Post New Web Links

Corrupt URL bypasses ASP.NET 2.0 customErrors settings

Posted By: Posted Date: September 13, 2010 Points: 0 Category :.NET Framework

A recent security scan of our website has identified a vulnerability which appears to be an issue with ASP.NET itself. By passing a seemingly innocuous yet malicious url the user will bypass the customError settings in the web.config and instead of getting a friendly error page, will see the "Server Error in '/' Application." error page. The underlying exception is: [HttpException (0x80004005): xxx is not a valid virtual path.] System.Web.VirtualPath.Create(String virtualPath, VirtualPathOptions options) +8855707 This is easily reproduced by creating a simple website project with a Default.aspx page, Error.aspx page and customErrors on pointing to the error.aspx page. Variations of the folllowing url will cause the undesired behavior. http://localhost/Default.aspx/%2fDefault.aspx%3ffree_text%3d This occurs on .NET 2.0, and 3.5, but run on .NET 4.0 it handles it as a 404 error. It appears that the bug has been fixed in 4.0, but I'm running 3.5. Has anyone seen this issue or have a solution? Just for curiousity it tried the same url on the following sites which exhibit the same bug. http://www.myspace.com/Default.aspx/%2fDefault.aspx%3ffree_text%3d https://www.discountasp.net/Default.aspx/%2fDefault.aspx%3ffree_text%3d

View Complete Post

More Related Resource Links

Convert English to Arabic number without changing any regional settings in .net

Well, most applications that I worked with was multilingual that supports English UI and Arabic UI.

And one of the major issue that we have faced is displaying Arabic numbers without the need of changing the regional settings of the PC.

So the code below will help you to display Arabic number without changing any regional settings.

validateRequest appears to be kicking in in MVC RC1 despite settings

After upgrading a project to the RC a System.Web.HttpRequestValidationException is thrown when posting a value containing HTML from a TextArea. I have checked that validateRequest=false in Views/web.config, and have set this in the application's root web.config. I have also created a fresh MVC project, created a simple view & controller and posted a simple html paragraph element with the same result. Call stack provided. [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (html="

hello world

").] System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8718538 System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111 System.Web.HttpRequest.get_Form() +129 System.Web.HttpRequestWrapper.get_Form() +11 System.Web.Mvc.ValueProviderDictionary.PopulateDictionary() +113 System.Web.Mvc.ValueProviderDictionary..ctor(ControllerContext controllerContext) +74 System.Web.Mvc.ControllerBase.get_ValueProvider() +31 System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +53 System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +109 System.W

Web Deployment with IIS settings of remote server

Im trying to deploy a web application project (VS 2010) via team build (TFS 2010), i got to use IIS settings of development server for deployment. So from the project properties I configured the web projects to use Custom web server, (enabled radio button), once i do this the Option in the tab Package/Publish Web "Include all IIS Settings as configured in IIS manager" gets disabled and as a result the deployed web project does not have this IIS settings.

What am I missing here, Im not using the option "Use local IIS Web Server" because the build happens in a build server and would try to take local IIS settings for packaging which is not present.

If this is not possible, suggest me any workaround. Any help on this is greatly appreciated.

User Preferences: Manage User Settings in Your .NET App with a Custom Preferences API

There are plenty of options out there for managing user preferences including custom configuration files, the Windows registry, and the isolated storage. But each option has its pros and cons -- and a bad choice can make life difficult. In this article, the author evaluates various options and identifies the characteristics of a good preferences API. Based on those characteristics, he introduces an API that is specifically designed for preferences management, one that offers the best of all the options.

Ray Djajadinata

MSDN Magazine July 2004

C++ Q&A: Color Support, Console Apps, and Saving User Settings

Paul DiLascia

MSDN Magazine February 2004

Protect It: Safeguard Database Connection Strings and Other Sensitive Settings in Your Code

Protecting application secrets, such as database connection strings and passwords, requires careful consideration of a number of pertinent factors such as how sensitive the data is, who could gain access to it, how to balance security, performance, and maintainability, and so forth. This article explains the fundamentals of data protection and compares a variety of techniques that can be used to protect application settings. The author discusses what to avoid, such as hiding keys in source code and the use of Local Security Authority. In addition, he presents some effective solutions such as the Data Protection API.

Alek Davis

MSDN Magazine November 2003

Web Q&A: Detecting Security Settings, Printing from the WebBrowser Control, Hiding the Print Button,

Robert Hess

MSDN Magazine March 2001

Page layout list not displaying in page settings

I have 4 different custom page layouts in my publishing site at the site collection level. I have one site named "Services" in site collection. When i create page, i select one page layout from above 4. But when i go to the page settings of that page to change the page layout of it, i can see only one page layout which this page based on.

Problem is why all the page layouts not listing there? I checked "Page layout and site templates" settings from look and feel of Site Settings, this r set to "Pages in this site can use any layout".

Please help..!

Thanks in advance.

Regards

Sandip Patil

Sharepoint Developer

worldofsharepoint.com

Apply custom.master to "Site Settings" page?

I'm using a custom.master page, which is applied to almost all pages available to READ users.

However, I'd like to apply it to the Search, Site Settings, and View All Site Content pages.

I'm not sure where this would be applied.

Guidance much appreciated. Thanks!

If you have SharePoint Document Versioning Enabled, do you also use the retention settings?

I am looking for stats on how many environments are out there using document versioning in there libraries but are perhaps not selecting the retention settings. (e.g. "Optionally limit the number of versions to retain" section) This as we all know in SharePoint is a major cause of database growth.

Tony Parker, MSCE . MCTP. MCITP "Anything worth doing, is worth doing right"


Categories:

ASP.Net	Windows Application	.NET Framework	C#	VB.Net	ADO.Net
Sql Server	SharePoint	Silverlight	Others	All