Developing for the translation industry



 Wednesday, September 29, 2010

This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability that I’ve blogged about this past week. 

From Scott Guthrie’s blog post we learn that the update should not require any code or configuration change to your existing ASP.NET applications. Also, if you apply the update to a live web-server, there will be some period of time when the web-server will be offline (although an OS reboot should not be required). You’ll want to schedule and coordinate your updates appropriately.

If you want to apply the update right now, you can download it from the Microsoft Download Center. The update will also be released in the next scheduled Windows Update and Windows Server Update.

Other posts

19 great tips to enhance your SQL Server security

Intro to LDAP injection

The LoginProperty function in SQL Server 2005

Google Translator Hacked

SQL Injection joke

Wednesday, September 29, 2010 10:41:59 AM (Eastern Standard Time, UTC-05:00)
.NET | Security
 Wednesday, September 22, 2010

String-format-cheat-sheet

I don’t understand why but it seems that I can never remember the .NET string format syntax.

Then I found this. A very nice two-pager cheat-sheet containing all you need to know about the string format syntax.

Download it here.

 

Other posts:

How to: Use Active Directory to authenticate users

Sorting strings for real people - A human-friendly IComparer

How to set NTFS permissions using C#

How to restart a Windows service using C#

How to get the list of object modifications in SQL Server

Wednesday, September 22, 2010 9:44:16 AM (Eastern Standard Time, UTC-05:00)
.NET
 Wednesday, September 15, 2010

Seen on Visual Studio Magazine

Two security researchers, Thai Duong and Juliano Rizzo, have discovered a bug in the default encryption mechanism used to protect the cookies normally used to implement Forms Authentication in ASP.NET. Using their tool (the Padding Oracle Exploit Tool or POET), they can repeatedly modify an ASP.NET Forms Authentication cookie encrypted using AES and, by examining the errors returned, determine the Machine Key used to encrypt the cookie. The process is claimed to be 100 percent reliable and takes between 30 and 50 minutes for any site.

Once the Machine Key is determined, attackers can create bogus forms authentication cookies. If site designers have chosen the option to embed role information in the security cookie, then attackers could arbitrarily assign themselves to administrator roles. This exposure also affects other membership provider features, spoofing protection on the ViewState, and encrypted information that might be stored in cookies or otherwise be made available at the client.

While the exposure is both wide and immediate, the fix is simple. The hack exploits a bug in .NET's implementation of AES encryption. The solution is to switch to one of the other encryption mechanisms -- to 3DES, for instance. Since encryption for the membership and roles providers is handled by ASP.NET, no modification of existing code should be required for Forms Authentication.

The encryption method can be set in the web.config file for a site, in IIS 7 for a Web server, or in the config file for .NET on a server in %SYSTEMROOT%\Microsoft.NET\Framework\version\CONFIG\. On 64-bit systems, it must also be set in %SYSTEMROOT%\Microsoft.NET\Framework64\version\CONFIG\. A typical entry would look like this:

    <machineKey validationKey="AutoGenerate,IsolateApps"
                validation="3DES"
                decryptionKey="AutoGenerate,IsolateApps"
                decryption="3DES" />

On a Web farm, this setting will have to be made on all the servers in the farm.

These settings are also used to prevent spoofing (ViewState data is encoded but not encrypted), so making this change will also switch the ViewState to using 3DES. Developers who are using AES in their code to encrypt information made available at the client should consider modifying their code to use a different encryption mechanism.
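The article quoted above notes that the attack works by examining the errors a site returns for modified cookies. As an added example, which is my own code and not from Visual Studio Magazine or from this blog, here is a C# encrypt-then-MAC routine for data handed to the client: the HMAC tag is verified in constant time before any decryption is attempted, so a tampered cookie yields one uniform failure whether or not its padding is valid. The class name, the key handling and the Main method are illustrative assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from Visual Studio Magazine or from this blog:
// encrypt-then-MAC for data handed to the client. The tag is verified before
// any decryption, so a tampered cookie produces one uniform failure and
// padding errors are never observable. Key handling and Main are illustrative.
public static class AuthenticatedCookieCrypto
{
    const int IvLength = 16;   // AES block size
    const int TagLength = 32;  // HMAC-SHA256 output

    // Output layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        byte[] body;
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            body = new byte[IvLength + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, body, 0, IvLength);
            Buffer.BlockCopy(cipher, 0, body, IvLength, cipher.Length);
        }
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(body);
            byte[] blob = new byte[body.Length + TagLength];
            Buffer.BlockCopy(body, 0, blob, 0, body.Length);
            Buffer.BlockCopy(tag, 0, blob, body.Length, TagLength);
            return blob;
        }
    }

    // Returns null on ANY failure (wrong length, bad tag, bad padding), so the
    // caller, and therefore the client, sees a single outcome for every kind of tampering.
    public static byte[] Unprotect(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob == null || blob.Length < IvLength + TagLength) return null;
        int bodyLength = blob.Length - TagLength;

        byte[] expectedTag;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
            expectedTag = hmac.ComputeHash(blob, 0, bodyLength);
        if (!FixedTimeEquals(expectedTag, blob, bodyLength)) return null;   // reject before decrypting

        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
                byte[] iv = new byte[IvLength];
                Buffer.BlockCopy(blob, 0, iv, 0, IvLength);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    return dec.TransformFinalBlock(blob, IvLength, bodyLength - IvLength);
            }
        }
        catch (CryptographicException)
        {
            return null;   // should not happen once the tag has verified; still the same outcome
        }
    }

    // Compares every byte without short-circuiting so that timing does not
    // reveal where a forged tag first differs from the real one.
    static bool FixedTimeEquals(byte[] expected, byte[] blob, int offset)
    {
        if (blob.Length - offset != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ blob[offset + i];
        return diff == 0;
    }

    public static void Main()
    {
        // Two independent random keys; in a real site they would come from configuration
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(encKey); rng.GetBytes(macKey);
        }

        byte[] blob = Protect(Encoding.UTF8.GetBytes("user=alice;role=user"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Unprotect(blob, encKey, macKey)));

        byte[] tampered = (byte[])blob.Clone();
        tampered[IvLength] ^= 0x01;   // flip one ciphertext bit, as a tampering client would
        Console.WriteLine(Unprotect(tampered, encKey, macKey) == null ? "rejected" : "accepted");
    }
}
```

The design point is the order of operations: the tag check happens first and decides the outcome on its own, so the decryptor's padding check is never reached for data the server did not produce, and the error the client observes carries no information about the plaintext.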

 

Other Posts:

Google instant makes searching for God harder

Tabnabbing: A New Kind Of Phishing Attack

Big news in security: 1024-bit RSA encryption cracked!

Tips to enhance your SQL Server security

What is LDAP injection?

Wednesday, September 15, 2010 8:35:36 AM (Eastern Standard Time, UTC-05:00)
.NET | News | Security
 Monday, November 23, 2009

I use log4net in every application I build that needs some sort of log.

Most of the examples on the log4net site put the configuration right in the App.config/Web.config file of the example application. Since they are simply examples and not real-life scenarios, that’s not necessarily the best way to do it. For example, you may have a single log4net.config that you want to use in several projects, or you may simply want to keep log4net.config somewhere else to make those config files more readable.

The magic bit that at least I can't easily find and always forget is:

If you add an appSettings key called "log4net.Config" you can put an app-relative path to an external log4net.config file in there and everything will automatically configure itself using that.

It looks like this:

<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="log4net.Config" value="log4net.config" />
  </appSettings>
</configuration>

That example puts the log4net.config file right in the root of the application. You could specify "config/log4net.config" to put it in a "config" subfolder. You don't even have to call the XmlConfigurator.Configure method or mark your assembly with an XmlConfiguratorAttribute or anything. Some voodoo magic happens in the background and it just works.

 

Other posts:

How to enumerate the Domain Controllers in the current Domain in C#

How to Create User Accounts in Active Directory using C#

How to restart a Windows service using C#

How to set NTFS permissions using C# 2005

Monday, November 23, 2009 10:21:14 AM (Eastern Standard Time, UTC-05:00)
.NET | General | Tools
 Wednesday, May 21, 2008

At my company, we have a Windows service, built in C#, that makes automatic modifications to Active Directory groups. This process uses the FindAll() method of the System.DirectoryServices.DirectorySearcher class.

It seems that the SearchResultCollection returned by the FindAll method can’t release its unmanaged resources by itself, so you need to call the Dispose() method explicitly.

From MSDN:

Due to implementation restrictions, the SearchResultCollection class cannot release all of its unmanaged resources when it is garbage collected. To prevent a memory leak, you must call the Dispose method when the SearchResultCollection object is no longer needed.
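As an added example (my own code, not the service described in this post), here is the shape I use for such a lookup: the DirectoryEntry, the DirectorySearcher and the SearchResultCollection returned by FindAll() are all wrapped in using blocks so that Dispose() runs even when enumeration throws. The LDAP path and group name are placeholders, and the small RFC 4515 escaping helper is there so that a group name taken from input cannot alter the filter.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not the original service's code: enumerate the members of an
// AD group while making sure both the DirectorySearcher and the
// SearchResultCollection returned by FindAll() are disposed.
public static class GroupMembers
{
    // rootPath is a placeholder, e.g. "LDAP://DC=example,DC=local".
    public static List<string> GetMembers(string rootPath, string groupName)
    {
        List<string> members = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(rootPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // Escape the supplied value before it goes into the filter (RFC 4515)
            searcher.Filter = "(&(objectClass=group)(cn=" + EscapeFilterValue(groupName) + "))";
            searcher.PropertiesToLoad.Add("member");

            // FindAll() allocates unmanaged resources; the using block calls Dispose()
            // on the collection whether or not the loop below completes.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    foreach (object distinguishedName in result.Properties["member"])
                        members.Add(distinguishedName.ToString());
                }
            }
        }
        return members;
    }

    // RFC 4515 escaping of the characters that have meaning inside a filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Placeholder values; replace with your own domain and group
        foreach (string member in GetMembers("LDAP://DC=example,DC=local", "Translators"))
            Console.WriteLine(member);
    }
}
```

A long-running service that calls FindAll() in a loop is exactly where the leak described above hurts, because the unmanaged handles accumulate across runs instead of being freed at process exit.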

 

Wednesday, May 21, 2008 2:54:00 PM (Eastern Standard Time, UTC-05:00)
.NET
 Tuesday, May 06, 2008

This code example sets the permission to create files and update them in a folder for a particular user but doesn’t propagate these permissions to the subfolders.

 

using System.Security.AccessControl;

string folder = @"C:\Data\Shared";   // folder to secure (placeholder path)

System.IO.DirectoryInfo folderInfo = new System.IO.DirectoryInfo(folder);
DirectorySecurity folderSecurity = folderInfo.GetAccessControl();

// ObjectInherit: files created in the folder inherit the rule; subfolders do not
FileSystemAccessRule rule =
      new FileSystemAccessRule(
      "Domain\\username",
      FileSystemRights.ReadAndExecute |
        FileSystemRights.AppendData |
        FileSystemRights.CreateFiles |
        FileSystemRights.Write,
      InheritanceFlags.ObjectInherit,
      PropagationFlags.None,
      AccessControlType.Allow);

folderSecurity.AddAccessRule(rule);
folderInfo.SetAccessControl(folderSecurity);
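Setting an ACE is only half the job; the other half is reading the ACL back to confirm that the rule landed with the rights and inheritance flags you intended. The following is an added example (my own, not part of the snippet above) that lists the explicit rules on a folder and checks for a specific Allow rule; the folder path and account are placeholders.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not part of the original snippet: read back the explicit rules on a
// folder so that a rule like the one above can be verified, flags included.
public static class FolderAclAudit
{
    // True when an explicit Allow rule for the given account exists on the folder with
    // exactly the given rights and inheritance flags; inherited rules are ignored.
    public static bool HasExplicitAllowRule(string folder, string account,
        FileSystemRights rights, InheritanceFlags inheritance)
    {
        DirectoryInfo info = new DirectoryInfo(folder);
        DirectorySecurity security = info.GetAccessControl(AccessControlSections.Access);

        // includeExplicit = true, includeInherited = false
        AuthorizationRuleCollection rules = security.GetAccessRules(true, false, typeof(NTAccount));
        foreach (FileSystemAccessRule rule in rules)
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && string.Equals(rule.IdentityReference.Value, account, StringComparison.OrdinalIgnoreCase)
                && rule.FileSystemRights == rights
                && rule.InheritanceFlags == inheritance)
                return true;
        }
        return false;
    }

    // Prints every explicit rule, which is the quickest way to see what actually landed on disk.
    public static void PrintExplicitRules(string folder)
    {
        DirectorySecurity security = new DirectoryInfo(folder).GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount)))
        {
            Console.WriteLine("{0} {1} {2} (inheritance: {3}, propagation: {4})",
                rule.AccessControlType, rule.IdentityReference.Value, rule.FileSystemRights,
                rule.InheritanceFlags, rule.PropagationFlags);
        }
    }

    public static void Main()
    {
        string folder = @"C:\Data\Shared";      // placeholder path
        string account = "Domain\\username";    // placeholder account, as in the snippet above
        FileSystemRights rights = FileSystemRights.ReadAndExecute | FileSystemRights.AppendData
            | FileSystemRights.CreateFiles | FileSystemRights.Write;

        PrintExplicitRules(folder);
        Console.WriteLine(HasExplicitAllowRule(folder, account, rights, InheritanceFlags.ObjectInherit)
            ? "rule present: files inherit it, subfolders do not"
            : "rule missing or different");
    }
}
```

Note that FileSystemRights.Write already contains CreateFiles and AppendData, so the combined value read back from the ACL is the same numeric mask as the one written; comparing the enum values directly is therefore reliable.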

Tuesday, May 06, 2008 5:52:15 PM (Eastern Standard Time, UTC-05:00)
.NET | C# | Code Snippet
 Wednesday, December 19, 2007

Jeff Atwood recently posted on the topic of sorting strings in a more natural order than the default string sorting gives us. His main point is that, when we’re dealing with numbers, a simple alphabetic sort doesn’t cut it.

So, just for fun, here’s my little C# 2.0 implementation of a more human-friendly sorter.

 

using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public class FriendlySorter<T> : IComparer<T>
{
    public int Compare(T x, T y)
    {
        if (x == null || y == null) return 0;
        if (x.ToString() == y.ToString()) return 0;

        // Split into alternating text and digit chunks; the capture group keeps the digits
        string[] left = Regex.Split(x.ToString(), "([0-9]+)");
        string[] right = Regex.Split(y.ToString(), "([0-9]+)");

        int index = 0;

        while (true)
        {
            // Skip identical chunks without running past the end of either array
            while (index < left.Length && index < right.Length && left[index] == right[index]) index++;

            if (left.Length == index && right.Length == index) return 0;
            if (left.Length <= index) return -1;
            if (right.Length <= index) return 1;

            // Compare numerically when both chunks are numbers; TryParse avoids throwing
            // an exception for every text chunk, and CompareTo avoids integer overflow
            long leftNumber, rightNumber;
            if (long.TryParse(left[index], out leftNumber) && long.TryParse(right[index], out rightNumber))
            {
                int numericResult = leftNumber.CompareTo(rightNumber);
                if (numericResult != 0) return numericResult;
            }
            else
            {
                int compareResult = String.Compare(left[index], right[index]);
                if (compareResult != 0) return compareResult;
            }

            index++;
        }
    }
}

 

The following code:

using System.Collections.Generic;

List<string> list = new List<string>();

list.Add("Track 1 : abc");
list.Add("Track 2 : abc");
list.Add("Track 10 : abc");
list.Add("Track 5 : abc");
list.Add("Track 11 : abc");
list.Add("Track 22 : abc");
list.Add("Track 9 : abc");

list.Sort(new FriendlySorter<string>());

 

Will produce the results:

[Screenshot of the sorted list: Track 1 : abc, Track 2 : abc, Track 5 : abc, Track 9 : abc, Track 10 : abc, Track 11 : abc, Track 22 : abc]

For small sets the performance is OK. But when dealing with a larger amount of data (1000+ items), the sorting performance drops a lot (it currently takes me 5 seconds to sort 1000 random elements). I will probably try to enhance it in the future and update this post.

Happy holidays !

Wednesday, December 19, 2007 6:42:12 PM (Eastern Standard Time, UTC-05:00)
.NET | C# | Code Snippet
 Wednesday, October 03, 2007

It’s simply amazing! Scott Guthrie announced today that the .NET framework source code is going to be released later this year.  He says it will be released at the same time that Visual Studio 2008 and the 3.5 Framework are going to be released.  This means that you will be able to drill down inside the framework when debugging your applications in Visual Studio 2008.

This is a bold move on Microsoft’s part by any standards. I think the motivation behind this release is two-fold:

1. This seems to be part of a larger company-wide policy to show developers that Microsoft genuinely cares about them.

2. They also need to go with the flow. More and more, tools like Lutz Roeder’s .NET Reflector (a utility and Visual Studio plugin to decompile and visualize .NET assemblies) are becoming popular, and the Framework is, for all intents and purposes, already open and ripped apart. I look at framework classes myself using this tool from time to time.

All that being said, this is really great news and I can’t wait to play with this and see the internals of the framework “in action”.

Click here to view the full article from Scott.

If you don’t know who Scott Guthrie is: well, he’s the team leader for:

  • IIS
  • ASP.NET
  • The AJAX Toolkit
  • The CLR
  • The Compact Framework
  • Windows Forms
  • Commerce Server
  • Visual Web Developer 2005
  • Visual Studio Tools for WPF

In other words, if you love your job as a programmer using Microsoft’s technologies, it’s because of this guy.

Wednesday, October 03, 2007 2:37:44 PM (Eastern Standard Time, UTC-05:00)
General | .NET | News

About the author/Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2014, Stanislas Biron