
Microsoft small business knowledge base

Article ID: 887289 - Last Review: December 3, 2007 - Revision: 3.9

SUMMARY

To aid customers in protecting their ASP.NET applications, Microsoft has made available an HTTP module that implements canonicalization best practices. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
887459 (http://support.microsoft.com/kb/887459/) Programmatically check for canonicalization issues with ASP.NET
For additional information about how to determine the version of ASP.NET, click the following article number to view the article in the Microsoft Knowledge Base:
318785 (http://support.microsoft.com/kb/318785/) Determine whether service packs are installed on the .NET Framework

SYMPTOMS

When a Web server receives a URL, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. Unhandled canonicalization issues can lead to unexpected results. For more information about canonicalization, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa302420.aspx

RESOLUTION

Microsoft.Web.ValidatePathModule.dll - HTTP module

Download information

The following file is available for download from the Microsoft Download Center:

Download the VPModule.msi package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en)

Release Date: October 7, 2004

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

The VPModule.msi file is designed for the 32-bit Microsoft .NET Framework.

Before you install the VPModule.msi file, back up all the instances of the Machine.config file on your computer. To create a backup copy of the Machine.config file, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. Locate every version of the Machine.config file. The Machine.config file or files are located in the following folder, where <framework version number> is the version of the Microsoft .NET Framework that you have installed:
    %windir%\Microsoft.NET\Framework\<framework version number>\CONFIG
    For example, if the .NET Framework 1.1 is installed on drive C, type the following command, and then press ENTER:
    cd /d %windir%\microsoft.net\framework\v1.1.4322\config
  3. Type the following command to create a backup copy of the Machine.config file, and then press ENTER:
    copy machine.config machine.config.bak
Repeat these steps for each instance of the .NET Framework that is installed on your system.

Installation information

Microsoft has released an installation package that is named VPModule.msi. The VPModule.msi file installs the Microsoft.Web.ValidatePathModule.dll file on your system. The installation updates the Machine.config file or files with a new HTTP module entry on all installed versions of .NET Framework.

To use the installation package, download the VPModule.msi file, double-click the package to begin installation, and then follow the installation instructions.

What the VPModule.msi does

The installer first extracts a file that is named Microsoft.Web.ValidatePathModule.dll. The installer then updates all the Machine.config files that exist on the system so that the files have an entry that looks like the following:
    <system.web>
        <httpModules>
            <add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/>
        </httpModules>
    </system.web>
The installer then adds the Microsoft.Web.ValidatePathModule.dll file to the Global Assembly Cache (GAC).

For developers who want to understand what the Microsoft.Web.ValidatePathModule.dll file does programmatically, the source code is available below:
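    using System;
    using System.IO;
    using System.Web;

    namespace Microsoft.Web {
        public class ValidatePathModule : IHttpModule {
            public ValidatePathModule() {
            }
            // Subscribe to BeginRequest so that every request is checked
            // before any later pipeline stage runs.
            void IHttpModule.Init(HttpApplication app) {
                app.BeginRequest += new EventHandler(this.OnBeginRequest);
            }
            void IHttpModule.Dispose() {
            }
            void OnBeginRequest(Object source, EventArgs eventArgs) {
                HttpRequest request = (source as HttpApplication).Request;
                string physicalPath = request.PhysicalPath;
                // Reject the request with a 404 if the URL path contains a backslash,
                // or if the mapped physical path is not already in canonical form
                // (Path.GetFullPath returns something different from the path itself).
                if (request.Path.IndexOf('\\') >= 0 || Path.GetFullPath(physicalPath) != physicalPath) {
                    throw new HttpException(404, "Not Found");
                }
            }
        }
    }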
For information about command-line switches that you can use to install the module, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa367988.aspx

Installation verification information

When the module is installed correctly, the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30EFFF0C-573D-46FB-8AD5-00887289261A}
Note This registry key does not exist on the system if you manually install the HTTP module as described in the "Custom installation information" section. The /a option only extracts files. It does not update the registry.

Removal information

To remove these changes, run the VPModule.msi file and select the Remove option. Alternatively, use Add/Remove Programs in Control Panel.

Unattended information

Use the following command to install these changes in unattended mode:
msiexec /i vpmodule.msi /qb-
Use the following command to remove these changes in unattended mode:
msiexec /x vpmodule.msi /qb-

Custom installation information

To manually install the HTTP module, follow these steps:
  1. Back up your Machine.config file or files. For more information about how to do this, see the "Prerequisites" section.
  2. Download the package. For more information about how to do this, see the "Download information" section.
  3. Use the following command to extract the Microsoft.Web.ValidatePathModule.dll file from the VPModule.msi file to a location of your choice:
    msiexec /a vpmodule.msi
  4. Use the following command to copy the module to the GAC:
    gacutil -i microsoft.web.validatepathmodule.dll
    Note The module is extracted to a folder that is named "Microsoft ValidatePath Module" and that is under the location that you specified.
  5. Edit the Machine.config file or files to add the following entry to the <httpModules> section:
    <add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/>
    

Known issues

The following are known issues:
  • The installer makes sure that the Machine.config file or files are successfully updated with a <httpModule> entry for the Microsoft.Web.ValidatePathModule.dll file. However, under certain circumstances, this may not stop the described behavior from occurring.

    This behavior could occur if a Web.config file exists, and the Web.config file clears the list that is defined at the Machine.config level. For example, an entry that resembles the following in a Web.config file may cause this behavior:
    <httpModules>
        <clear/>
    </httpModules>
    
    This configuration prevents the mitigation module from executing in this particular application. This configuration normally occurs when an application does not want to use the HTTP modules that are defined at the Machine.config level, but instead wants to clear the list and then define a new list that is specific to the current application.
  • If you install a different version of the .NET Framework, you must uninstall and then reinstall the VPModule.msi file.
  • For additional information about issues with SQL Server Reporting Services and VPModule.msi, click the following article number to view the article in the Microsoft Knowledge Base:
    887787 (http://support.microsoft.com/kb/887787/) You may receive error messages from Reporting Services after you install the ASP.NET ValidatePath Module
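
The first known issue (a Web.config file that clears the inherited module list) can be checked by replaying the <add>, <remove> and <clear/> elements of each configuration level in order. The following PowerShell is an added example, not Microsoft's code and not the VPModuleScanner.js tool; the function names Get-EffectiveHttpModules and Test-ValidatePathModuleActive are hypothetical, the sample XML is constructed, and only the top-level system.web/httpModules section is considered.

```powershell
# Added example. Assumption: only /configuration/system.web/httpModules is read;
# <location> blocks and namespace-qualified config files are out of scope.
function Get-EffectiveHttpModules {
    param([string[]]$ConfigXml)   # Machine.config first, then each Web.config on the path
    $modules = [ordered]@{}
    foreach ($text in $ConfigXml) {
        $section = ([xml]$text).SelectSingleNode('/configuration/system.web/httpModules')
        if ($null -eq $section) { continue }   # no section: this level inherits unchanged
        foreach ($node in $section.SelectNodes('*')) {   # document order matters
            switch -CaseSensitive ($node.LocalName) {
                'clear'  { $modules.Clear() }
                'remove' { $modules.Remove($node.GetAttribute('name')) }
                'add'    { $modules[$node.GetAttribute('name')] = $node.GetAttribute('type') }
            }
        }
    }
    return $modules
}

# True only if the module entry survives every configuration level.
function Test-ValidatePathModuleActive {
    param([string[]]$ConfigXml)
    $type = (Get-EffectiveHttpModules $ConfigXml)['ValidatePathModule']
    return ($type -like 'Microsoft.Web.ValidatePathModule,*')
}

# Constructed sample configuration; the <add> entry is the one shown in this article.
$vpAdd = '<add name="ValidatePathModule" type="Microsoft.Web.ValidatePathModule, Microsoft.Web.ValidatePathModule, Version=1.0.0.0, Culture=neutral, PublicKeyToken=eba19824f86fdadd"/>'
$wrap  = '<configuration><system.web><httpModules>{0}</httpModules></system.web></configuration>'
$machine = $wrap -f $vpAdd
$cases = [ordered]@{
    'no httpModules section' = '<configuration><system.web/></configuration>'
    'clear only'             = $wrap -f '<clear/>'
    'remove by name'         = $wrap -f '<remove name="ValidatePathModule"/>'
    'clear, then re-add'     = $wrap -f ('<clear/>' + $vpAdd)
}
foreach ($name in $cases.Keys) {
    '{0,-24} module active: {1}' -f $name, (Test-ValidatePathModuleActive $machine, $cases[$name])
}
```

To audit a real application, pass the text of Machine.config followed by the text of each Web.config from the site root down to the application folder, for example as read with Get-Content -Raw.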

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
887405 (http://support.microsoft.com/kb/887405/) How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
887404 (http://support.microsoft.com/kb/887404/) How to use Systems Management Server 2003 to deploy the ValidatePath module
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
887290 (http://support.microsoft.com/kb/887290/) How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)
For more information about session states, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/87069683(vs.71).aspx

APPLIES TO
  • Microsoft ASP.NET 1.0
  • Microsoft ASP.NET 1.1
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 2
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework Software Development Kit 1.0 Service Pack 2
  • Microsoft .NET Framework Software Development Kit 1.0 Service Pack 1
Keywords: 
kbsecurity kbtshoot KB887289