The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘ASP.NET’ Category

Great session on how to prevent SQL Injection Myths and Fallacies

Posted by jpluimers on 2012/08/15

A few weeks ago, Bill Karwin gave a must-watch webinar on preventing SQL injection, titled “SQL Injection Myths and Fallacies”.

Bill Karwin (twitter, new blog, old blog, Amazon) is well known for his work in the SQL database community, including InterBase/Firebird, MySQL, Oracle and many more.

He also:

Anyway, his webinar is awesome. Be sure to get the slides, watch the replay, and read the questions follow-up.

Watching it, you’ll get a better understanding of defending against SQL injection.

A few very valuable points he made:


.NET/C#: reading/writing Excel workbooks and worksheets

Posted by jpluimers on 2012/06/06

Basically there are many ways to read/write Excel workbooks and worksheets:

  1. Use the open source EPPlus .NET assembly (which is based on ExcelPackage)
  2. Use the open source ExcelLibrary which seems to be derived from PHP ExcelWriter
  3. Use OleDB to read/write Excel with either the JET (Office <= 2003) or ACE (Office >= 2007) drivers
  4. Use COM/OleAutomation/Interop/VSTO

The latter is used by many, many people, and has two big drawbacks:

  • it requires Excel to be installed
  • it is painfully slow

The others can run server side as they do not require Excel to be installed. They are also much faster.

I’ve used OleDB, and it is sort of OK, but hard work.

EPPlus is much faster and more versatile, and seems to be the most active open source project.

–jeroen


More vulnerabilities solved than just the ASP.NET hash collision DoS: Microsoft Security Bulletin MS11-100 – Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)

Posted by jpluimers on 2011/12/29

In addition to the ASP.NET hash collision Denial of Service attack, Microsoft patches 3 more vulnerabilities, resulting in an aggregate severity rating of Critical.

This is a summary of the vulnerabilities. Please read the full MS11-100 bulletin for more details and how to download and install the patches.

Severity Rating | Maximum Security Impact | Vulnerability                                               | CVE ID
Important       | Denial of Service       | Collisions in HashTable May Cause DoS Vulnerability         | CVE-2011-3414
N/A or Moderate | N/A or Spoofing         | Insecure Redirect in .NET Form Authentication Vulnerability | CVE-2011-3415
Critical        | Elevation of Privilege  | ASP.Net Forms Authentication Bypass Vulnerability           | CVE-2011-3416
Important       | Elevation of Privilege  | ASP.NET Forms Authentication Ticket Caching Vulnerability   | CVE-2011-3417

CVE-2011-3415 is N/A for .NET 1.1 and Moderate for all other .NET versions.

–jeroen

via Microsoft Security Bulletin MS11-100 – Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420).


Many more web platforms vulnerable to the hash collision attack (not only ASP.NET) #28C3 @hashDoS #hashDoS @ccc

Posted by jpluimers on 2011/12/29

When writing my Patch your ASP.NET servers ASAP post early this morning, I didn’t have time to research the full extent of the vulnerabilities published at 28C3 (slides, mp4), though a small bell was ringing, telling me I had seen something like it before, earlier this century.

I was right: this posting on perlmonks directed me to a Slashdot (/.) posting from 2003, which pointed me to the research paper on low-bandwidth attacks based on hash collisions (pdf version) that I had seen before. Perl 5.8.1 fixed it in September 2003 (search for “hash” in that link).

The attack can be used for DoS because inserting n elements with well-distributed keys into a hash table runs in O(n), but inserting n carefully crafted elements whose keys all collide makes the same insert run in O(n^2).

Carefully crafting such a worst case depends on how well you can predict collisions in the underlying hash table implementation, which – apparently – is not too difficult, and the request needed to trigger it requires little bandwidth.

Many platforms and languages are vulnerable (already archived at the Wayback Machine), including those based on Java, Tomcat, .NET, Ruby, PHP and more, to a greater or lesser extent. I have the impression that the list only includes big names, but presume platforms based on smaller names (ASP, Delphi, Objective C) are equally vulnerable.

Just read the articles at CERT 903934, oCERT 2011-003, Ars Technica, Cryptanalysis.eu, Heise (German), Hackillusion and the research paper published at 28C3.

A few quotes:

“This attack is mostly independent of the underlying Web application and just relies on a common fact of how Web application servers typically work,” the team wrote, noting that such attacks would force Web application servers “to use 99% of CPU for several minutes to hours for a single HTTP request.”

“Prior to going public, Klink and Wälde contacted vendors and developer groups such as PHP, Oracle, Python, Ruby, Google, and Microsoft. The researchers noted that the Ruby security team and Tomcat have already released fixes, and that “Oracle has decided there is nothing that needs to be fixed within Java itself, but will release an updated version of Glassfish in a future CPU (critical patch update).”

“The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request”

“We show that PHP 5, Java, ASP.NET as well as v8 are fully vulnerable to this issue and PHP 4, Python and Ruby are partially vulnerable, depending on version or whether the server running the code is a 32 bit or 64 bit machine.”

Microsoft seems to have been notified pretty late in the cycle, I presume because the researchers started with a few platforms and only later realized the breadth of platforms involved.

The ultimate solution is to patch or fix the platforms, for instance by using a randomized hash function (a.k.a. universal hashing), so that an attacker cannot predict which keys collide.

Microsoft will provide a patch for ASP.NET later today, Ruby has already patched, and other vendors will soon or already have (please comment if you know of other platforms and patches).

The links this morning indicated there were no known attacks. That is (maybe was) true for ASP.NET, but for PHP a public proof of concept of such a DoS has been published by Krzysztof Kotowicz (blog), with sources at github and a demo html page.

Temporary workarounds (based on some of the links in this and the prior blog post, and the workarounds mentioned here and here):

  1. If you can: replace hash tables by more applicable data structures
    (I know this falls in the for-if anti-pattern category, but lots of people still use a hammer when a different tool works much better)
  2. Limit the request size
  3. Limit the maximum number of entries in the hash table
  4. Limit form requests to only the sites/servers/etc. that need them
  5. Limit the CPU time that a request can use
  6. Filter out requests with a large number of form entries

Some platforms have already applied temporary workarounds: I know that Tomcat (default maximum of 10000 parameters) and PHP (default max_input_vars = 1000) did, and it looks like the ASP.NET fix will do so too.

Other platforms (like JRuby 1.6.5.1, CRuby 1.8.7 (comments) and Perl 5.8.1 in September 2003) fixed it the proper way.

Note: workarounds are temporary measures that will also deny legitimate requests. The only solution is to apply a fix or patch.
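As an added example (not code from the original post, nor from any of the vendors named in it), the following Python shows both layers the post describes: a linear-time request guard in the spirit of workarounds 2, 3 and 6 (limit the body size and the number of form entries before anything is parsed), and a chained hash table whose bucket index comes from a keyed hash with a per-process random seed, the randomized hash / universal hashing fix. The limits and the sample request bodies are constructed for the demo.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

# Constructed limits for the demo; the field cap mirrors the PHP max_input_vars
# default of 1000 mentioned above.
MAX_BODY_BYTES = 64 * 1024
MAX_FORM_FIELDS = 1000


def check_form_request(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                       max_fields: int = MAX_FORM_FIELDS) -> Tuple[bool, str]:
    """Linear-time guard run before the body is parsed into any hash table."""
    if len(body) > max_bytes:
        return False, "body of %d bytes exceeds %d" % (len(body), max_bytes)
    # Each '&' separates one key=value pair; counting separators inserts nothing.
    fields = body.count(b"&") + 1 if body else 0
    if fields > max_fields:
        return False, "%d form fields exceed %d" % (fields, max_fields)
    return True, "ok"


def parse_form(body: bytes) -> Dict[str, str]:
    """Parse only after the guard accepted the request; ValueError otherwise."""
    ok, reason = check_form_request(body)
    if not ok:
        raise ValueError(reason)
    text = body.decode("ascii", errors="replace")
    return dict(parse_qsl(text, keep_blank_values=True))


class SeededHashTable:
    """Chained hash table whose bucket index comes from a keyed BLAKE2b hash.

    The 16-byte seed is drawn from os.urandom at construction (the randomized
    hash / universal hashing fix), so a set of keys that collides in one
    process lands in different buckets in another and cannot be precomputed.
    """

    def __init__(self, buckets: int = 64, seed: Optional[bytes] = None):
        self.seed = seed if seed is not None else os.urandom(16)
        self.buckets: List[List[Tuple[str, str]]] = [[] for _ in range(buckets)]

    def bucket_index(self, key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=self.seed, digest_size=8).digest()
        return int.from_bytes(digest, "big") % len(self.buckets)

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.bucket_index(key)]
        for i, (k, _) in enumerate(chain):  # this scan is the O(chain length) cost
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key: str) -> Optional[str]:
        for k, v in self.buckets[self.bucket_index(key)]:
            if k == key:
                return v
        return None

    def longest_chain(self) -> int:
        """The worst-case lookup cost; stays small when keys are spread out."""
        return max(len(chain) for chain in self.buckets)


def bucket_layout_differs(keys: List[str]) -> bool:
    """True when two differently seeded tables place at least one key elsewhere."""
    a = SeededHashTable(seed=b"A" * 16)
    b = SeededHashTable(seed=b"B" * 16)
    return any(a.bucket_index(k) != b.bucket_index(k) for k in keys)


# Constructed sample request bodies: a normal search post and a flood of fields.
SMALL_POST = b"q=laptop&page=2&sort=price"
FLOOD_POST = b"&".join(b"k%d=v" % i for i in range(5000))
```

The guard rejects the flood before a single key is inserted, and bucket_layout_differs shows why a key set prepared against one seed does not carry over to another; like the workarounds above, the guard still denies legitimate posts with more fields than the cap.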

A major lesson learned today for a few people around me: when vendors start publishing “out of band” updates, do not trust a single third-party assessment that is still marked “initial investigation”, but be diligent and do some further research.

–jeroen

PS: Just found out that most Azure users won’t need to manually apply a fix: just make sure your Hosted Service OS servicing policy is set to “Auto”.


Patch your ASP.NET servers ASAP: ASP.NET Security Update Shipping Thursday, Dec 29th – ScottGu’s Blog

Posted by jpluimers on 2011/12/29

Quotes:

The security update we are releasing resolves a publicly disclosed Denial of Service issue present in all versions of ASP.NET. We’re currently unaware of any attacks on ASP.NET customers using this exploit, but we strongly encourage customers to deploy the update as soon as possible.

Attacks such as these are not specific to any particular language or operating system. Presenters at the security conference discussed how to cause them using standard HTTP form posts against several different web frameworks (including ASP.NET). Because these attacks on web frameworks can create Denial of Service issues with relatively few HTTP requests, there is a high likelihood of attacks happening using this approach. We strongly encourage customers to deploy the update as soon as possible.

The security update we are releasing on Thursday, December 29th updates ASP.NET so that attackers can no longer perform these attacks. The security update does not require any code or application changes.

During the 28th Chaos Communication Congress (28C3) in Germany, on December 28, 2011, a security vulnerability was shown that can potentially DoS many types of web servers (including ASP.NET) with a carefully crafted 100 kilobyte plain HTTP form POST request.

Information on the ASP.NET vulnerability was published by Microsoft on December 27, 2011.

ASP.NET on all supported .NET versions (1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5 SP1, 4.0) on all supported Windows versions (XP, Server 2003 and R2, Vista, 7, Server 2008 and R2) is affected.

Since the vulnerability is very severe, Microsoft will publish an out-of-band fix today (December 29, 2011) at around 10 AM Pacific time (in winter, that is 1800 UTC) on Windows Update, Windows Server Update and the Microsoft Download Center, followed 3 hours later by a webcast at 1 PM Pacific time (2100 UTC).

More about 28C3 in German.

–jeroen

via: ASP.NET Security Update Shipping Thursday, Dec 29th – ScottGu’s Blog.


How to Get Paths and URL fragments from the HttpRequest object

Posted by jpluimers on 2011/05/12

There are many ASP.NET HttpRequest properties.

Sadly, the MSDN documentation does not have many examples telling you which property maps to which portion of the URL.

So it usually is a big fight to extract the portions you need.

Luckily, Steve Lautenschlager has the How Do I Get Paths and URL fragments from the HttpRequest object? article online.
The article has a table with the properties and portions of the URL that end up in those properties.

Really neat, as it saves a lot of time.

–jeroen


Martin Kulov’s Blog: Any CPU vs. x86 vs. x64

Posted by jpluimers on 2011/05/11

Thanks to Martin Kulov’s Blog: Any CPU vs. x86 vs. x64, I got a reference to a great article explaining this in more detail.

The obvious points are 1, 2 and 3, but it is 4 to 7 that make the article really worth reading.

–jeroen

PS: a few more relevant links

http://stackoverflow.com/questions/247098/x64-net-compilation-process-explorer-oddity

http://stackoverflow.com/questions/311158/why-doesnt-the-corflags-utility-warn-when-marking-x64-assemblies-as-x86


DealExtreme uses ASP.NET

Posted by jpluimers on 2011/05/03

It is always fun to see error messages on websites; they reveal a lot about the technology they use.

For instance, DealExtreme – a very popular site to order electronics and gadgets from the Far East – uses ASP.NET.

They have verbose error messages enabled, which even include a warning to turn them off on production sites, as per this comment in the page source:

This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.

This is the full text. It indicates they use .NET 2.0 and SQL Server with connection pooling (which is a good thing), the BLToolkit extensions, callbacks, a separation of business logic and data abstraction (BLL, DAL/DAO) probably using Spring.net, and data binding by calling BindData() instead of DataBind().

Server Error in ‘/’ Application.


A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server)

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server)

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)]
   System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) +578
   System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) +88
   System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) +6265031
   System.Data.SqlClient.SqlConnection.Open() +258
   BLToolkit.Data.DbManager.ExecuteOperation(OperationType operationType, Action operation) +64
[DataException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)]
   BLToolkit.Data.DbManager.OnOperationException(OperationType op, DataException ex) +176
   BLToolkit.Data.DbManager.ExecuteOperation(OperationType operationType, Action operation) +135
   BLToolkit.Data.DbManager.OpenConnection() +91
   BLToolkit.Data.DbManager.get_Connection() +42
   BLToolkit.Data.DbManager.OnInitCommand(IDbCommand command) +31
   BLToolkit.Data.DbManager.get_SelectCommand() +28
   BLToolkit.Data.DbManager.GetCommand(CommandAction commandAction, CommandType commandType, String sql) +18
   BLToolkit.Data.DbManager.PrepareCommand(CommandAction commandAction, CommandType commandType, String commandText, IDbDataParameter[] commandParameters) +91
   BLToolkit.Data.DbManager.SetCommand(CommandAction commandAction, CommandType commandType, String commandText, IDbDataParameter[] commandParameters) +51
   BLToolkit.Data.DbManager.SetCommand(String commandText, IDbDataParameter[] commandParameters) +25
   DealExtreme.Mall.Common.DAL.DAO.BLToolkitExtension.CategoryAccessor.GetAll() +168
   DealExtreme.Mall.Common.BLL.CategoryBL.CategoryLogic.GetAllCategory() +53
   DealExtreme.Mall.Common.Caching.ProductCaching.CategoryCache.GetAllCategories() +9
   DealExtreme.Mall.Common.Caching.ProductCaching.BLToolkitExtension.CategoryCache.GetAllCategories() +433
   DealExtreme.Mall.Search.BLL.SearchLogic.GetSearchedCategory(String request) +255
   DealExtreme.Mall.Search.Web.Search.BindData() +416
   DealExtreme.Mall.Search.Web.Search.Page_Load(Object sender, EventArgs e) +16
   System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +25
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +42
   System.Web.UI.Control.OnLoad(EventArgs e) +132
   System.Web.UI.Control.LoadRecursive() +66
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428


[SqlException]: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
at System.Data.SqlClient.SqlConnection.Open()
at BLToolkit.Data.DbManager.ExecuteOperation(OperationType operationType, Action operation)
[DataException]: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
at BLToolkit.Data.DbManager.OnOperationException(OperationType op, DataException ex)
at BLToolkit.Data.DbManager.ExecuteOperation(OperationType operationType, Action operation)
at BLToolkit.Data.DbManager.OpenConnection()
at BLToolkit.Data.DbManager.get_Connection()
at BLToolkit.Data.DbManager.OnInitCommand(IDbCommand command)
at BLToolkit.Data.DbManager.get_SelectCommand()
at BLToolkit.Data.DbManager.GetCommand(CommandAction commandAction, CommandType commandType, String sql)
at BLToolkit.Data.DbManager.PrepareCommand(CommandAction commandAction, CommandType commandType, String commandText, IDbDataParameter[] commandParameters)
at BLToolkit.Data.DbManager.SetCommand(CommandAction commandAction, CommandType commandType, String commandText, IDbDataParameter[] commandParameters)
at BLToolkit.Data.DbManager.SetCommand(String commandText, IDbDataParameter[] commandParameters)
at DealExtreme.Mall.Common.DAL.DAO.BLToolkitExtension.CategoryAccessor.GetAll()
at DealExtreme.Mall.Common.BLL.CategoryBL.CategoryLogic.GetAllCategory()
at DealExtreme.Mall.Common.Caching.ProductCaching.CategoryCache.GetAllCategories()
at DealExtreme.Mall.Common.Caching.ProductCaching.BLToolkitExtension.CategoryCache.GetAllCategories()
at DealExtreme.Mall.Search.BLL.SearchLogic.GetSearchedCategory(String request)
at DealExtreme.Mall.Search.Web.Search.BindData()
at DealExtreme.Mall.Search.Web.Search.Page_Load(Object sender, EventArgs e)
at System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e)
at System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
[HttpUnhandledException]: Exception of type 'System.Web.HttpUnhandledException' was thrown.
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.search_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Version Information: Microsoft .NET Framework Version:2.0.50727.4952; ASP.NET Version:2.0.50727.4955
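As an added example (not from the original post, and not DealExtreme’s actual configuration), here is a small Python audit of an ASP.NET web.config that flags the two settings behind an error page like the one above: customErrors mode="Off" and compilation debug="true". Both web.config samples are constructed; the element and attribute names are the real ASP.NET ones, and the defaults the script assumes (RemoteOnly when customErrors is absent, debug off when the attribute is absent) are ASP.NET’s documented defaults.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample: the weak configuration implied by the error page above.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the hardened form the quoted page-source comment asks for.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""


def _child(parent: ET.Element, tag: str) -> Optional[ET.Element]:
    """Direct child lookup by exact tag (avoids ElementPath parsing of 'system.web')."""
    return next((c for c in parent if c.tag == tag), None)


def audit_web_config(xml_text: str) -> List[str]:
    """Return findings for settings that leak internals; empty list means clean."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section found"]

    custom_errors = _child(system_web, "customErrors")
    if custom_errors is None:
        # ASP.NET defaults a missing customErrors element to RemoteOnly; note it
        # so the setting is made explicit rather than relied on implicitly.
        findings.append("customErrors absent (defaults to RemoteOnly); set it explicitly")
    else:
        mode = custom_errors.get("mode", "RemoteOnly")
        if mode.lower() == "off":
            findings.append('customErrors mode="Off": stack traces, source paths and '
                            "framework versions are shown to remote clients")
        elif not custom_errors.get("defaultRedirect"):
            findings.append("customErrors has no defaultRedirect; remote clients still get "
                            "the generic ASP.NET error page, which names the framework")

    compilation = _child(system_web, "compilation")
    if compilation is not None and compilation.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true": debug builds and richer error '
                        "output served from a production site")
    return findings
```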


Visual Studio 2010: some entries in the Error List are not Errors, Warnings or Messages, but are still indicating a problem

Posted by jpluimers on 2011/04/06

The message below in my Error List is not an error: it has a red exclamation mark, which falls outside the categories Error (red bullet with white cross), Warning (yellow triangle with black exclamation mark) and Message (white bullet with blue lowercase i).

But it is still indicating that something was wrong:

1 Failed to copy project output to file C:\tfs.root\MyServiceApplication\ClientBin\MySilverlight.Client.Test.xap. Access to the path ‘C:\tfs.root\MyServiceApplication\ClientBin\MySilverlight.Client.Test.xap’ is denied. 0 0 MyServices

What it indicates is that the .xap file is readonly, and cannot be overwritten.

The reason is that during check-in to TFS, by accident all the .XAP files were added (by default, .XAP files are not on the binary exclusion list); I found the answer in this thread.

At the end of the build process, the above message disappeared, but the .XAP file was not replaced, so the project output was not up-to-date.

Ergo: the build should have failed.

The solution was simple:

  1. Remove the .XAP files from TFS
  2. Delete the read-only .XAP files from disk
  3. Rebuild

Now Visual Studio 2010 can regenerate the .XAP files and your project output is correct again.

NB: .XAP files can be in two places, be sure to check both:

  1. The bin\debug or bin\release folder of a SilverLight project
  2. The ClientBin folder of an ASP.NET web project

–jeroen



telerik/razor-converter: Tool for converting WebForms Views to Razor (C# Only) – GitHub

Posted by jpluimers on 2011/02/16

Does this finally end the ASP.NET WebForms days?

Tool for converting WebForms Views to Razor (C# Only)

–jeroen

via: telerik/razor-converter – GitHub.
