Crash when certain URL params introduced. ACF works fine

We are trying to switch from ACF to Lucee and are doing some extensive testing. Something very strange is happening with the following URL params. They crash any page as soon as we pass these params:
https://domain-name/anypage.cfm?b=a<a&c=x
OR
https://domain-name/anypage.cfm?b=a<a&c=x

The crash result is:


Server Error in ‘/’ Application.

Runtime Error

Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a “web.config” configuration file located in the root directory of the current web application. This tag should then have its “mode” attribute set to “Off”.


Can I ask the community to test this querystring on any of your pages and let me know if you get the same error.

We even tried it on a folder with a blank application.cfm and still the same result. Our setup is Windows 2012 R2, latest version of Lucee.

This is an XSS validation exception being thrown by IIS because of the <a characters in the URL query string. Here’s the full detail:

A potentially dangerous Request.QueryString value was detected from the client (b=“a<a”).

Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see Request Validation in ASP.NET | Microsoft Learn.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (b=“a<a”).

To prevent it and let Lucee handle XSS instead you can modify your web.config:

```xml
<configuration>
  ...
  <system.web>
    <httpRuntime enableVersionHeader="false" requestValidationMode="2.0" /><!-- requestValidationMode="2.0" means don't validate XSS  -->
  </system.web>
</configuration>
```
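As an added illustration (not code from this thread or from Lucee), here is a Python re-implementation of the heuristic that ASP.NET request validation applies to each query-string value, based on my reading of its documented behaviour: a value is rejected when it contains `<` followed by a letter, `!`, `/` or `?`, or `&` followed by `#`. Running it over the query string from the question shows why `b=a<a` is rejected while `b=a<1` is not, which is useful when deciding what check to reproduce in Lucee after relaxing IIS validation; the sample query strings are constructed.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# Heuristic mirrored from ASP.NET request validation (my reading of its behaviour):
# flag '<' followed by an ASCII letter, '!', '/' or '?', and '&' followed by '#'.
# A trailing '<' or '&' with nothing after it is not flagged.
def is_dangerous(value: str) -> bool:
    for i, ch in enumerate(value[:-1]):
        nxt = value[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False

def flagged_params(query: str) -> List[Tuple[str, str]]:
    """Return the (name, value) pairs IIS would reject, after percent-decoding."""
    # parse_qsl decodes %3C etc. before the check, as the server does.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if is_dangerous(v)]

def format_error(query: str) -> Optional[str]:
    """Reproduce the wording of the HttpRequestValidationException for the first hit."""
    hits = flagged_params(query)
    if not hits:
        return None
    name, value = hits[0]
    return ("A potentially dangerous Request.QueryString value was detected "
            f'from the client ({name}="{value}").')

# Constructed samples: the query string from the question plus variants.
SAMPLES = {
    "b=a<a&c=x": True,     # '<' followed by a letter: rejected
    "b=a%3Ca&c=x": True,   # same value, percent-encoded: still rejected
    "b=a<1&c=x": False,    # '<' followed by a digit: accepted
    "b=5<&c=x": False,     # trailing '<': accepted
    "b=%26%23x": True,     # '&#' entity prefix: rejected
    "b=x&c=y": False,
}

if __name__ == "__main__":
    for q, expected in SAMPLES.items():
        assert bool(flagged_params(q)) == expected, q
        print(q, "->", format_error(q) or "accepted")
```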

Thanks so much for your quick response. We tried your suggestion and it worked. Thanks again.

On the connected subject of blocking certain url params I came across this excellent post of how to do it using apache: Eight Ways to Blacklist with Apache's mod_rewrite | Perishable Press

Well worth the read.

[edit]
and there’s more! (quote from the author) I am serious about site security. Nothing gets my juices flowing like the thought of chopping up mindless cracker whores into small, square chunks and feeding their still-twitching flesh to a pack of starving mongrels

Andrew