After applying MS11-100, an out-of-band security update for ASP.NET to mitigate an ASP.NET Denial of Service vulnerability, you may experience the following error comming from an .NET web application:
HttpException (0x80004005): The URL-encoded form data is not valid.
A requirement is having a large form with many form fields, more than 1000.
MS-11-100's summary is:
Microsoft security update MS11-100 limits the maximum number of form keys, files, and JSON members to 1000 in an HTTP request. Because of this change, ASP.NET applications reject requests that have more than 1000 of these elements. HTTP clients that make these kinds of requests will be denied, and an error message will appear in the web browser. The error message will usually have an HTTP 500 status code. This new limit can be configured on a per-application basis. Please see the "Resolution" section for configuration instructions.
ASP.NET requests that have lots of form keys, files, or JSON payload receive an error response from the server. The Application log on the server has a Warning entry with a Source that is a specific version of ASP.NET, and an Event ID of 1309.
To resolve this error (issue) you can increase MaxHttpCollectionKeys
on a per application basis in your web.config
file. As follows:
<appsettings>
<add key="aspnet:MaxHttpCollectionKeys" value="some number here"/>
</appsettings>
References:
Thank you very much! <3 ❤️
Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace – The Human Cloud. In the past I worked at CLDIN (CLouDINfra) and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.