Latest Microsoft Security Hotfix breaks MbCompression

Oct 11, 2010 at 9:28 AM

After installing the latest Microsoft Security Hotfix KB2416417 (http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx) our web applications on all development machines stopped working, throwing the exception "Unable to validate data". We finally tracked the problem down to MbCompression and after removing it from web.config we managed to get things working.

Hope this helps someone else too.

/ Olof

Oct 11, 2010 at 6:17 PM
olofto wrote:

After installing the latest Microsoft Security Hotfix KB2416417 (http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx) our web applications on all development machines stopped working, throwing the exception "Unable to validate data". We finally tracked the problem down to MbCompression and after removing it from web.config we managed to get things working.

Hope this helps someone else too.

/ Olof

Thanks for posting this... would be interested to hear if anyone comes up with a fix. Due to time constraints we're just removing mbcompression as well.

Oct 12, 2010 at 4:33 AM

I have encountered the same thing since yesterday. Is there no quick fix for this other than removing MbCompression?

Oct 12, 2010 at 8:43 AM

Can somebody tell me on which IIS it happens?

IIS6 / IIS 7 ?

Thanks

Oct 12, 2010 at 8:52 AM

For me: IIS7 on Windows 7.


Oct 12, 2010 at 11:01 AM

I installed this update on my machine (IIS7) and I haven't got any error.

Can you send me a working example project so I can debug and track the bug?


Oct 21, 2010 at 8:16 AM
Edited Oct 21, 2010 at 10:28 AM

For two weeks we have had problems with MbCompression for WebResource.axd.

Initially everything works OK, but after some time or load (still unclear), all requests for WebResource.axd either result in "bad request" if machine key is specified or "forbidden" if not. I have not been able to reproduce the problem on my development machine or in our staging environment. However, it happens within 12h on our production server with moderate load.

My feeling is that some type of cache expires differently after the security updates... Or that the schema for how the URL-parameters are encrypted somehow is changed.

There may be some relevant information in the following article: http://support.microsoft.com/kb/2431728/

Below follows call-stack information from logged exceptions:


System.Web.HttpException : Unable to validate data.

System.Web

at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)
at System.Web.Security.MembershipProvider.DecryptPassword(Byte[] encodedPassword)
at Miron.Web.MbCompression.EmptyMembership.DecryptString(String input) in C:\SDK\MbCompression\MbCompression_src\Utils\EmptyMembership.cs:line 47
at Miron.Web.MbCompression.Util.DecryptString(String input) in C:\SDK\MbCompression\MbCompression_src\Utils\Util.cs:line 208
at Miron.Web.MbCompression.WebResourceCompressionModule.GetDataFromQuery(NameValueCollection queryString) in C:\SDK\MbCompression\MbCompression_src\Modules\WebResourceCompressionModule.cs:line 307


System.Web.HttpException : Because your server does not support reflection or you set the attribute 'reflectionAlloweded="false"', You must specify a non-autogenerated machine key in your web.config to compress Webresource.axd 


MbCompression

at Miron.Web.MbCompression.WebResourceCompressionModule.ThrowHttpException(Int32 num, String SRName) in C:\SDK\MbCompression\MbCompression_src\Modules\WebResourceCompressionModule.cs:line 381
at Miron.Web.MbCompression.WebResourceCompressionModule.GetDataFromQuery(NameValueCollection queryString) in C:\SDK\MbCompression\MbCompression_src\Modules\WebResourceCompressionModule.cs:line 311
at Miron.Web.MbCompression.WebResourceCompressionModule.OnPreRequestHandlerExecute(Object sender, EventArgs e) in C:\SDK\MbCompression\MbCompression_src\Modules\WebResourceCompressionModule.cs:line 74
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Settings:

<CompressorSettings compressCSS="true" reflectionAlloweded="true" compressJavaScript="true" compressPage="true" combineCSS="true" combineHeaderScripts="true" compressWebResource="true" minifyContent="true" cachingStorage="OutputCache" autoMode="true" scriptsVersion="2" cssVersion="2">


Machine key is specified.


Workaround:

Currently we work around the problem by disabling compression for WebResource.axd.

<!--<add name="WebResourceCompressionModule" type="Miron.Web.MbCompression.WebResourceCompressionModule, MbCompression"/>-->

Nov 2, 2010 at 1:10 PM

Same problem here on Windows Server 2008 and .NET Framework 4.0

:(

Nov 7, 2010 at 4:25 PM

Hello guys,

I couldn't generate the error you all got.

Can someone send me a sample project in which this error appears?

For now, use the solution PontusN suggested.

My email is: miron.abramson@gmail.com


Nov 9, 2010 at 7:38 AM

Hi all,

Since I can't simulate the problem,

can someone try this:

Change the machine key in the web.config using any online tool such as http://aspnetresources.com/tools/machineKey

and tell me if it helps


Thanks

Nov 9, 2010 at 8:01 AM

Hi!

Based on my investigation using Reflector there is a small difference in the implementations of encryption/decryption between the two alternate code paths used by MbCompression. The difference is in MS code and was most likely introduced by the security update.

Judging from the exceptions I get, the problem could be related to the use of reflection to call a non-public member...

Regards,
  Pontus

Nov 9, 2010 at 9:44 AM

Pontus,

Are you using your own servers or shared hosts (such as GoDaddy)?


Nov 9, 2010 at 9:48 AM

We use our own servers.

Nov 17, 2010 at 11:11 AM

I'm having the same problem.

Nov 17, 2010 at 11:19 AM

I still have no solution for the error.

Temporary solution is to comment out this line:

<add name="WebResourceCompressionModule" type="Miron.Web.MbCompression.WebResourceCompressionModule, MbCompression"/>

This will disable the webresource.axd compression while all the rest features will work as usual.


Jan 12, 2011 at 3:03 AM

After the Oracle Padding Attack security patch the method signatures have changed.

Encryption of the WebResource URL uses this:

MachineKeySection.EncryptOrDecryptData(false, buf, null, 0, buf.Length, ivType); where ivType is Hash

Decryption of the WebResource URL via DecryptPassword (using a dummy membership provider) uses this:

MachineKeySection.EncryptOrDecryptData(false, encodedPassword, null, 0, encodedPassword.Length, IVType.None, false, false);

Hence encryption uses IVType.Hash whereas decryption uses IVType.None, and hence it does not work.

The only thing that will work is using reflection (Page.DecryptString), or running without the patch applied (GoDaddy still has not applied the patch to all their servers).

To check whether the patch has been applied to the server, access the website using the following URL:

http://[YourWebsite]/WebResource.axd?d=zt87v2JeCPKYzqUfGEffpA2

If the PATCH HAS BEEN APPLIED the error is:

Server Error in '/' Application.

The resource cannot be found.

If the PATCH HAS NOT BEEN APPLIED the error is:

Server Error in '/' Application.

Padding is invalid and cannot be removed.
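The Hash-versus-None mismatch described in the post above, as an added example that is not part of this thread or of MbCompression's code: a small Python model of the parameters named in the post (fEncrypt, the buffer, ivType and signData). The keys, the HMAC-based toy keystream standing in for the real cipher, and the exact behaviour of each IVType are assumptions of the model, not ASP.NET's implementation. What the model does show is why a token built in one IV mode cannot be read back in another, why Hash mode gives a stable (cacheable) URL where Random mode does not, and why a signed token is rejected with "Unable to validate data." before any decryption is attempted.

```python
import hashlib
import hmac
import os
from enum import Enum

BLOCK = 16  # size of the IV block prepended to the ciphertext when an IV is in play

# Constructed keys for this model only; ASP.NET reads the real ones from <machineKey>.
DECRYPTION_KEY = b"constructed-decryption-key-not-real"
VALIDATION_KEY = b"constructed-validation-key-not-real"


class IVType(Enum):
    NONE = "None"      # fixed all-zero IV, nothing transmitted
    RANDOM = "Random"  # fresh random IV prepended; output differs on every call
    HASH = "Hash"      # IV derived from a hash of the plaintext; deterministic output


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode, keyed by the IV). Stands in for AES-CBC."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _make_iv(data: bytes, iv_type: IVType) -> bytes:
    if iv_type is IVType.NONE:
        return b"\x00" * BLOCK
    if iv_type is IVType.RANDOM:
        return os.urandom(BLOCK)
    return hashlib.sha256(data).digest()[:BLOCK]


def encrypt_or_decrypt_data(f_encrypt: bool, buf: bytes, iv_type: IVType, sign_data: bool) -> bytes:
    """Model of EncryptOrDecryptData(fEncrypt, buf, ..., ivType, signData) from the thread."""
    if f_encrypt:
        iv = _make_iv(buf, iv_type)
        prefix = b"" if iv_type is IVType.NONE else iv
        out = prefix + _xor(buf, _keystream(DECRYPTION_KEY, iv, len(buf)))
        if sign_data:  # append an HMAC over IV || ciphertext
            out += hmac.new(VALIDATION_KEY, out, hashlib.sha256).digest()
        return out

    # Decrypt: verify the signature first, so a tampered token is rejected
    # before the cipher ever touches it (the padding-oracle fix in a nutshell).
    if sign_data:
        if len(buf) < 32:
            raise ValueError("Unable to validate data.")
        body, tag = buf[:-32], buf[-32:]
        expected = hmac.new(VALIDATION_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("Unable to validate data.")
        buf = body
    if iv_type is IVType.NONE:
        iv, ct = b"\x00" * BLOCK, buf
    else:
        if len(buf) < BLOCK:
            raise ValueError("Unable to validate data.")
        iv, ct = buf[:BLOCK], buf[BLOCK:]
    return _xor(ct, _keystream(DECRYPTION_KEY, iv, len(ct)))


def round_trip_matched(data: bytes) -> bytes:
    """Encrypt and decrypt with the same ivType/signData: the plaintext comes back."""
    token = encrypt_or_decrypt_data(True, data, IVType.HASH, True)
    return encrypt_or_decrypt_data(False, token, IVType.HASH, True)


def round_trip_mismatched(data: bytes) -> bytes:
    """Encrypt as the URL builder does (IVType.Hash), decrypt as DecryptPassword does
    (IVType.None, no signature): the IV block and the tag are treated as ciphertext and
    a zero IV is used, so what comes back is neither the right length nor the right bytes."""
    token = encrypt_or_decrypt_data(True, data, IVType.HASH, True)
    return encrypt_or_decrypt_data(False, token, IVType.NONE, False)


def tampered_token_rejected(data: bytes) -> bool:
    """A single flipped ciphertext bit must fail validation, not produce garbage plaintext."""
    token = bytearray(encrypt_or_decrypt_data(True, data, IVType.HASH, True))
    token[BLOCK] ^= 0x01  # first byte after the IV block
    try:
        encrypt_or_decrypt_data(False, bytes(token), IVType.HASH, True)
    except ValueError as exc:
        return str(exc) == "Unable to validate data."
    return False


if __name__ == "__main__":
    sample = b"constructed WebResource.axd query payload"
    print(round_trip_matched(sample) == sample)        # True
    print(round_trip_mismatched(sample) == sample)     # False
    print(tampered_token_rejected(sample))             # True
```

The point for anyone maintaining code like MbCompression's: the two sides of a token format are one contract, and the safe way to keep them in step is to call the same public API (or at least the same overload with the same ivType/signData) on both sides rather than pairing a direct MachineKeySection call with MembershipProvider.DecryptPassword, which makes its own choice of parameters.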

Feb 17, 2011 at 9:10 PM

This error is occurring on Win2k8 R2 (Windows fully updated). The reports are that when it occurs it will continue until IIS is restarted. Using the link from the above poster I confirmed that the security update patch had been applied.

In our configuration the machine key has been explicitly set in the web.config, and it is a single-server configuration.

NOTE: This error does not occur on every attempt to request the resource, I can confirm that the resource query string is valid and that there are many instances of IIS & MbCompression serving up the proper resource before this error occurs.


Exception information:

Exception type: HttpException

Exception message: Unable to validate data.

Stack trace:
at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)
at System.Web.Security.MembershipProvider.DecryptPassword(Byte[] encodedPassword)
at Miron.Web.MbCompression.Util.DecryptString(String input) in MbCompression\Utils\Util.cs:line 197
at Miron.Web.MbCompression.WebResourceCompressionModule.GetDataFromQuery(NameValueCollection queryString) in MbCompression\Modules\WebResourceCompressionModule.cs:line 307

Mar 16, 2011 at 10:15 AM

Hi,

I have encountered the same issues as mentioned above and I was wondering if there is any news on this issue since I really like this compression toolkit.

Regards,

Don Wibier

Apr 8, 2011 at 4:32 PM

Hi,

Just feeling quite pleased with myself for implementing this and getting some nice savings.

Then I read this!!!! So not too sure what to think. Is there some cache related nightmare waiting to happen or has it been fixed?

Regards,

Will

May 20, 2011 at 11:01 AM

Just comment out this line:

<add name="WebResourceCompressionModule" type="Miron.Web.MbCompression.WebResourceCompressionModule, MbCompression"/>

This will disable the webresource.axd compression while all the rest features will work as usual.

Jun 24, 2011 at 11:58 AM

Possible solution for DecryptString error when using WebResource compression!

I have checked a bit on the WebResource compression errors after the security patch mentioned above and I have changed the following code in MbCompression\Utils\EmptyMembership.cs:

// Namespaces needed by this method:
using System;
using System.Reflection;
using System.Text;
using System.Web;
using System.Web.Configuration;

// Inside Miron.Web.MbCompression.EmptyMembership (MbCompression\Utils\EmptyMembership.cs)
internal string DecryptString(string input)
{
    byte[] buf = HttpServerUtility.UrlTokenDecode(input);

    //********************************************************
    //* not working code !!
    //********************************************************
    //buf = DecryptPassword(buf);
    //********************************************************
    //* end of non-working code
    //********************************************************

    // Call the non-public 5-parameter overload of MachineKeySection.EncryptOrDecryptData
    // directly through reflection instead of going through MembershipProvider.DecryptPassword,
    // so that decryption uses the same code path as the URL encryption.
    Type machineKeySection = typeof(MachineKeySection);
    Type[] paramTypes = new Type[] { typeof(bool), typeof(byte[]), typeof(byte[]), typeof(int), typeof(int) };
    MethodInfo encryptOrDecryptData = machineKeySection.GetMethod("EncryptOrDecryptData",
        BindingFlags.Static | BindingFlags.NonPublic, null, paramTypes, null);
    if (encryptOrDecryptData == null)
        throw new InvalidOperationException("MachineKeySection.EncryptOrDecryptData(bool, byte[], byte[], int, int) not found.");

    // fEncrypt = false: decrypt the whole buffer, no modifier
    buf = (byte[])encryptOrDecryptData.Invoke(null, new object[] { false, buf, null, 0, buf.Length });
    return Encoding.UTF8.GetString(buf);
}


If I turn the WebResourceCompressionModule back on in the web.config, and check things through Firebug, the compression seems to work again (tested on .NET 4).

It is a bit of a sneaky way of doing things and I'm also not sure if this runs on medium trust environments but I'm quite happy so far.

Regards,


Don Wibier