
On this page...

Important Security Fix for ScrewTurn
nGallery TNG Update
nGallery Updated For ASP.NET 2.0
Xlinq Guestbook for VS 2008 RTM
XSS Detect Beta Code Analysis Tool
How ASP.NET began in Java
Really Simple Guestbook - With XLinq
Code Conversion and Code Formatting News
What's New in IIS7 Beta 3?
UpdateControls: UpdateHistory and AnimatedUpdatePanel
MVP Visual Developer - ASP/ASP.NET Again 2007
Spam in ASP.NET Viewstate?
MSDN Nuggets
AJAX Frameworks for ASP.NET Comparison
Talk Resources: ASP.NET Build Provider
Talk Resources: WF & ASP.NET
ASP.NET & Windows Workflow Foundation vNext
ASP.NET Atlas March CTP
Professional ASP.NET 2.0 Security, Membership, and Role Management
ImageCache, Take One
MVP 2006
32 Bit and 64 Bit on IIS
Google PageRank as a .NET Assembly
Next Week: ADC 2005 - Advanced Developers Conference
Fun with ASP.NET 2.0 Compilation
Issue Identified: Crashing Visual Studio 2005 for Fun
Code Converter for .NET 2.0 - Online, as well as Offline
Convert C# 2.0 Code to VB.NET 8.0
Crashing Visual Studio 2005 for fun
ASP.NET 2.0 Hosting Deployment Guide
Web applications and SMTP proxies don't mix well (it seems)
Web Deployment Projects
Telligent acquires Dozing Dogs CMS
Built to scale
Windows Server Codename Longhorn, Visual Studio 2005 Team System Beta 2, LINQ & Atlas
Debugging Web Applications using Web Development Helper
PDC05: Day Three, WE-SYP
PDC05: Atlas
PDC05: Day One in Review
ASP.NET 2.0 Security Practices at a Glance
Browse with... in Visual Studio 2005
Setting the port for the Visual Web Developer Web Server
Watch the ASP.NET 2.0 Presentations from TechEd 2005
Using Custom Attributes in the @Page Directive
Provider Toolkit
Localization and the ASP.NET 2.0 Profile
Membership Everywhere
Writing a Subversion-backed VirtualPathProvider for ASP.NET 2.0
Callbacks in ASP.NET 2.0
Adding auditing capabilities to SqlMembershipProvider
WEB428 @ TechEd Europe 2005
Using ASP.NET 2.0 authentication with a Classic ASP site
Community Bootcamp 2005 Fully Booked
Ajax.NET Library now on SourceForge
http://beta.asp.net Launch
Beta 2 Code Updates for "Introduction to ASP.NET 2.0"
Ultimately cool: ASP.NET Development Helper
Training CD: Microsoft ASP.NET Using Visual C# .NET
February CTP now available
Scott Guthrie - Talking ASP.NET and IIS 7.0, Part II
Web Services Enhancements (WSE) 2.0 SP3
Scott Guthrie - Talking ASP.NET and IIS 7.0
HttpOnly Cookies with ASP.NET 2.0
The AutoCompleteType Property
ASP.NET 2.0 Training
CodeHTMLer
Currently downloading: Exploring ASP.NET 2.0 Using Visual C# 2005
Conference Preparation
Microsoft ASP.NET v1.1 Member Management Component Prototype
HOL: WSE 2.0 Security
Web Services Enhancements (WSE) 2.0 SP2 for Microsoft .NET
Pluralsight Tools
ASP.NET 2.0 product design changes between Beta 1 and Beta 2
Making the ValidatePath HTTP Module easier to deploy
Microsoft ASP.NET ValidatePath Module
Security bug in .NET Forms Authentication
OWASP .NET Projects
MSDN TV: New Visual Studio Tools Features for Web Developers
Tour of Building 20 with Scott Guthrie
Beta 2 Special Directory Names Changes
Upcoming Changes to ASP.NET 2.0 in Beta 2
Book: Introducing Microsoft ASP.NET 2.0
Script Callbacks in ASP.NET
Validation Groups
ASP.NET 2.0 Quickstarts
 

 Friday, February 08, 2008

Yesterday, we found ourselves at the receiving end of an attack against one of our German Wikis that are running the ScrewTurn Wiki software. Turns out that it was a security issue even with the then latest version 2.0.23. Dario Solera - the maintainer of ScrewTurn - acted real fast when I informed him about the root cause of the attack and released v2.0.24 yesterday night.

Please download and upgrade immediately! The issue is being actively exploited (zero day if you so will).

Categories: ASP.NET | Security | this | Use the source Luke
Friday, February 08, 2008 7:54:08 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, December 13, 2007

This is a bugfix release for the previously posted port of nGallery to ASP.NET 3.5. The following changes are incorporated:

  • Bugfix: slideshow had "photos/" hardcoded in nGalleryLib (for navigation buttons)
  • Bugfix: Event log exceptions, please see Get GoogleBot to crash your .NET 2.0 site (plus ASP.NET 2 + url rewriting considered harmful in some cases). Nicolas Sorel was nice enough to provide me with his .browser definition files.
  • Bugfix: default_highlight_image.jpg no longer resided in /photos and therefore caused an exception for galleries that had no highlighted image; moved it back to \photos
  • Change: AlbumHandler no longer implements IHttpHandler
  • Change: AssemblyInfo.cs changed version to 2.0 to differentiate from original 1.6.1

That's all the changes that happened, here are the source and deployment files:

nGalleryTNG2_ProjectFiles.zip (2.95 MB)
nGalleryTNG2_WebFiles.zip (1.03 MB)

Categories: .NET | ASP.NET | Use the source Luke
Thursday, December 13, 2007 11:42:52 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [4]

 



 Friday, November 30, 2007

I have posted an updated version

Given my plans to rather sooner than later upgrade my server to IIS7, I am currently switching all applications to ASP.NET 2.0 in preparation of this move. But there was nGallery, which I used all over the place when I needed a photo gallery...

Today I decided it was about time to do something about it, and gave converting nGallery to .NET 2.0 a try (actually all the projects target .NET Framework 3.5). Turns out it took me roundabout two hours for this whole endeavour. To save everybody else time, here is my VS2008 solution tree:

nGalleryTNG.zip (2.92 MB)

What is changed compared to the original nGallery 1.6.1 for ASP.NET 1.1? Here is a somewhat complete laundry list:

  • Converted it to a Web Application project
  • Placed all third party source code in the ThirdParty folder. That way I can always change and recompile if necessary.
  • Took all static images from the \photos directories and put them into \images. No more mixing the photo handler & photo cache with the Web site's images.
  • The album handler is now being abused in Application_BeginRequest, plus it now uses RewritePath. Fixes the darn Server.Transfer errors.
  • Moved the configuration of nGallery from the data folder to App_Data. Other than that: no configuration changes.

I did not switch to ASP.NET 2.0 master pages, it still uses the old user control approach. But after all, I only needed it in a working fashion for 2.0+.

Note: I only tested the XML-based storage because that's how I use nGallery. The SQL-storage has received no testing whatsoever!

Download Web site files only: nGalleryTNG_WebSite.zip (924.39 KB)

Categories: 2 Ohhhh | 3.5 | ASP.NET | Use the source Luke
Friday, November 30, 2007 3:07:36 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [11]

 

I posted a version of the Really Simple Guestbook - With XLinq for Orcas Beta 2 earlier on this blog. Today, I updated this small application for VS2008 RTM. The following changes are incorporated:

  • It is now a Web project, no longer file system based
  • It includes AIP for form spam protection (aka captcha)

I decided to not include the Microsoft Anti-Cross Site Scripting Library V1.5, that is up to the reader if additional security is required (note: you'd have to add this to AddEntry.aspx's logic of inserting new guestbook entries).

Download: XlinqGuestbook.zip (165.53 KB), License: BSD

Categories: .NET | 3.5 | ASP.NET
Friday, November 30, 2007 9:55:46 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Friday, November 02, 2007

XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths. Download

Categories: .NET | ASP.NET | Security | Visual Studio
Friday, November 02, 2007 12:51:21 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



 Tuesday, October 30, 2007

Article at The Register: How ASP.NET began in Java. Reminds me of the "C# is COOL" t-shirt I have...

Categories: .NET | ASP.NET
Tuesday, October 30, 2007 5:12:41 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Monday, October 15, 2007

Been on holidays, at conferences (e.g. last week Ask The Experts @ XTOPIA in Berlin), and worked on various projects - a couple of reasons it was rather quiet lately in this blog.

Yesterday I decided I needed a simple guestbook application for a to-be-developed private Web site, and because I didn't find anything that fit my needs I decided to write one myself with the goal of (ab)using XLinq in the course of this endeavour:

Guestbook_XLINQ.zip (7.09 KB)

Caveat emptor: I am no designer (surprise!). But thanks to no design it should be easy for you to add your own design. However, as this month's MSDN magazine is all about security, I decided to make the application production-ready security-wise. You'll find a lot of parsing plus XSRF protection (note: this version does not check for integer overflow in calculating the start row).

Missing features: this guestbook is not prepared for localization, nor does it use a control-based approach (where you drop those in your pages and get an in-place guestbook).

Update: A version of this application for VS2008 RTM is available here.

Categories: 3.5 | ASP.NET | Security | Use the source Luke
Monday, October 15, 2007 8:56:36 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, May 24, 2007

I have been doing some sprucing up of SharpDevelop's Web offerings today - namely the code converter. Up until today, you could only convert syntactically valid classes. Recently, Daniel implemented the SnippetParser class, which is now in use for the snippet converter (C# to VB.NET, VB.NET to C#). Note: the Web service for code conversion does support both class and snippet conversion, a Windows client sample is available for the former.

Also new (just completed a few minutes ago) is the code formatter: it uses the highlighting engine from SharpDevelop's text editor to HTML-ize a bunch of formats: ASP/XHTML, BAT, Boo, Coco, C++.NET, C#, HTML, Java, JavaScript, Patch, PHP, TeX, VBNET, XML. Again, there is a Web service available, as well as a sample using the service. This offering is built upon the HtmlSyntaxColorizer sample that can be found in SharpDevelop revisions > 2522 (currently only on the build server)

I am sure that both the snippet converter as well as the code formatter are welcome additions. Spread the word! After all, it's free.

Thursday, May 24, 2007 9:06:07 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, April 26, 2007

Bill Staples put together a post on what's new in IIS7 Beta 3. He also talks about the all-new IIS7 FTP server (which I knew about for a long time - I had hoped Beta 3 would be available for my MSDN Briefing in Vienna last month, but no such luck). Also, he mentions the GoLive! license for IIS7.

Categories: .NET | ASP.NET | IIS | Longhorn
Thursday, April 26, 2007 11:20:02 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, February 06, 2007

Nikhil has updated his controls for ASP.NET AJAX 1.0. Download here

Quote from his blog (so you know why you should go and download them):

  • UpdateHistory: This is a non-visual control that allows you to add history entries to the browser's navigation stack selectively for some post-backs, and not for some others. This helps fix the back button to make it work, and allows you to implement Ajax patterns such as "logical navigation" and unique URLs.
  • StyledUpdatePanel: A simple derived UpdatePanel that adds CSS class semantics. A simple addition, but a useful feature, nevertheless, that didn't make the feature cut.
  • AnimatedUpdatePanel: Another derived UpdatePanel that displays new content using a variety of animations or effects: slides, wipes, cross-fades as well as a visual highlight. This allows you to implement the "visual notification" Ajax patterns such as the one second spotlight and one second mutation.

Categories: ASP.NET | Cool Download
Tuesday, February 06, 2007 12:59:52 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, January 03, 2007

I have been re-awarded MVP for Visual Developer ASP/ASP.NET.

Categories: ASP.NET | Community | this
Wednesday, January 03, 2007 10:37:47 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [2]

 



 Wednesday, November 22, 2006

I admit it: I am a regular reader of the event log. In doing so, I came across an error message last week that I rarely get to see - invalid Viewstate:

Now, that wouldn't be a problem, usually at least. However, in this special case I went WTF? when I looked at the description more closely, especially at the PersistedState information:

PersistedState: a
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Mailer: EMUmail 4.5
Subject: jam n
bcc: <list of addresse removed by me />
comes from the loin in the middle of the back of the pig. t is a lean meaty 
cut of bacon, with relatively less fat compared to other cuts. iddle bacon
is much like back bacon
 
 
 
daa6c5071189f202ceb370d0e9d38c33
.

Come again - spam in Viewstate? What would be the point of this? After some research together with Alex I came across this article: Interesting Crack Attempt to Relay Spam (a more detailed article is available too: Form Post Hijacking). How did I manage to not take notice of this attack vector any earlier I don't know, but I have to admit that the idea is pretty clever.

Counter-measures in general? Well, either don't allow user input in the headers at all, or vet the form fields for carriage return / line feeds. Note that I did not verify if any of the available mail components for .NET would be actually susceptible to this kind of attack.
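
The carriage return / line feed check mentioned above, as an added C# example (not code from this blog or from any mail component; `MailHeaderGuard`, the field names and the sample values are constructed for illustration):

```csharp
using System;
using System.Collections.Generic;

// Added example: vet form fields before they are placed into mail headers.
// MailHeaderGuard and all sample values below are constructed.
public static class MailHeaderGuard
{
    // Characters that can end a header line. The Unicode line separators
    // are rejected as well, as a conservative choice.
    private static readonly char[] LineBreaks =
        { '\r', '\n', '\u0085', '\u2028', '\u2029' };

    public static bool IsSafeHeaderValue(string value)
    {
        if (value == null) return false;
        if (value.IndexOfAny(LineBreaks) >= 0) return false;
        foreach (char c in value)
        {
            // No other control characters either; a tab is tolerated.
            if (char.IsControl(c) && c != '\t') return false;
        }
        return true;
    }

    // Returns the names of the fields that must not reach a mail header.
    public static List<string> FindUnsafeFields(IDictionary<string, string> headerFields)
    {
        var rejected = new List<string>();
        foreach (KeyValuePair<string, string> field in headerFields)
        {
            if (!IsSafeHeaderValue(field.Value)) rejected.Add(field.Key);
        }
        return rejected;
    }

    public static void Main()
    {
        // Constructed form post, modelled on the shape of the logged value:
        // a short token followed by injected header lines.
        var form = new Dictionary<string, string>
        {
            { "subject", "Question about the gallery" },
            { "from", "a\r\nContent-Type: text/plain\r\nbcc: someone@example.invalid" },
            { "name", "Visitor\u2028bcc: someone@example.invalid" }
        };

        foreach (string field in FindUnsafeFields(form))
        {
            Console.WriteLine("rejected field: " + field);
        }
    }
}
```

Run the check on every value that ends up in a header (subject, from, reply-to, recipient name) and reject the whole request rather than stripping the line breaks, so the attempt also shows up in your logs.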

Categories: ASP.NET | Security
Wednesday, November 22, 2006 9:47:35 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, November 08, 2006

From the nuggets page: Don't have the time to read a 10-page how-to article or watch a full length webcast? Try an MSDN Nugget, a webcast that takes you step-by-step to discovering new functionality or exploring a hot developer topic, all in 10-15 minutes. If you haven't seen this yet, check it out!

Categories: .NET | ASP.NET | BCL | Training and Conferences
Wednesday, November 08, 2006 3:04:26 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, June 21, 2006

Today, Daniel held a talk comparing AJAX frameworks for ASP.NET. He limited the scope to indirect frameworks, which means: those AJAX frameworks extend ASP.NET, and you don't necessarily need to know much about AJAX. On his Web site, you will find a comparison of AJAX frameworks for ASP.NET (direct as well as indirect).

Wednesday, June 21, 2006 1:42:50 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, June 20, 2006

As promised, here is the list of links / articles / samples that I used for preparing my talk "Build Provider in ASP.NET 2.0":

Hope you will find those useful.

Categories: 2 Ohhhh | ASP.NET | this | Training and Conferences
Tuesday, June 20, 2006 12:14:32 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Monday, June 19, 2006

Half an hour ago, I completed my talk "Windows Workflow Foundation & ASP.NET 2.0". As promised, here is the list of links to sites / documents that I used to prepare this talk & accompanying samples.

Also, see my last post on ASP.NET PageFlow CTP. This was the last part on "future technologies".

Update: A photo from my talk on Monday (debugging a workflow in ASP.NET):

Monday, June 19, 2006 10:39:07 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



 Tuesday, June 13, 2006

Yesterday night, I watched a WebCast from TechEd Boston - "An Overview of ASP.NET and Windows Workflow Foundation". What this innocuous title hid was the fact that Kashif Alam (PM in the Developer Division) was presenting vNext features for ASP.NET workflow integration: Page flow (PageFlow) as well as UI flow (UIFlow), plus the accompanying extensibility model.

What do those two separate approaches provide? Well, you get MVC (model-view-controller) support for same-page (UIFlow) as well as cross-page (PageFlow) scenarios. Pretty neat was the included "Choosing the right solution" slide to get an idea what's in store:

Task <asp:wizard...> PageFlow UIFlow
Single page x x
Multiple pages x
State when close browser x x
Integrate with Enterprise WF x x
Client support x x
Built-in navigation UI x
Extensibility to other controllers x x

As developers, we will get our hands on this later this year in the form of the "ASP.NET PageFlow CTP" (at least that's the current name), and it will be deployed with Orcas.

Categories: .NET | ASP.NET | Tri 0 | Workflow Foundation
Tuesday, June 13, 2006 7:28:38 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Monday, March 20, 2006

It has landed, you can download the Atlas March CTP here. More information on Atlas itself can be found on the official Atlas site.

Categories: ASP.NET | Cool Download
Monday, March 20, 2006 6:18:11 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Sunday, February 19, 2006

On my flight to Seattle today (or yesterday, depending on the time zone) I started to read Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow. The book definitely is a must-have for every ASP.NET developer, even if you decide to read one chapter only: A Matter of Trust (#3). This one will save you loads of time when you have to deploy an application into non-full trust environments. However, the other chapters are worthwhile too, like #2 which details exactly which identity is used when by what part of the engine. Bottom line: highly recommended reading.

Categories: .NET | 2 Ohhhh | ASP.NET | Books | Security
Sunday, February 19, 2006 9:21:00 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, January 18, 2006

Yesterday, I picked up on an old code piece of mine - sending images to the client via an HttpHandler. Why in the world would you implement that with a handler when there is http.sys kernel mode caching? Well, I had a few unique constraints:

  • the images had to live outside the Web root and any of its vroots
  • the image names had to be concealed because the naming would give away information, and renaming the images prior to publishing on the Web was out of the question

Now, a common approach to sending images from a certain directory (leaving requirement #2 by the wayside for the moment) would be this:

image.aspx?image=iamthebest.jpg

So what is wrong with this approach? First and foremost using an ASP.NET page. The page lifecycle is a drain on performance and throughput, because you simply don't need it. That sorts out why I chose to go with an HTTP handler.

Secondly, somebody could DoS your server. You heard me right. For the background, check the article Trap Alert: Files that aren't. A .NET version (managed C++) of this checker can be found in this download (the article Dateityp-Ermittlung in Managed C++ is only available in German).

How do you get around this issue? Well, how about reading the directory up front, and instead of having the filename in the URL, send the hash! When the image is requested, take the hash and look up the corresponding file, presto. In addition you get one security feature for free: no directory traversals can be hidden in your code.
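
The lookup described above, sketched in C# as an added example (this is not the ImageCache source; `HashedFileMap`, its members and the use of a keyed HMAC-SHA256 instead of a plain hash are assumptions of the example). The keyed hash keeps a visitor from confirming guessed file names by hashing them offline, which matters for the requirement that the names stay concealed.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the ImageCache source: HashedFileMap and its members are
// hypothetical names; the keyed hash (HMAC-SHA256) is an assumption of this sketch.
public sealed class HashedFileMap
{
    private readonly Dictionary<string, string> tokenToPath = new Dictionary<string, string>(StringComparer.Ordinal);
    private readonly Dictionary<string, string> nameToToken = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Reads the directory once, up front. The per-process random key keeps
    // tokens from being recomputed offline from guessed file names.
    public HashedFileMap(string directory)
    {
        byte[] key = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        using (HMACSHA256 hmac = new HMACSHA256(key))
        {
            foreach (string path in Directory.GetFiles(directory))
            {
                string name = Path.GetFileName(path);
                byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(name));
                string token = BitConverter.ToString(mac).Replace("-", "");
                tokenToPath[token] = path;
                nameToToken[name] = token;
            }
        }
    }

    // Used when rendering the page: file name -> token for the URL.
    public string GetToken(string fileName)
    {
        string token;
        return nameToToken.TryGetValue(fileName, out token) ? token : null;
    }

    // Used by the handler: the request value is only a dictionary key and
    // never reaches a file system API, so "..\" sequences have no effect.
    public string Resolve(string requestedToken)
    {
        string path;
        if (requestedToken == null) return null;
        return tokenToPath.TryGetValue(requestedToken, out path) ? path : null;
    }

    public static void Main()
    {
        // Constructed sample directory so the example runs offline.
        string dir = Path.Combine(Path.GetTempPath(), "imgmap-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        File.WriteAllText(Path.Combine(dir, "026.jpg"), "not a real image");
        HashedFileMap map = new HashedFileMap(dir);
        string token = map.GetToken("026.jpg");
        Console.WriteLine("Image.ashx?image=" + token);
        Console.WriteLine("valid token     -> " + (map.Resolve(token) != null));
        Console.WriteLine("traversal value -> " + (map.Resolve(@"..\..\web.config") != null));
        Console.WriteLine("raw file name   -> " + (map.Resolve("026.jpg") != null));
        Directory.Delete(dir, true);
    }
}
```

Because the key is generated per process, the tokens change on every application restart; persist the key if image URLs have to stay stable.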

When I uncovered the code yesterday, I decided to rewrite it for more general use. So what do you get?

  • The ImageCacheControls project: it contains the ImageCache class, which does most of the heavy lifting. In addition, you get an ImageCacheControl server control, as well as the implementation of the HTTP handler. (Don't forget to check out the Readme.txt for the latest on feature set and known issues)
  • The Web project: a rather simple Web site with demo files in it. The file I want to direct your attention to is Image.ashx. This is the one file - aside from the control project binaries - that needs to be copied to your projects to get started with ImageCache. Note that I made it easy to work with C# (default) or VB.NET.

Usage of ImageCache is demonstrated in default.aspx.cs plus the source code of default.aspx (design time of the control does not work, known issue).

The code behind looks like this (CreateMapping loads the directory contents, initializes the hash to file name map, stores it into the cache):

using ChrisOnNET.ImageCache;

public partial class _Default : System.Web.UI.Page
{
   protected void Page_Load(object sender, EventArgs e)
   {
      // normally, this would be done in global.asax
      ImageCache.CreateMapping("demo", Server.MapPath("~/TestImages/"));

      // the DIY approach to rendering the image tag
      string testHash = ImageCache.GetHashForFile("026.jpg", "demo");
      Response.Write("<image src=\"Image.ashx?bucket=" +
         "demo" +
         "&image=" +
         Server.UrlEncode(testHash) +</