March 2004 - Posts

Myth debunking: ASP.NET security -> fewer vulnerabilities than open source PHP (ASP.NET 2 - PHP 27) - since ASP.NET release

ASP.NET vs PHP: ASP.NET is way more secure

From http://www.securityfocus.com/bid/vendor/ (sorry, no direct link to the list below), as of March 31st, 2004

ASP.NET

  2004-03-08:  Multiple Vendor HTTP Response Splitting Vulnerability
  2003-11-14:  Microsoft ASP.NET Request Validation Null Byte Filter Bypass Vulnerability

PHP

  2004-03-24:  PHP openlog() Buffer Overflow Vulnerability
  2003-11-07:  PHP emalloc() Unspecified Integer Overflow Memory Corruption Vulnerability
  2003-11-07:  PHP wordwrap() Heap Corruption Vulnerability
  2003-09-24:  PHP4 Multiple Vulnerabilities
  2003-09-24:  PHP4 Base64_Encode() Integer Overflow Vulnerability
  2003-08-25:  PHP Transparent Session ID Cross Site Scripting Vulnerability
  2003-08-13:  PHP Mail Function ASCII Control Character Header Spoofing Vulnerability
  2003-08-13:  PHP Function CRLF Injection Vulnerability
  2003-08-13:  PHP DLOpen Memory Disclosure Vulnerability
  2003-07-17:  PHP Undefined Safe_Mode_Include_Dir Safemode Bypass Vulnerability
  2003-06-08:  PHP STR_Repeat Boundary Condition Error Vulnerability
  2003-06-08:  PHP array_pad() Integer Overflow Memory Corruption Vulnerability
  2003-06-04:  PHP PHPInfo Cross-Site Scripting Vulnerability
  2003-05-19:  PHP Post File Upload Buffer Overflow Vulnerabilities
  2003-05-07:  PHP SafeMode Arbitrary File Execution Vulnerability
  2003-04-14:  PHP MySQL Safe_Mode Filesystem Circumvention Vulnerability
  2003-03-26:  PHP socket_recvfrom() Signed Integer Memory Corruption Vulnerability
  2003-03-26:  PHP socket_recv() Signed Integer Memory Corruption Vulnerability
  2003-03-25:  PHP socket_iovec_alloc() Integer Overflow Vulnerability
  2003-02-19:  PHP CGI SAPI Code Execution Vulnerability
  2003-01-08:  PHP 4.0.3 IMAP Module Buffer Overflow Vulnerability
  2002-09-07:  PHP Header Function Script Injection Vulnerability
  2002-08-08:  PHP HTTP POST Incorrect MIME Header Parsing Vulnerability
  2002-07-22:  PHP Interpreter Direct Invocation Denial Of Service Vulnerability
  2002-04-25:  PHP posix_getpwnam / posix_getpwuid safe_mode Circumvention Vulnerability
  2002-03-21:  PHP Move_Uploaded_File Open_Basedir Circumvention Vulnerability
  2002-02-08:

Some good ASP.NET posts:

http://weblogs.asp.net/jnadal/archive/2004/03/04/83829.aspx
http://weblogs.asp.net/hernandl
http://weblogs.asp.net/vsdata/archive/2004/03/04/83767.aspx
http://weblogs.asp.net/cnagel/archive/2004/03/09/86878.aspx
http://weblogs.asp.net/jezell/archive/2004/03/15/90045.aspx
http://blogs.patchadvisor.com/bryan/archive/2004/02/01/239.aspx

 

Database scalability - How scalable is MS SQL Server?

Today I got news: a joint venture of my employer will merge its IT operations into ours. What does it mean to me? My largest DB table goes from 100 million to 500 million rows. What can I do to improve MS SQL Server database scalability?

Good things for database scalability:

  • create the right indexes (avoiding autocounters if possible)
  • partition tables' data
  • put old data into a separate table (archive)
  • distribute the DB, TempDB and transaction logs to different filegroups
  • distribute the above across hard drive partitions
  • use nolock, readpast and/or READUNCOMMITTED where possible (nolock and READUNCOMMITTED permit dirty reads; readpast skips locked rows)
  • shift processing of some data to outside business hours

To avoid:

  • triggers
  • cursors
  • PK-FK relations (CHECK constraints are cheaper)

For SQL Server 64-bit database scalability, check out:

http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/01/21/5853.aspx
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/05/16/13724.aspx