IIS Crash

Feb 27, 2008 at 2:57 PM
Hello,
it worked properly for 2 days, then I installed the latest version from February and I got the following error:

Faulting application w3wp.exe, version 6.0.3790.3959, faulting module ISAPIClipSQLInjection.dll, version 0.0.0.0, fault address 0x00002b65

I also have a question: does it generate a log similar to URLScan?

Thanks

Vittorio
Coordinator
Mar 2, 2008 at 8:10 PM
Hi Vittorio,


I have never seen this error. Probably it has something to do with the installation of the new version. Try to do the following:

1. Install the previous version.
2. Install the new version in another destination (i.e. another folder).
3. Stop IIS if it is running.
4. Copy the new DLL over the old one.
5. Follow the video instruction and see if the command line test application is working.
6. Point to the appropriate folder.

From what you mentioned, it seems the Boost DLLs are not in the right spot. Testing with the command line application can help assure you of this.

Let me know if you have any further problem.

Thanks,

Rodney
Mar 4, 2008 at 8:05 AM
Hi Rodney,
I followed your instructions but IIS crashed again... I also tested with the command line application but it worked like a charm!
Have you got any other suggestion?
Thanks

Vittorio
Coordinator
Mar 5, 2008 at 3:48 PM
Hi Vittorio,

I would be more than happy to debug this situation. If you can send me an application that can replicate the error you are facing, I would appreciate it. Please don't send me your full application with your business rules and company secrets. I just want something to replicate the error while debugging.

Thanks,

Rodney
Mar 10, 2008 at 5:51 PM
Hi Rodney,
unfortunately I can't send you the application since my customer didn't sign a Non Disclosure Agreement.
Since I'm very interested in your ISAPI Filter, I'll test soon with other web applications and I'll let you know.
If you want to get more details, contact me by e-mail.
Regards

Vittorio
Apr 23, 2008 at 7:15 PM
Hi,

I just wanted to chime in on this. I downloaded the View State app and installed it in IIS 6. Followed all steps for set up but when I try to run the test app I get the same error. Uninstalled this version, installed the older dll and was able to get the test pages and exe to run fine. Copied over the newer dll as you suggested and the test exe runs fine but the test asp pages stop working again and crash IIS.

BTW I did install the C++ runtime beforehand as suggested. Also did at 2 reboots and many IIS restarts.

Thanks,

Dave
Apr 24, 2008 at 12:43 AM
As a follow up to this:

I was able to download the source code, get it all set up on my development machine to build and once I did rebuild it, it worked great. So there must be some environment piece that we were missing that it replaced with what we had.

Thanks for your work on this.

Dave
Coordinator
Apr 27, 2008 at 8:57 AM
Hi Dave,

Thanks for your feedback. I will review my installation project and try to test it in a clean virtual machine. I am really glad you have solved your problem.

Thanks,

Rodney
May 12, 2008 at 9:27 AM
I have the same problem: the ASP only version worked a treat (great video tutorial by the way - thanks for that!) but then I realised that the .NET apps were not working - I should have read your site better, sorry - so I replaced the files in the installation folder with the ones from the updated msi file (I had to install on another machine and then FTP over as the control panel would not let me uninstall the older version) and performed an iisreset.

I then got the same error as in this thread. Any chance of an updated copy of the file, Rodney? I can see that Zamar / Dave managed to recompile and get it to work but I don't have the development environment set up here to do that... Perhaps you could email it to me Dave if you are feeling generous?

I have clients breathing down my neck today to get this working after an injection attack last week so I'm reluctant to remove the working ASP only version until the .NET version is working you know?

thanks guys, this filter is soooo helpful, keep up the good work.

glenn
Coordinator
May 14, 2008 at 5:58 AM
Hi Glenn,

Thanks for your feedback. I tested the install for ASP.NET and it seems something went wrong when I created the package.
 
I put together another installation package and it worked fine in my environment. Please download the new version 1.1 and let me know how it did. I would really appreciate your feedback either way.

Thanks,

Rodney

May 14, 2008 at 3:45 PM
Hey Rodney,

I've been following this thread since yesterday, and it works with your latest package. Thanks!

There's one thing that I'm not sure how to deal with. Here's the situation:

1. I got an ASP.NET application
2. I got a textbox
3. I type something legitimate like "Cris's very cool textbox. It's sooooo cool it's got sunglasses"
4. I have a button that makes a roundtrip to the server.
5. I press it. Now I got in my text box "Cris''s very cool textbox. It''s sooooo cool it''s got sunglasses"
6. I press it again and I get "Cris''''s very cool textbox. It''''s sooooo cool it''''s got sunglasses"
7. It's doubling the single quotes with each roundtrip to the server.

Not sure it's supposed to work like this.... any suggestions?
Coordinator
May 14, 2008 at 7:40 PM
Hi Cris,

I am afraid you have to handle these cases in the code. I had a similar problem with the client I first wrote this ISAPI for. In this case I just changed the code to "restore" double ('') single-quotes before resending the page (and after concatenating the SQL query). I repeat your question: do you have any better suggestion?

Thanks,

Rodney
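
The quote doubling reported above and the "restore" step described in the reply, modelled as an added example that is not part of the thread and is not the filter's own code. It assumes the filter doubles every single quote in a request parameter, as the observed behaviour suggests; the `notes` table, the in-memory SQLite database and all function names are hypothetical.

```python
import sqlite3

def filter_escape(value: str) -> str:
    """Assumed filter behaviour: double every single quote in a parameter."""
    return value.replace("'", "''")

def restore(value: str) -> str:
    """Application-side restore: collapse each doubled quote once.
    Only valid for values that actually passed through filter_escape."""
    return value.replace("''", "'")

def roundtrip(db, typed: str, fix: bool):
    """One postback: filter, concatenated INSERT, then echo into the textbox."""
    seen = filter_escape(typed)  # what the page code receives
    # Legacy string-concatenated SQL, the pattern the filter exists to protect.
    db.execute("INSERT INTO notes(body) VALUES ('" + seen + "')")
    stored = db.execute(
        "SELECT body FROM notes ORDER BY rowid DESC LIMIT 1"
    ).fetchone()[0]
    # Restore happens after the query is built and before the page is resent.
    echoed = restore(seen) if fix else seen
    return stored, echoed

def simulate(typed: str, presses: int, fix: bool):
    """Press the button `presses` times, feeding the echoed text back in."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes(body TEXT)")
    text, history = typed, []
    for _ in range(presses):
        stored, text = roundtrip(db, text, fix)
        history.append((stored, text))
    return history

if __name__ == "__main__":
    sample = "Cris's box"  # constructed sample input
    for fix in (False, True):
        print("restore before echo:", fix)
        for stored, echoed in simulate(sample, 3, fix):
            print("  stored:", stored, "| textbox:", echoed)
```

Without the restore step the first press stores the right value but every later press stores an extra layer of quotes, because the textbox feeds the already-doubled text back through the filter.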

Jun 27, 2008 at 2:17 PM
Hi Rodney,

I installed the asp.net version on one of our sites that runs asp and asp.net. It works great for pages that are asp, but when a user accesses an aspx page, eventually the iis worker process shuts down.

The error message:

Faulting application w3wp.exe, version 6.0.3790.3959, faulting module msvcr80d.dll, version 8.0.50727.42, fault address 0x00052758.

Once we removed the wildcard from our site, we no longer get those errors in the event log. We would like to use the filter but cannot because of this issue. Can you help?

Thanks
Gordon

Jun 30, 2008 at 1:47 PM
Hi Rodney,

We have the same issue as GordonP (and others). The filter works great, and I don't want to remove it because it seems to be denying attacks fairly frequently. The IIS worker process errors are happening regularly too (perhaps coincident with an attempted attack?). Hard to tell from the error itself "Faulting application w3wp.exe, version 6.0.3790.3959, faulting module msvcr80d.dll, version 8.0.50727.42, fault address 0x00052758". Because I didn't want to remove the filter, I worked around the errors by making my IIS application pools fault tolerant (i.e. they don't shut down after 5 bad processes). Anything you can do to resolve this error issue would be greatly appreciated however.

Thanks,

JohnM
Coordinator
Jun 30, 2008 at 5:02 PM
Edited Jun 30, 2008 at 5:04 PM

Gordon and John,

 

If you give me the steps to reproduce the problem I would be more than glad to investigate and resolve the problem.

Thanks,

Rodney

Jun 30, 2008 at 9:02 PM

Rodney,

Thanks for the response.

I installed your filter on our server according to your instructions for the ASP.Net-friendly version, ran a successful test using your test project, then installed it on my ASP and ASP.Net sites using the same procedures. The IIS worker process errors just started happening after that. Unfortunately it's not possible to track down exactly which application is having the problem at any one time. We get about one of these errors an hour, sometimes more. I removed the filter from our ASP.Net applications, since they are already pretty well protected with validations and parameterization, and the errors seem to have ceased - maybe one or two over 6 hours. It's got to be some problem with the filter, since other people are seeing this too. Any ideas?

Thanks,

John