
The Asp.Net Vulnerability and DotNetBlogEngine.Net

by Jon 20. September 2010 21:34

A FIX HAS NOW BEEN RELEASED BY MICROSOFT, download from here

Looking at ScottGu's post and the DotNetBlogEngine.Net configuration, it looks like DotNetBlogEngine may be one of the web applications that is vulnerable in the out-of-the-box configuration (I'm not 100% sure and I can't find anything about it on the dotnetblogengine forums). It's still not especially clear, but it looks like we need to take these steps to secure our blogs. Better safe than sorry, until the underlying problem is fixed?

Replace the customErrors section in Web.Config:

<customErrors mode="RemoteOnly" defaultRedirect="~/error404.aspx">
   <error statusCode="404" redirect="error404.aspx" />
</customErrors>

With

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/fail.aspx" />


Then add a new file called fail.aspx to the root folder:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      // Sleep for a random 0-255 ms so that every error response
      // takes a slightly different time to come back.
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);

      // RNGCryptoServiceProvider only implements IDisposable on newer frameworks.
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
   }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

For more information on the problem and details of the fix, please look at Scott's post.
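As an added check that is not part of this post or of BlogEngine.NET: a small Python script that parses a web.config and reports whether its customErrors section matches the workaround above (one error page, mode always on, served via ResponseRewrite, no per-status pages). The weak and hardened configurations embedded below are constructed samples based on the two snippets in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the out-of-the-box style configuration quoted in the post
# (RemoteOnly mode plus a dedicated 404 page).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error404.aspx">
      <error statusCode="404" redirect="error404.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample: the workaround configuration from the post.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/fail.aspx" />
  </system.web>
</configuration>"""


def check_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the customErrors
    section matches the workaround (same page for every error, always on,
    no redirect that would expose which error occurred)."""
    findings = []
    root = ET.fromstring(web_config_xml)
    ce = root.find(".//customErrors")
    if ce is None:
        return ["no <customErrors> element: ASP.NET error details reach the client"]
    if ce.get("mode") != "On":
        findings.append('mode is %r, expected "On"' % ce.get("mode"))
    if not ce.get("defaultRedirect"):
        findings.append("defaultRedirect is not set")
    if ce.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode is %r, expected "ResponseRewrite"' % ce.get("redirectMode"))
    per_status = [e.get("statusCode") for e in ce.findall("error")]
    if per_status:
        findings.append("per-status <error> pages for %s: every error must go to the same page"
                        % ", ".join(per_status))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_custom_errors(cfg) or "OK")
```

Point it at a real web.config with `check_custom_errors(open("web.config").read())` after applying the change to confirm nothing (such as a leftover 404 entry) was missed.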


asp.net | BlogEngine | scottgu


BlogEngine.Net 1.6.1 now comes with an added captcha

by Jon 1. May 2010 18:53

Thank goodness, the comments on this blog have been covered in SPAM. If you run a BlogEngine.Net blog, upgrade to 1.6.1 as soon as you can; it will save you time deleting the same old comments again and again. The question is how long the captcha will hold the robots back; someone must be writing a robot that will read and enter data into a captcha.


BlogEngine


Nanos gigantium humeris insidentes

by Jon 8. March 2010 10:53

I have got round to getting a website and blog up and running the day after the Oscars, and although I haven't won any awards I still feel the need to thank everyone that has made it possible. I am a developer at heart, and just 5 or 10 years ago I would have been looking to chop the giant down at the waist and develop my own blog software, or develop a web app and use that instead of using someone else's software. Over the years I have come to the conclusion: what is the point? It is better to short-circuit the development cycle, as long as the short circuit is worthy. Software development is all about the customer or consumer and getting something developed as quickly as possible which will exceed the customer's requirements; this is the same for a simple blog. If you can install a piece of software on a server you have saved yourself many hours, which you can then dedicate to getting something else more productive done. Of course I still need to be a dwarf, and the shoulder needs to be a good base: tweakable to exceed all my needs. It's all about getting things done, and that's what this blog is about.

I will be standing on the shoulders of many giants, explaining how I get things done. It would be great to get and keep some readers, but I don't mind if it only ends up being a simple brain dump of what is in my head, and the things I get up to as a dotnet Developer/Manager.


development | General

Powered by BlogEngine.NET 2.0.0.36
Original Design by Laptop Geek, Adapted by onesoft, and finally some tiny tweaks by JonAlb