October 2004 - Posts

Monad timetable

Paul Thurrott writes at http://www.winnetmag.com/Article/ArticleID/44294/Windows_44294.html that Monad will be available on Longhorn Server. I hope that Monad will ship much, much earlier as a "go-live" Beta2/3 with Whidbey and Yukon.

favorite classes in .NET 2.0

Reject a user/web request with the following classes:

IPAddressRestriction
IPDomainRestriction
IPRestriction
IPRestrictionCollection
IPSecurity

To insert lots of stuff fast into SQL Server, use (using some funnel pattern):

SqlBulkCopy
SqlBulkCopyColumnMapping
SqlBulkCopyColumnMappingCollection

 

Myth debunking: SQL Server vs MySQL security 2003-2004 (SQL Server has fewer bugs!!)

MS SQL Server (or MSDE) vs MySQL

It seems that yet again an MS product has fewer bugs than the corresponding LAMP product (here are unscientific reports for ASP.NET vs PHP and IIS6 vs Apache).

Product  Year  Count
MSSQL    2003  12
MySQL    2003  12 + 1 multiple (2003-10-30:  MySQL Multiple Vulnerabilities)
MSSQL    2004  3
MySQL    2004  8

I am sure everybody will (yet again) get into splitting hairs as to which is more or less secure, depending on lines of code, number of installations, Service Packs vs latest build, etc.

This is the list:

  2004-10-07:  MySQL MaxDB WebDBM Server Name Denial of Service Vulnerability
  2004-09-30:  MySQL Unspecified Insecure Temporary File Creation Vulnerability
  2004-09-27:  MySQL Bounded Parameter Statement Execution Remote Buffer Overflow Vulnerability
  2004-09-07:  MySQL Mysqlhotcopy Script Insecure Temporary File Creation Vulnerability
  2004-07-08:  MySQL Authentication Bypass Vulnerability
  2004-07-05:  MySQL Password Length Remote Buffer Overflow Vulnerability
  2004-05-25:  MySQL MYSQLD_Multi Insecure Temporary File Creation Vulnerability
  2004-05-25:  MySQL Aborted Bug Report Insecure Temporary File Creation Vulnerability
  2003-11-24:  MySQL Password Handler Buffer Overflow Vulnerability
  2003-10-30:  MySQL Multiple Vulnerabilities
  2003-09-18:  MySQL mysqld Privilege Escalation Vulnerability
  2003-09-18:  MySQL Double Free Heap Corruption Vulnerability
  2003-07-22:  MySQL AB ODBC Driver Plain Text Password Vulnerability
  2003-06-12:  MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
  2003-05-12:  MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
  2003-05-12:  MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability
  2003-05-12:  MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability
  2003-05-12:  MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability
  2003-05-12:  MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
  2003-05-05:  MySQL Weak Password Encryption Vulnerability
  2003-03-07:  MySQL Control Center Insecure Default File Permission Vulnerability


  2004-08-24:  Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability
  2004-04-14:  Microsoft Remote Procedure Call Service DoS Vulnerability
  2004-04-07:  Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability
  2003-07-25:  Microsoft SQL Server / MSDE Named Pipes Privilege Escalation Vulnerability
  2003-07-25:  Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability
  2003-07-25:  Microsoft SQL Server / MSDE Named Pipe Denial Of Service Vulnerability
  2003-07-25:  Microsoft SQL Server / MSDE Multiple Vulnerabilities
  2003-07-15:  Microsoft SQL Server JET Database Engine 4.0 Buffer Overrun Vulnerability
  2003-06-16:  Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability
  2003-06-04:  Microsoft SQL MS Jet Engine Unicode Buffer Overflow Vulnerability
  2003-02-01:  Microsoft SQL Server 7.0/2000 DBCC Buffer Overflow Vulnerability
  2003-02-01:  Microsoft SQL Agent Jobs Privilege Elevation Vulnerability
  2003-02-01:  Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability
  2003-01-27:  Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability
  2003-01-25:  Microsoft SQL Server 2000 Bulk Insert Procedure Buffer Overflow Vulnerability

(Figures provided by http://www.securityfocus.com/bid/vendor/)

Download manager in C# with BITS (Background Intelligent Transfer Service)

Download Manager in C#

I've used the wrapper of the Background Intelligent Transfer Service (BITS) from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/WinXP_BITS.asp, the technology behind Automatic Windows Updates, and modified the given sample WinForms app slightly to allow adding new items to download.

It is very simple, but to work, you need to download and install the .MSI from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/WinXP_BITS.asp and add Microsoft.Msdn.Samples.BITS.dll as a reference in VS.

You can find the code at http://www.xpertdotnet.com/code/Form1.cs.txt

Some links about BITS (Background Intelligent Transfer Service)

http://www.kbcafe.com/iBLOGthere4iM/?guid=20040904223316
http://weblogs.asp.net/sbchatterjee/archive/2003/06/12/8585.aspx
http://dotnetjunkies.com/WebLog/demiliani/archive/2004/08/26/23309.aspx
http://weblogs.asp.net/mikehall/archive/2004/07/11/180144.aspx
http://pensieve.thinkingms.com/CommentView,guid,3cbfe252-63b5-47da-a27a-74de0d79a6a7.aspx

export datagrid to excel

This code can be run outside of a page, or can be converted to run in an extended DataGrid control.

Imports System.Drawing
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

Namespace demetz


    Public Class DemExportGridExcel

        Sub RenderGridToExcelFormat(ByVal grid As DataGrid, ByVal saveAsFile As String)
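            ' Check the Excel row limit: data rows plus the header row must stay below 65536.
            If grid.Items.Count + 1 < 65536 Then
                HttpContext.Current.Response.Clear()
                HttpContext.Current.Response.ContentType = "application/vnd.ms-excel"
                ' saveAsFile is written into a response header as-is: pass a server-chosen name, not raw request input.
                HttpContext.Current.Response.AddHeader("content-disposition", "attachment;filename=" & saveAsFile & ".xls")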
                ' Remove the charset from the Content-Type header.
                HttpContext.Current.Response.Charset = ""
                'HttpContext.Current.Response.WriteFile("style.txt")
                ' Turn off the view state.
                grid.EnableViewState = False
                Dim tw As New System.IO.StringWriter()
                Dim hw As New System.Web.UI.HtmlTextWriter(tw)
                ' Get the HTML for the control.
                grid.HeaderStyle.ForeColor = Color.Black
                grid.HeaderStyle.BackColor = Color.Red
                grid.ItemStyle.ForeColor = Color.Black
                grid.BorderColor = Color.White
                ClearControls(grid)
                grid.RenderControl(hw)
                ' Write the HTML back to the browser.
                HttpContext.Current.Response.Write(tw.ToString())
                ' End the response.
                HttpContext.Current.Response.End()
            Else
               
                HttpContext.Current.Response.Write("Too many rows - Export to Excel not possible")
            End If
        End Sub

        Sub ClearControls(ByVal control As Control)
            Dim i As Integer
            For i = control.Controls.Count - 1 To 0 Step -1
                ClearControls(control.Controls(i))
            Next i

            If TypeOf control Is System.Web.UI.WebControls.Image Then
                control.Parent.Controls.Remove(control)
            End If

            If (Not TypeOf control Is TableCell) Then
                If Not (control.GetType().GetProperty("SelectedItem") Is Nothing) Then
                    Dim literal As New LiteralControl()
                    control.Parent.Controls.Add(literal)
                    Try
                        literal.Text = CStr(control.GetType().GetProperty("SelectedItem").GetValue(control, Nothing))
                    Catch
                    End Try
                    control.Parent.Controls.Remove(control)
                Else
                    If Not (control.GetType().GetProperty("Text") Is Nothing) Then
                        Dim literal As New LiteralControl()
                        control.Parent.Controls.Add(literal)
                        literal.Text = CStr(control.GetType().GetProperty("Text").GetValue(control, Nothing))
                        control.Parent.Controls.Remove(control)
                    End If
                End If
            End If
            Return
        End Sub 'ClearControls

    End Class

End Namespace
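
Two inputs in the export routine above reach the client unfiltered: saveAsFile is concatenated into the content-disposition header, and control text is copied into HTML that Excel will open. The hardening helpers below are an added example, not part of the original post; the names ExportHardening, SafeExportFileName and NeutralizeCellText are hypothetical.

```vbnet
Imports System
Imports System.Text
Imports System.Web

Namespace demetz

    ' Added example (hypothetical names): input hardening for the export above.
    Public Module ExportHardening

        Private Const AllowedChars As String = _
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"

        ' Reduce a requested file name to an ASCII allow-list so CR/LF, quotes,
        ' ";" and path separators can never reach the content-disposition header.
        Public Function SafeExportFileName(ByVal requested As String) As String
            Dim sb As New StringBuilder()
            If Not requested Is Nothing Then
                For Each ch As Char In requested
                    If AllowedChars.IndexOf(ch) >= 0 Then sb.Append(ch)
                    If sb.Length >= 64 Then Exit For
                Next
            End If
            ' Fall back to a fixed name when nothing usable is left.
            If sb.Length = 0 Then sb.Append("export")
            Return sb.ToString()
        End Function

        ' Prepare control text for a cell: a value that starts with a formula
        ' character (=, +, -, @) gets a leading apostrophe so it no longer begins
        ' with one, then the text is HTML-encoded so it cannot add markup.
        ' Note: negative numbers such as "-5" are prefixed as well.
        Public Function NeutralizeCellText(ByVal value As String) As String
            If value Is Nothing Then Return String.Empty
            Dim trimmed As String = value.TrimStart()
            If trimmed.Length > 0 AndAlso "=+-@".IndexOf(trimmed.Chars(0)) >= 0 Then
                value = "'" & value
            End If
            Return HttpUtility.HtmlEncode(value)
        End Function

    End Module

End Namespace
```

In RenderGridToExcelFormat, pass SafeExportFileName(saveAsFile) to AddHeader; in ClearControls, assign NeutralizeCellText(...) to literal.Text instead of the raw CStr(...) value.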