
The Asp.Net Vulnerability and DotNetBlogEngine.Net

by Jon 20. September 2010 21:34

A FIX HAS NOW BEEN RELEASED BY MICROSOFT, download from here

Looking at ScottGu's post and the DotNetBlogEngine.Net configuration, it looks like DotNetBlogEngine may be one of the web applications that is vulnerable in the out-of-the-box configuration (I'm not 100% sure and I can't find anyone on the dotnetblogengine forums talking about it).  It's still not especially clear, but it looks like we need to take these steps to secure our blogs.  Better safe than sorry, until the underlying problem is fixed?

Replace the customErrors section in Web.config

<customErrors mode="RemoteOnly" defaultRedirect="~/error404.aspx">
   <error statusCode="404" redirect="error404.aspx" />
</customErrors>

With

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/fail.aspx" />

 

Then add a new file called fail.aspx to the root folder:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
   }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>
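
A quick way to confirm a Web.config actually carries the replacement settings shown above. This is an added example, not code from the original post or from BlogEngine.NET: the function name `audit_custom_errors` and the `<configuration>` wrappers around the two snippets are constructed for illustration. It also flags per-status `<error>` children, on the assumption that the point of the replacement is for every error to return the same page.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop an XML namespace prefix such as "{uri}customErrors".
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means the settings match the workaround."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # <location> blocks can hold their own <system.web>, so check every one.
    sections = [ce for sw in root.iter() if _local(sw.tag) == "system.web"
                for ce in sw if _local(ce.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> element under <system.web>"]
    for ce in sections:
        if ce.get("mode") != "On":
            findings.append("mode=%r, expected 'On'" % ce.get("mode"))
        if ce.get("redirectMode") != "ResponseRewrite":
            findings.append("redirectMode=%r, expected 'ResponseRewrite'"
                            % ce.get("redirectMode"))
        if not ce.get("defaultRedirect"):
            findings.append("defaultRedirect is not set")
        for err in ce:
            if _local(err.tag) == "error":  # assumption: one page for all errors
                findings.append("statusCode %s has its own page %r"
                                % (err.get("statusCode"), err.get("redirect")))
    return findings


# Constructed wrappers around the two customErrors snippets from the post.
BEFORE = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/error404.aspx">
    <error statusCode="404" redirect="error404.aspx" />
  </customErrors>
</system.web></configuration>"""

AFTER = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/fail.aspx" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_custom_errors(xml) or "OK")
```
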

For more information on the problem and details of the fix, please look at Scott's post.


Guathon 2010, London

by Jon 15. August 2010 01:57

Guathon is about to start

Four people chatting before the guathon starts...


It is Saturday evening and I have almost recovered from my Scott Guthrie induced migraine

by Jon 27. March 2010 23:39

Scott Guthrie

I think I have almost recovered and I can finally put some of the stuff I saw and learnt down on screen.  I have had my migraine since around 2pm yesterday; painkillers couldn’t hold it back.  It’s hardly a surprise, as it was initiated by Scott Guthrie filling my brain with too much dotnet goodness. Who is this Scott Guthrie bloke anyway, how did this all happen, and why don't I mind that much?

Scott is a software developer, he wears a red polo shirt, but more importantly he co-wrote (yes, wrote!) asp.net!  He was a founding member of .net itself and his official title is ‘Corporate vice president of Microsoft's .NET Developer Platform’.  If you want to hear about dot net he is the bloke to listen to.  Scott was in the UK for two days to give two five-hour sessions on three of the projects under his wing:

  • Visual Studio 2010 and asp.net 4
  • Asp.net Model View Controller (MVC)
  • Silverlight and Windows Phone 7 development

I went to the second Guathon which was held in Birmingham City Centre Odeon cinema yesterday.  It was an all day event; Scott did a mammoth five hour talk with only a couple of short breaks for a bite to eat or to grab a bottle of water.

Visual Studio 2010 and Asp.net 4

In the morning session Scott started by going over all the great improvements to Visual Studio. In brief, vs2010 is a big improvement on vs2008: it's faster, it's easier to see your code, you have more customisation, you can run multiple monitors more effectively and there are lots of refactoring features that make writing and changing code much quicker.  In summary it is much better; it is a no-brainer even if you are going to continue to develop in anything from dotnet 2 and above.  Scott deep dived into vs2010 to show these features, and also demoed lots of improvements to dotnet and asp.net and beyond.

Asp.net Model View Controller (MVC)

This was the second time I saw a session on MVC, but this time I got it. Scott explained asp.net MVC really clearly. It's quite a jump from traditional asp.net but I can see the massive improvements it will bring. Although MVC development turns development on its head, you can see how code reuse is much more effective, and when combined with entity framework 2 it will make for a very agile development process.

Silverlight and Windows Phone 7 Development

Another fantastic session. It made developing Silverlight look very simple; there are big improvements in vs2010 to the development environment to support Silverlight developers and make it less daunting. Windows Phone 7 looks like a real iPhone killer, the min specs are a quad core ARM processor combined with a GPU! Windows Phone 7 apps are Silverlight so they are quick and smooth and ready to develop. A Twitter Silverlight app was developed from scratch and deployed to a phone within 5 minutes live on stage, very impressive.

Odeon Cinema in Birmingham filling up with dotnet developers for the Guathon

Head Honcho ScottGu from Microsoft about to start one of his presentations at the Guathon

In summary it was a fantastic event, and amazing considering it was free! A big thanks must go to Phil Winstanley for arranging and organising it.
