Home > ASP.NET, IIS > Effects of MS11-100 on asp.net websites

Effects of MS11-100 on asp.net websites

On 29 Dec 2011, Microsoft released a security bulletin MS11-100 which attempts to resolve hash collisions vulnerabilities found in asp.net.


However if you have form pages with > 1000 elements, then you will encounter the following error (for asp.net)

System.Web.HttpException (0x80004005): The URL-encoded form data is not valid. —> System.InvalidOperationException: Operation is not valid due to the current state of the object.
at System.Web.HttpValueCollection.ThrowIfMaxHttpCollectionKeysExceeded()
at System.Web.HttpValueCollection.FillFromEncodedBytes(Byte[] bytes, Encoding encoding)
at System.Web.HttpRequest.FillInFormCollection()
at System.Web.HttpRequest.FillInFormCollection()
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

What is happening is that asp.net is now checking your Form posted data and if it exceeds a certain threshold it will throw the exception above.


To workaround this, what you can do is to put the following item inside appsettings

<add key="aspnet:MaxHttpCollectionKeys" value="10000" />


By default this value is 1000, but you are free to either limit or give it a larger value

Categories: ASP.NET, IIS
  1. March 16, 2012 at 11:52 pm

    Just ran into the same issue with ASP.NET MVC 3. Thanks for the tip!

  2. ashwini
    June 27, 2012 at 5:33 pm

    Does this affect any performance if set to large value?

    • June 27, 2012 at 5:48 pm

      not too much, it is actually more of a security measure. so just extend it to a reasonable amount so that it works for your site

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: