Tag Archives: security
Posted in: Programming by Steve on September 29, 2010
Getting constant feedback on the health of your system is always a great thing. In Rails, you can install a gem called autotest that runs your tests as you change your application and lets you know if you have broken anything.
All you have to do is start a terminal window, and type “autotest”. That’s it! You get instant feedback on your tests!
Posted in: Programming by Steve on September 28, 2010
Scott Guthrie announced on his blog that a fix from Microsoft will be available for download sometime today, and that the fix will be available through Windows Update in the coming week(s).
Please make sure to update your servers.
Update (3:00 PM)
Scott Guthrie has a post on all the fixes: http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx
Posted in: Home by Steve on September 22, 2010
A house near us was broken into last week. It was during the middle of the day and they took a lot of the valuables from the house. My wife and I are now on the lookout to make sure that we always have our house locked up and that we’re watching for shady people in our neighborhood.
I saw this comic from Ctrl-Alt-Del and LOL’d
Posted in: Programming by Steve on September 19, 2010
In my previous post, ASP.NET Vulnerability, I wrote about an issue in ASP.NET that would allow someone to get information from your 500 errors. Microsoft has a workaround for this issue. They recommend changing your web.config so that public servers do not show the “Yellow Screen of Death” and instead display a friendly message to end users. To do this, change the <customErrors> section of your web.config to look like this:
.NET 3.5 SP1 and later
<location allowOverride="false">
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
  </system.web>
</location>
Earlier than .NET 3.5 SP1
<location allowOverride="false">
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</location>
Additionally, either create a static error.html page in a location accessible to the end user or an ErrorPage.aspx as defined in the bulletin from Microsoft.
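As an added example (not from the original post or from Microsoft's bulletin), here is a small Python check that a web.config carries the workaround settings shown above. The function name `audit_custom_errors`, the `net35sp1_or_later` flag and both sample configs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration (not taken from a real server).
SAMPLE_HARDENED = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>"""

SAMPLE_WEAK = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""


def audit_custom_errors(config_xml, net35sp1_or_later=True):
    """Return a list of findings; an empty list means the workaround is set."""
    root = ET.fromstring(config_xml)
    # Matches <customErrors> directly under <system.web>, inside or outside <location>.
    sections = root.findall(".//system.web/customErrors")
    if not sections:
        return ["no <customErrors> element found under <system.web>"]
    findings = []
    for section in sections:
        mode = section.get("mode")
        if mode != "On":
            findings.append(f"mode is {mode!r}, expected 'On'")
        if not section.get("defaultRedirect"):
            findings.append("defaultRedirect is missing, no friendly error page is configured")
        # redirectMode is only part of the workaround on .NET 3.5 SP1 and later.
        if net35sp1_or_later and section.get("redirectMode") != "ResponseRewrite":
            findings.append("redirectMode is not 'ResponseRewrite'")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        result = audit_custom_errors(xml_text)
        print(name, "->", result or "workaround in place")
```

Pass `net35sp1_or_later=False` when auditing a server older than .NET 3.5 SP1, where the workaround has no `redirectMode` attribute.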
Posted in: General by Steve on September 14, 2010
Looks like there’s an AES encryption bug in ASP.NET applications that use Forms Authentication, Membership or Role Providers.
Details will be available on Friday, but this is very disconcerting because even if the person who found this wanted to, he/she would not be able to fix it. Microsoft has to issue a patch and then test it, then release it (maybe).