executing requests are hung and 0% of the request queue is full.'.

If the QueryString method is left out it appears that a malicious user could send any type of object to post_info.asp named "ARCHIVE" like a huge binary file, etc. which the server would accept.

What do you guys think?


Podge.

The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)

My Mods: CAPTCHA Mod | GateKeeper Mod
Tutorial: Enable subscriptions on your board

Warning: The post above or below may contain nuts.

Edited by - Podge on 21 September 2005 08:01:39

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 20 September 2005 : 17:42:35
Both syntaxes are legal AFAIK. If you do not specify the collection, you could get a degradation in performance, but in fact, when you do not specify the collection, QueryString is the first to be searched, so, in the specific case of a QueryString variable, maybe not even the performance degradation will occur.

As a standard coding procedure, however, I prefer to specify the collection.


Snitz 3.4 Readme | Like the support? Support Snitz too

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 20 September 2005 : 19:02:04
Actually no, it shouldn't be request.QueryString("ARCHIVE"); the value of ARCHIVE may come in the querystring or the form post, hence the reason it only specifies the request object.
quote:
If the QueryString method is left out it appears that a malicious user could send any type of object to post_info.asp named "ARCHIVE" like a huge binary file, etc. which the server would accept
Doesn't make any difference whether you specify the method or not; I can still post a binary string to it as long as I know which method it is.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 20 September 2005 : 19:10:53
I guess I won't find out exactly what happened until I go through the logs. Problem is that it's a gigabyte in size. Anyone know of a tool to search logs?

I think that the sub collection should be used at all times. Take this example in down.asp (this is not a security flaw, just an example):

mlev is stored in a cookie.
Request("mlev") is used in down.asp to decide whether to display the Admin Login link or not based on the value.
Clear your cookie or use another browser.
Add ?mlev=4 to the end of the URL in your address bar.
down.asp ignores the cookie value, takes the querystring value and displays the admin area login & password boxes to a normal user.

I know you could just go to admin_home.asp but that's not the point.


HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 20 September 2005 : 20:45:50
quote:
down.asp ignores the cookie value, takes the querystring value and displays the admin area login & password boxes to a normal user.
So what? You still need to login, so how is it a security risk? Making it say request.querystring("mlev") would make absolutely no difference to your scenario, and once again, down.asp can be called via the querystring or from a form post, so again it needs to check both methods. And what does it have to do with request("ARCHIVE") anyway?

Podge
Support Moderator

Ireland
3775 Posts

Posted - 21 September 2005 : 05:30:04
Request("mlev") was cited as an example not as a security risk.

I won't know what happened exactly until I can go through the logs.


Podge
Support Moderator

Ireland
3775 Posts

Posted - 21 September 2005 : 06:29:03
quote:
Actually no it shouldn't be request.QueryString("ARCHIVE") , the value of ARCHIVE may come in the querystring or the form post, hence the reason it only specifies the request object.


Then it should be

if Request.QueryString("ARCHIVE") = "true" or Request.Form("ARCHIVE") = "true" then


HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 21 September 2005 : 07:32:52
quote:
Then it should be

if Request.QueryString("ARCHIVE") = "true" or Request.Form("ARCHIVE") = "true" then

It does not matter; there is no security problem with this, and since querystring and form are the first two in the collection there is no real speed issue either, and it is less code to say request("ARCHIVE").

Edited by - HuwR on 21 September 2005 07:33:06

Podge
Support Moderator

Ireland
3775 Posts

Posted - 21 September 2005 : 07:59:45
Thanks HuwR for your input, I have changed the subject of this topic.

These are the reasons I would change it to the fully qualified sub collection.

1. Why would you want to have the system search for it when you can explicitly state where the collection is available (less work for the server)?

2. It's less readable and bad programming practice. It wouldn't be such a burden to do it properly.

Any idea what's happening in my first post? The server is using about 10% CPU on average and has about 1.5 GB free memory. I still believe it's more of an IIS issue and has little to do with Snitz.


HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 21 September 2005 : 09:26:39
quote:
1. Why would you want to have the system search for it when you can explicitly state where the collection is available (less work for the server)
As I pointed out above, it is not; both examples you cite could be in either the querystring or the form collection, so request("member") is both neater and less code than using request.querystring("member") or request.form("member"), and in this instance will not be any slower or quicker.
quote:
2. Its less readable and bad programming practice. It wouldn't be such a burden to do it properly.
Again, for the same reasons I disagree; who says it is "bad" programming practice?
quote:
Any idea whats happening in my first post? The server is using about 10% cpu on average and have about 1.5 GB free memory. I still believe its more of an IIS issue and has little to do with Snitz.
In my own experience dealing with ASP & IIS, the errors you are getting are a consequence of ASP having crashed rather than the actual cause. The biggest culprit for crapping out ASP is Access databases, I'm afraid; ADO has many memory leaks and the Jet drivers are one of the worst culprits for clogging up a web server.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 21 September 2005 : 12:00:31
I understand your point of view HuwR, mine just differs from yours.

Microsoft strongly recommend specifying the sub collection here -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/9768ecfe-8280-4407-b9c0-844f75508752.asp

quote:
It is strongly recommended that when referring to members of a collection the full name be used. For example, rather than Request("AUTH_USER") use Request.ServerVariables("AUTH_USER"). This allows the server to locate the item more quickly.


quote:
biggest culprit for crapping out asp is Access databases i'm afraid

The SQL OLEDB provider is the only database driver being used.


HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 21 September 2005 : 12:44:38
quote:
Originally posted by Podge

I understand your point of view HuwR, mine just differs from yours.

Microsoft strongly recommend specifying the sub collection here -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/9768ecfe-8280-4407-b9c0-844f75508752.asp

quote:
It is strongly recommended that when referring to members of a collection the full name be used. For example, rather than Request("AUTH_USER") use Request.ServerVariables("AUTH_USER"). This allows the server to locate the item more quickly.

I'm afraid you picked a bad example. It is quicker here because AUTH_USER is in the ServerVariables collection, which means that it will have to parse through querystring and the form before getting to ServerVariables, so obviously it is quicker. However, in the two instances you quote from Snitz, we want to get the value either from the querystring or the form, so there is NO difference in the speed at which it retrieves the value if you use request("myvalue") or if you use (request.querystring("myvalue") or request.form("myvalue")). In fact, if the value is in the querystring then just using request("myvalue") will actually be faster, since it doesn't check the form collection, which you do when having to use the querystring OR form method.
quote:
biggest culprit for crapping out asp is Access databases I'm afraid

The sql oledb provider is the only database driver being used.


Then it could be anything, and maybe nothing. I have had sites that persistently caused IIS to crash, but when moved to another pretty identical server behaved perfectly happily. ASP & IIS is a bit of a hit and miss affair in general, I'm afraid.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 21 September 2005 : 12:57:49
And just because MS recommends you do something one way does not make it "bad" to do it another.

Podge
Support Moderator

Ireland
3775 Posts

Posted - 21 September 2005 : 13:30:08
Using the mlev example in down.asp will the code not check all 5 collections if mlev is not present as a querystring or as a cookie (as will be the case for most users viewing down.asp)?

If you explicitly state request.querystring and request.cookies it will only check two collections.


HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 21 September 2005 : 13:43:19
Yes, it will check them all, but since this is down.asp performance is not really an issue.

mlev is not stored in your cookie, by the way.
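To make the lookup-order argument in this thread concrete (Podge's down.asp mlev walkthrough and HuwR's point that an unqualified Request("name") scans every collection on a miss), here is a small Python model added for illustration; it is not Snitz code and not the real ASP runtime. The Request class, SEARCH_ORDER and admin_login_shown are assumptions that mimic the documented Classic ASP search order, and the mlev scenario treats the cookie as the intended source, as in Podge's example.

```python
# Added illustration: how Classic ASP resolves Request("name") with no collection
# named. The order below is the documented one (QueryString first, ServerVariables
# last); the class and function names here are assumptions for this model.
SEARCH_ORDER = ("QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables")


class Request:
    """Stand-in for the ASP Request object holding its five named collections."""

    def __init__(self, **collections):
        # Each collection is a dict of name -> value; collections not given are empty.
        self.collections = {name: dict(collections.get(name, {})) for name in SEARCH_ORDER}

    def unqualified(self, name):
        """Request("name"): the first collection holding the name wins.

        Returns (value, number_of_collections_scanned); a miss returns "" only
        after all five collections have been checked.
        """
        for scanned, coll in enumerate(SEARCH_ORDER, start=1):
            if name in self.collections[coll]:
                return self.collections[coll][name], scanned
        return "", len(SEARCH_ORDER)

    def qualified(self, name, *colls):
        """Request.Coll("name") for each collection listed, tried in that order."""
        for scanned, coll in enumerate(colls, start=1):
            if name in self.collections[coll]:
                return self.collections[coll][name], scanned
        return "", len(colls)


def admin_login_shown(req, explicit):
    """down.asp-style decision from Podge's scenario (constructed): the cookie is
    the intended source of mlev, and level 4 shows the admin login box."""
    value, _ = req.qualified("mlev", "Cookies") if explicit else req.unqualified("mlev")
    return value == "4"


if __name__ == "__main__":
    # Constructed request: the user's cookie says mlev=1, but the URL carries ?mlev=4.
    req = Request(QueryString={"mlev": "4"}, Cookies={"mlev": "1"})
    print('Request("mlev")         ->', req.unqualified("mlev"))           # ('4', 1)
    print('Request.Cookies("mlev") ->', req.qualified("mlev", "Cookies"))  # ('1', 1)
    # With no mlev anywhere, the unqualified form scans every collection.
    print("miss, unqualified       ->", Request().unqualified("mlev"))     # ('', 5)
```

The querystring value shadows the cookie in the unqualified lookup, and a miss costs five scans versus two for an explicit QueryString/Form check, which is the trade-off both sides of the thread are describing.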

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 21 September 2005 : 13:56:11
In any case, I can't see that this would be the cause of your crashing. It is just going to take a fraction of a second longer to parse the request object, to get a value or the entire object if a value does not exist; it isn't doing anything that would cause it to crash.
Snitz Forums 2000 © 2000-2021 Snitz™ Communications