A dangerous bug: Bad characters in request caused endless loop

Anonymous
 
Posted on Thursday, November 17, 2005 - 07:50 am:   

Hi Bryce,
Looks like I found a dangerous bug: with the following request, your 2-way SMS engine gets stuck in an endless loop:
[SMS-IN]
ModemName=SMPP - xxx.xxx.xxx.xxx:xxxx
Sender=+xxxxxxxxxxx
PhoneNumber=+xxx
Data=<a>
Binary=0
ReceiptRequested=Yes
Furthermore, the SMSDEBUG.LOG and the IIS log will soon flood the whole hard disk. Here is what the SMSDEBUG.LOG says:
...
[HttpRequestValidationException]: A potentially dangerous Request.QueryString value was detected from the client (SMSPrefix=&quot;&lt;a&gt;&quot;).
at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
at System.Web.HttpRequest.get_QueryString()
at System.Web.UI.Page.GetCollectionBasedOnMethod()
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain()
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
...
Interesting that with the request string of
...
Data=<>
...
it will be fine.
Please advise!
Thank you and BR
Levi
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 5321
Registered: 10-2002
Posted on Friday, December 02, 2005 - 08:15 pm:   

Hi Levi,

Apologies for not replying to this earlier.

But I do have to explain that the errors that you see in the SMSDEBUG.LOG are coming from the 2-way command that you have generated.

It might look like a dump coming from NowSMS, but it's not ... it's the HTTP response from your 2-way command. (It looks like a Java exception report, and NowSMS is not written in Java.)

What is likely happening is that the script that is handling your 2-way command has a bug in it.

This particular request causes the script to crash, and it returns an error response with this content.

The looping occurs because if NowSMS encounters an error in an HTTP response, it assumes that there is a temporary error in the web server that is running the 2-way script, so it retries.

But basically, it looks like there is an error in the 2-way script that you are executing which needs to be fixed.

-bn
Levi
New member
Username: Levi

Post Number: 4
Registered: 12-2003
Posted on Tuesday, December 06, 2005 - 05:41 am:   

Hi Bryce,
I'm glad that you are back - I thought that the topic was abandoned.
My 2-way command handler was written in ASP.NET and there is nothing to do with it. I debugged it and it is clear that the ASP.NET page never got called. It is sure that something happened when NowSMS was trying to invoke the command. Just use a fake aspx page - any will do - and put in a wrong request like <a> - you will get the bug. I'm using IIS under Win server 2003.
Here is my 2-way command:
http://localhost/SMSPullRequestHandler/Fake.aspx?ReceiveNo=@@RECIP@@&RequesterNo=@@SENDER@@&SMSPrefix=@@SMSPREFIX@@&SMS=@@SMS@@
I attached the debug file here so you can trace the bug.
Please help - It is really dangerous!
Thanks and BR
Levi
Attachment: SMSDEBUG.LOG (12.8 k)
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 5395
Registered: 10-2002
Posted on Tuesday, December 20, 2005 - 07:53 pm:   

Hi Levi,

I'm still here, just currently overwhelmed by the volumes of support queries as we prepare a major new release.

Regarding this issue, I'm sorry, but I don't know what to tell you.

The request may not be reaching your script, but your web server is rejecting the request ... and generating the error message that you see in the SMSDEBUG.LOG.

NowSMS is simply retrying the request, because the web server is returning an error. It looks like the web server does not like "<" and ">" characters to appear in a query string.

I'm not sure what we could or should do about this.

I suppose we should add retry logic to stop retrying 2-way commands if we get repeated errors from the server.

I did a web search to locate this particular error, and basically, my suggestion would be that you should disable ASP.Net request validation, so that the presence of "<" and ">" will not cause the request to be rejected. (ASP.Net blocks these characters for good reason, but seeing as your script is not being used for generating a web page, but for a 2-way command, you should be fine.)

I'm not an ASP.Net expert, but based upon a link that I found in my search, I believe you need to either add a ValidateRequest attribute to the page or in the web.config.

By default ValidateRequest is set to true to ensure secure code. Validation can occur at a page level, for example:

<%@ Page ... validateRequest="false" %>

Or by default in the web.config:

<system.web>
<pages validateRequest="false" />
</system.web>

Here is a link with some more details on ASP.Net request validation:

http://www.asp.net/faq/RequestValidation.aspx?tabindex=0&tabid=1


-bn
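Added example (not part of the original thread and not NowSMS code): a sketch of the retry cap suggested in the post above, so that a message the web server always rejects is quarantined instead of being retried until the logs fill the disk. `TwoWayDispatcher` and `fake_web_server` are hypothetical names, and the `DANGEROUS` pattern is a simplified stand-in for ASP.NET request validation, included only to show why `<a>` is rejected while `<>` passes.

```python
import re
import time

# Simplified stand-in for ASP.NET request validation (assumption): "<" followed
# by a letter, "!", "/" or "?", or the sequence "&#", is rejected.
DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")

def fake_web_server(sms_text):
    """Constructed test double for the server behind the 2-way command URL."""
    if DANGEROUS.search(sms_text):
        return 500, "HttpRequestValidationException"
    return 200, "OK"

class TwoWayDispatcher:
    """Hypothetical dispatcher: bounded retries with backoff, then quarantine."""

    def __init__(self, send, max_attempts=5, base_delay=1.0, sleep=time.sleep):
        self.send = send
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.sleep = sleep
        self.delivered = []
        self.quarantined = []  # (message, last_error) kept for an operator
        self.log_lines = 0     # stands in for SMSDEBUG.LOG growth

    def dispatch(self, sms_text):
        """Return the attempt number that succeeded, or None if quarantined."""
        last_error = None
        for attempt in range(1, self.max_attempts + 1):
            status, body = self.send(sms_text)
            if status == 200:
                self.delivered.append(sms_text)
                return attempt
            last_error = f"{status} {body}"
            self.log_lines += 1  # one line per failure, so growth is bounded
            if attempt < self.max_attempts:
                self.sleep(self.base_delay * 2 ** (attempt - 1))
        # The same message failed every time: treat it as poison, stop retrying.
        self.quarantined.append((sms_text, last_error))
        return None

if __name__ == "__main__":
    d = TwoWayDispatcher(fake_web_server, sleep=lambda s: None)
    for text in ["<>", "<a>"]:  # the two Data= values from the thread
        print(repr(text), "->", d.dispatch(text))
    print("quarantined:", d.quarantined, "log lines:", d.log_lines)
```

A transient failure (a server that recovers after a couple of attempts) is still delivered, while a request that is rejected every time costs at most `max_attempts` log lines.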
Levi
New member
Username: Levi

Post Number: 5
Registered: 12-2003
Posted on Wednesday, December 21, 2005 - 09:48 am:   

Hi Bryce,
That is what I call nice support! I was trying to solve the problem by writing a Monitor app which constantly watches the SMS-IN for bad requests and removes them. But your solution is the ultimate one.
Once again many thanks and Merry XMas!
BR Levi