Microsoft KB Archive/915382

= An ASP.NET application that is built on the .NET Framework 1.1 with Service Pack 1 may convert some symbols incorrectly =

Article ID: 915382

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft .NET Framework 1.1 Service Pack 1

-





SYMPTOMS
Consider the following scenario. You use a Microsoft ASP.NET application that is built on the Microsoft .NET Framework 1.1 with Service Pack 1 (SP1). In this ASP.NET application, you use non-Unicode encoding and the EnableBestFitResponseEncoding property. In this scenario, the ASP.NET application may convert some symbols incorrectly.

For example, when a symbol is not present in the single-byte code page, the encoder tries to match the symbol to the best possible graphical representation in the single-byte code page. This method is called best fit substitution. When the best fit mode is turned off, a symbol that is not present in the single-byte code page is replaced with a question mark (?). When the best fit mode is turned on, a harmless symbol may be converted into a potentially dangerous symbol. For example, a harmless symbol may be converted into the greater than sign (>) or into the less than sign (<).



CAUSE
This problem occurs when the EnableBestFitResponseEncoding property is set to true and you use non-Unicode encoding. Input validation and output filtering run on the Unicode string before the response is encoded, so a symbol that passes such a check can still be turned into a markup character when the response is converted to the single-byte code page. This may let an attacker easily bypass the content restrictions and possibly expose the application to cross-site scripting and script injection attacks.
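The bypass that the SYMPTOMS and CAUSE sections describe, as an added example that is not part of this article: a Python simulation of best fit response encoding. The BEST_FIT table, the windows-1252 code page, the naive input check and the attacker input are constructed for illustration only; the real Windows best fit tables are much larger, and the only point taken from the article is that best fit can turn a symbol into a less than sign or a greater than sign.

```python
# Added example (not from the KB article): a simulation of best fit response
# encoding, showing why a check that runs on the Unicode string cannot see
# the substitution. The BEST_FIT table below is constructed for illustration.

CODE_PAGE = "cp1252"

# Constructed: symbols that windows-1252 cannot represent, paired with the
# ASCII character a best fit mapping would substitute for them.
BEST_FIT = {
    "\uff1c": "<",   # FULLWIDTH LESS-THAN SIGN
    "\uff1e": ">",   # FULLWIDTH GREATER-THAN SIGN
    "\uff02": '"',   # FULLWIDTH QUOTATION MARK
    "\uff07": "'",   # FULLWIDTH APOSTROPHE
}


def encode_response(text: str, best_fit: bool) -> bytes:
    """Encode a response body into the single-byte code page.

    best_fit=True mimics EnableBestFitResponseEncoding=true: a symbol the
    code page lacks is replaced by its closest-looking character.
    best_fit=False mimics best fit turned off: such a symbol becomes '?'.
    """
    out = bytearray()
    for ch in text:
        try:
            out += ch.encode(CODE_PAGE)
        except UnicodeEncodeError:
            substitute = BEST_FIT.get(ch, "?") if best_fit else "?"
            out += substitute.encode(CODE_PAGE)
    return bytes(out)


def contains_markup(s: str) -> bool:
    """Naive input check: rejects the literal ASCII markup characters.
    It runs on the Unicode string, before response encoding happens."""
    return any(c in s for c in '<>"')


def render_page(user_input: str, best_fit: bool) -> bytes:
    """Validate input, build the page, then encode it the way the server does."""
    if contains_markup(user_input):
        raise ValueError("markup characters are not allowed")
    body = "<p>Hello, " + user_input + "</p>"
    return encode_response(body, best_fit)


def render_page_utf8(user_input: str) -> bytes:
    """The recommended configuration: UTF-8 represents every symbol, so no
    best fit substitution is ever needed."""
    if contains_markup(user_input):
        raise ValueError("markup characters are not allowed")
    return ("<p>Hello, " + user_input + "</p>").encode("utf-8")


def has_script_tag(raw: bytes) -> bool:
    """What the browser would see: does the byte stream contain a script tag?"""
    return b"<script" in raw.lower()


# Constructed attacker input: fullwidth forms pass the ASCII check above.
PAYLOAD = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"

if __name__ == "__main__":
    unsafe = render_page(PAYLOAD, best_fit=True)
    safe = render_page(PAYLOAD, best_fit=False)
    print(unsafe)   # b'<p>Hello, <script>alert(1)</script></p>'
    print(safe)     # b'<p>Hello, ?script?alert(1)?/script?</p>'
    print(has_script_tag(unsafe), has_script_tag(safe))  # True False
```

The point the simulation makes is that the substitution happens after every check the application can perform on the Unicode string, including an HTML encoder that only escapes the ASCII less than sign. Filtering cannot close this gap; turning best fit off, or using UTF-8 as the article recommends, can.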

If the Web.Config file is similar to the following code example, this problem may occur.   



RESOLUTION
To resolve this problem, set the EnableBestFitResponseEncoding property to false in the ASP.NET application. This turns the best fit mode off, so a symbol that is not present in the code page is replaced with a question mark (?) instead of a best fit character. To set the EnableBestFitResponseEncoding property to false, use the following code example.
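The Web.Config settings that the CAUSE and RESOLUTION sections refer to, reconstructed here as an added example rather than the article's own listing. The attribute name enableBestFitResponseEncoding on the globalization element and the windows-1252 response encoding are assumptions made for this example; the article itself names only the EnableBestFitResponseEncoding property.

```xml
<!-- Added example, not the article's own listing.
     Affected configuration: a single-byte response encoding with best fit turned on.
     The attribute name and the windows-1252 value are assumptions. -->
<configuration>
  <system.web>
    <globalization responseEncoding="windows-1252"
                   enableBestFitResponseEncoding="true" />
  </system.web>
</configuration>

<!-- Resolution from the article: turn best fit off.
     A symbol that windows-1252 cannot represent now becomes "?". -->
<configuration>
  <system.web>
    <globalization responseEncoding="windows-1252"
                   enableBestFitResponseEncoding="false" />
  </system.web>
</configuration>

<!-- Recommended in MORE INFORMATION: use UTF-8, which represents every symbol,
     so no best fit substitution is needed and the limitation described there
     does not apply. -->
<configuration>
  <system.web>
    <globalization responseEncoding="utf-8" />
  </system.web>
</configuration>
```

Only one of the three configuration fragments belongs in a given Web.Config; they are shown side by side to contrast the affected setting with the two fixes.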



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
When the EnableBestFitResponseEncoding property is set to false in an ASP.NET application that is built on the .NET Framework 1.1 with SP1, an encoding object that is obtained from the Response.ContentEncoding property has limited capabilities. Additionally, you should not call the GetDecoder method for the object. We recommend that you use UTF-8 encoding to avoid this limitation. This limitation does not apply to an ASP.NET application that is built on the Microsoft .NET Framework 2.0.

Keywords: kbtshoot kbbug kbprogramming kbprb kbinfo KB915382

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.