I have a brand new Sitefinity 8 site I just created with basically all default settings, and I'm seeing bots submit requests that are causing the application to crash with the message:
ArgumentNullException: Value cannot be null.
at Telerik.Sitefinity.Security.Claims.ClaimsManager.ValidateUser(String username, String password)
at Telerik.Sitefinity.Security.Claims.ClaimsManager.TryParseBasicAuth(NameValueCollection values, User& user)
at Telerik.Sitefinity.Security.Claims.SitefinityClaimsAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I tracked down the issue by dumping the full request headers from the bad attempts, and it appears to be caused by the line "Authorization: Og==" but without any username/password headers being passed.
To reproduce the issue, I used Fiddler to compose a request with the following headers and tried with https://www.hurl.it/ by just adding a manual header of "Authorization: Og==".
Accept-Encoding: gzip,deflate, identity
Authorization: Basic Og==
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.4 (Ubuntu package 1.0.7)
For my setup, the security settings are all default except we've added a new membership provider for LDAP users (the same as the original LDAPUsers provider) and set the DefaultBackendMembershipProvider=our new one. That shouldn't have any impact on the public setup at all though.
Any idea how to make this type of bad request go through as normal? I need to prevent it from crashing, and without knowing the cause I'm worried there may be other related issues or vulnerabilities as well. Thanks!
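Added example, not part of the original post and not Sitefinity code: "Og==" is the base64 encoding of a single colon, so the Basic credentials in the request above decode to an empty username and an empty password. One way to keep such requests from reaching the authentication step shown in the stack trace is an ASP.NET module that answers them with 400 during BeginRequest. The module name `EmptyBasicAuthGuardModule` is hypothetical, and the sketch assumes that short-circuiting before AuthenticateRequest is acceptable for the site and that only headers carrying the "Basic" scheme need handling.

```csharp
using System;
using System.Text;
using System.Web;

// Hypothetical guard module (assumption: not shipped with Sitefinity).
public class EmptyBasicAuthGuardModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest runs before AuthenticateRequest, the event in which
        // the stack trace in the post originates.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string header = app.Request.Headers["Authorization"];
        if (header == null || !IsUnusableBasic(header)) return;

        // Malformed credentials: answer 400 and skip the rest of the pipeline.
        app.Response.StatusCode = 400;
        app.CompleteRequest();
    }

    // True when the header uses the Basic scheme but its payload is not valid
    // base64, has no ':' separator, or carries an empty username.
    // "Basic Og==" decodes to ":" and is therefore rejected.
    public static bool IsUnusableBasic(string header)
    {
        const string prefix = "Basic ";
        string value = header.TrimStart();
        if (!value.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            return false; // other schemes are left to their own handlers

        byte[] raw;
        try { raw = Convert.FromBase64String(value.Substring(prefix.Length).Trim()); }
        catch (FormatException) { return true; }

        string decoded = Encoding.UTF8.GetString(raw);
        int colon = decoded.IndexOf(':');
        return colon <= 0; // -1: no separator, 0: empty username
    }
}
```

The module takes effect once it is registered under `system.webServer/modules` in web.config. Logging the rejected requests alongside the 400 gives a record of how often the bots send this header.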