Being used by someone else

  • Question

  • User279080766 posted

    It is obvious that someone is using my code to do something other than what it is designed for.  I get multiple (over fifty) Unhandled exceptions that read:

    An unhandled exception occurred in the lkwdfirstlions.org:

    Message: Conversion from string "http://www.municipioxii.it/sunny" to type 'Integer' is not valid.

     Stack Trace:

       at Microsoft.VisualBasic.CompilerServices.Conversions.ToInteger(String Value)

       at DownloadEvent.ProcessRequest(HttpContext context) in c:\hosting\webhost4life\member\parley\Events_Download.ashx:line 23

       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    The code reads:

    17 Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest

    18 Dim response As Web.HttpResponse = context.Response

    19 Dim request As Web.HttpRequest = context.Request

    20 response.BufferOutput = True

    21 response.ContentType = "text/calendar"

    22 response.Cache.SetCacheability(HttpCacheability.NoCache)

    23 Dim EventID As Integer = CInt(request.QueryString("EventID"))


    24 Dim viewurl As New Uri(context.Request.Url, "Events_view.aspx?Eventid=" & EventID)

    25 writeCalEntry(eventid, response.Output, viewurl.ToString)


    26 response.End()

    28 End Sub


    Please help me close this hole.

    Monday, January 21, 2008 3:30 PM

All replies

  • User595841651 posted

    I get a number of the same issues every day in my logs (I'm not using that starter kit either).

    Basically, as I understand it, it's an attempt to auto-post to your site. There is some script out there that's pegging your site trying to find ways to (most likely) post ads/spam to the site. They find sites that pass params through the URL and try to exploit these.

    As long as no content makes it into your site you are most likely fine...

    Monday, January 21, 2008 3:49 PM
  • User-1563988197 posted

    Ah... this is simple, actually.

    You have to have an ID as the EventID and not a string (if you were to use this code). It looks like you need some logic to just terminate the cast in line 23 if the query string is not an integer. For that you might need a method that determines if the string is A) not null and B) can be cast as an integer. How about you try this:


    ' Requires "Imports System.Text.RegularExpressions" at the top of the file.
    Public Shared Function IsInteger(ByVal sItem As String) As Boolean
      If sItem IsNot Nothing Then
        ' Reject anything containing a character other than a digit or "-".
        Dim notIntPattern As New Regex("[^0-9-]")
        ' Accept only an optional leading "-" followed by digits.
        Dim intPattern As New Regex("^-[0-9]+$|^[0-9]+$")
        Return Not notIntPattern.IsMatch(sItem) AndAlso intPattern.IsMatch(sItem)
      End If
      Return False
    End Function

    Then you'll have to put in some If/Then logic to just handle if the response was out (use response.End() for the termination, else continue writing the event cal file)
    Tuesday, January 22, 2008 12:33 PM
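
An added example, not part of the original thread: a digits-only pattern still accepts a value such as "99999999999", which makes `CInt` throw an OverflowException, so this sketch validates the `EventID` query value with `Integer.TryParse` instead. The helper name `TryGetEventId`, the rule that IDs are positive, and the 400 response are assumptions; the sample inputs are constructed, apart from the URL taken from the logged exception.

```vbnet
Imports System
Imports System.Globalization

Module EventIdValidation

    ' Hypothetical helper (not from the original posts): True only when raw is a
    ' plain run of decimal digits that fits in a 32-bit Integer and is positive.
    Function TryGetEventId(ByVal raw As String, ByRef eventId As Integer) As Boolean
        eventId = 0
        If String.IsNullOrEmpty(raw) Then Return False
        ' NumberStyles.None rejects signs, whitespace, exponents and separators.
        ' TryParse returns False on overflow instead of throwing, unlike CInt.
        If Not Integer.TryParse(raw, NumberStyles.None,
                                CultureInfo.InvariantCulture, eventId) Then
            Return False
        End If
        ' Assumption: event IDs are positive database keys.
        Return eventId > 0
    End Function

    ' In the handler, line 23 of the posted code would become:
    '   Dim EventID As Integer
    '   If Not TryGetEventId(request.QueryString("EventID"), EventID) Then
    '       response.StatusCode = 400   ' bad request, no unhandled exception
    '       response.End()
    '       Return
    '   End If

    Sub Main()
        ' Constructed sample values for the EventID query-string parameter.
        Dim samples() As String = {"42", "http://www.municipioxii.it/sunny",
                                   "", "-7", "99999999999", " 12 ", "1e3"}
        For Each raw As String In samples
            Dim id As Integer
            If TryGetEventId(raw, id) Then
                Console.WriteLine("200  EventID={0}", id)
            Else
                Console.WriteLine("400  rejected ""{0}""", raw)
            End If
        Next
    End Sub

End Module
```

Rejecting the request with a 400 keeps automated probes out of the unhandled-exception log while still leaving a record in the normal web server access log.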