ASP.NET Security Alert

by admin 19. September 2010 10:02

Earlier this week, in the lead-up to the ekoparty Security Conference in Argentina, a pair of security researchers announced that they would demonstrate an attack to exploit the way that ASP.NET handles encrypted session cookies.

I first learned of this on Wednesday, when someone posted a question on Stack Overflow. Since then, Microsoft have issued a security alert and Scott Guthrie has put out a blog post giving a full explanation of how this works and how it may affect you. Scott's post includes a link to a script you can run on your servers to identify vulnerable sites. In short, you need to have a <customErrors> section in your Web.Config file and map all errors to a single error page.
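As an added illustration (not Scott's script or any configuration from the advisory), here is what that check is looking for in Web.config: the first fragment maps different errors to different pages, which is the configuration the script flags, and the second sends every error to a single page. The error page names are placeholders.

```xml
<!-- BEFORE: distinct pages per status code let a client tell error types apart.
     This is the configuration that should be replaced. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/GenericError.html">
      <error statusCode="404" redirect="~/NotFound.html" />
      <error statusCode="500" redirect="~/ServerError.html" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER: mode="On" and one defaultRedirect, with no <error> child elements,
     so every error condition produces the same response.
     redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 and later) keeps the
     URL unchanged instead of issuing a redirect; omit it on older versions. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

Run Scott's detection script again after the change; any site that still reports per-status pages or mode="Off" has not picked up the new setting.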

As reported here, the attack is 100% reliable; any ASP.NET website can be "owned" in seconds. The longest it takes is less than 50 minutes. Confirm with your bank that this has been remedied before logging into your account (ASP.NET sites)!

Update to Security Advisory 2416728 (09-20-2010)

FAQ about the ASP.NET Security Vulnerability - Scott Guthrie (09-21-2010)

Update on ASP.NET Vulnerability - Scott Guthrie (09-24-2010)

ASP.NET Security Update Shipping Sept 28th - Scott Guthrie (09-27-2010)

Microsoft Security Bulletin MS10-070 (09-28-2010)

ASP.NET Security Fix Now on Windows Updates - Scott Guthrie (09-30-2010)




N2 CMS

For some time now, I've been searching for a good ASP.NET Web Forms CMS. I had been working on a project with Sitefinity but they recently stopped supporting the free community edition and that took the sheen off it for me. In fairness to Telerik, they offered to provide free support for that project but I also found Sitefinity somewhat over-engineered and producing some pretty messy markup. I looked at Umbraco but its over-reliance on XSLT was a total turn-off. I've been criticized because as a developer I should embrace XSLT as an extra skill; well I do, and I choose not to use it when it's not needed or called for in a given situation.

Web Deployment Tool

The open source N2 CMS on CodePlex has been on my radar for a while now. There are both Web Forms and MVC versions available. I experienced some frustration in getting it up and running and vented my usual rants in the forums - but that's what they're for, right? ;-) I took one look at how the template code was created months ago and realized that was exactly what I was looking for. The documentation is lacking, but this is true of a lot of the projects on CodePlex, which is sad. That said, N2 is going to fill a glaring hole in the ASP.NET CMS market that has existed for a long time. Neither of Microsoft's efforts, MWPSK or Orchard, has gained a lot of traction or support in the community.

Installing Web Deployment Tool using Web Platform Installer

I'm going to outline the basic steps required to create a Web Forms version of the N2 CMS and how to import the downloaded zip file as a package in IIS7. The Web Deployment Tool gives us the ability to package our Web application or Web site as well as an associated database. The simplest approach is to use the Web Platform Installer to install the Web Deployment Tool on your machine. Many thanks to Cristian Libardo for stepping me through this process.

If you haven't done so already, install the Web Platform Installer on your machine. After you run the MSI file, you should be able to see the WPI icon in IIS. Click on the icon and install the Web Deployment Tool. You should now be able to see a new Deploy panel in IIS with links to import and export site packages.

IIS Deploy Panel

Next step is to download the N2 Web Forms Template pack from CodePlex. You can save it anywhere convenient for now. Next, go to your wwwroot folder and create the top level empty folder for your new site. The N2CMS folder in the download will go directly under this top level folder. When you open IIS, you need to right-click on the new folder and select "Convert to Application".

Next, look at the new Deploy panel in IIS, in the Actions column. Click on the "Import Application" link and use the wizard to pull in the zip file containing the downloaded project. If you are using SQL Server, you will need to be operating in mixed authentication mode. Create an account and password for the site's DB and update the config file. I don't usually use a login when developing locally, but the wizard insists on it; you can revert to integrated security afterwards if you wish:

<connectionStrings>
    <remove name="N2CMS"/>
    <add name="N2CMS"
        connectionString="Initial Catalog=CMS;Data Source=MYMACHINE;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>
</connectionStrings>


You should now be able to navigate to the new CMS site in your browser thus:

  http://localhost/mysite


You can use the "Export Server Package" to create a zipped file to deploy to your server. When on the server use the same steps as before for importing the zip file, and don't forget to update your Web.config file with the live DB login details.

Project Structure in VS 2008

N2 CMS

As a developer I need to have the ability to easily customize the different areas of the site using CSS. You can access the CSS for the existing themes in the App_Themes folder and use one of these as the basis for creating your own theme. The related master pages can be located in the Templates/UI/Layouts folder. I am currently working on a new CMS site for our local Farmers Market and plan to use the Stripes theme as a starting point. My first task is to widen the layout to 960px, get rid of the logo and flags and adjust the column width to fit the new layout.

I may come back and post again on the customization steps for N2 :-)

UPDATE 08-22-2010:
SQL Server scripts can be obtained here.





JQuery Menu Project

I'm one of those people who completely reverted to server-side programming when confronted with the cross-browser compatibility minefield in the late nineties. As part of the delusion, I convinced myself that browsers would eventually become fully object-oriented and that somehow justified my inertia. But over the past two years I have been stockpiling the JavaScript textbooks and had even started in on the basics... but let's face it, the JavaScript syntax, although flexible, is not the sexiest of creatures.

I recently introduced a JQuery menu into a website I am working on. Getting it working along with Visual Studio intellisense was a snap. It was only when I looked at the markup and the way that JQuery was interacting with the document elements that I experienced that well known "light goes on" moment.

JQuery uses (for the most part) CSS3 selectors to reference the various document elements and totally abstracts away the browser incompatibilities of old. Wow! Now, I blogged about JQuery before, but my excitement then was mainly based on the VS intellisense available. I did not quite "get it". This library was the brainchild of John Resig and I'm now convinced that lowering the barrier to entry to this extent will bring a lot of creative server-side developers into the RIA arena just when they are needed the most.

To get started, look at some of the basic tutorials and work through them. If you are using VS 2008 (or the Web Express version), then follow Scott Guthrie's steps for getting intellisense working in VS 2008; I installed the KB hotfix he mentions and dropped the vsdocs file into my js folder along with the JQuery library files and had no problems - very easy to do :-)

JQuery Menu


I came across a really slick menu on the Queness website and have adapted it to work with a regular ASP.NET master page. A download link to a working Web Application Project for this is provided below. The only thing I don't like is that the tab graphic has both the hover and non-hover images stacked one over the other in the same image. I would opt to change this by separating them out into separate files and updating the CSS accordingly; examples of these menus are everywhere so you shouldn't have a problem with that. You can have it so that each menu tab will accommodate a text link with a different hover version. The key with this sample is making sure that the selectors in the markup match those referenced in the CSS and in the script.

Notes: JQuery Menu Sample with Master Page

  * 2.0 Web Application Project Template

  * Based on Queness menu but with 1.3.2 version of library and vsdocs added

  * CSS and markup have been tweaked to work with master page

  * Rounded corners have been commented out in markup as they looked pixelated - fixable

  * Change the hover background color for vertical links by altering the script default of #888

Resources

   * Check the original menu along with demo here.

   * Be sure to check out the JQuery UI Website!

   * What every developer should know about JQuery 

   * JQueryMenu.zip (115.39 kb)
