ScriptResource.axd Vulnerable Script When Testing It With Shadow Security Scanner?
Mar 1, 2011
I performed tests against my web server using Shadow Security Scanner, with the following results:
Web Servers : Vulnerable script
Port : 80
Description: Found vulnerable script on this web site
Risk level :High
Script: http://servername/ScriptResource.axd?d=P4tzN-eCJlchxi30M7K6eGzyH7tdeY4timDGCw0yDS45Ur477KM8CSqJQdqun4VDGbs5xXGPE 7VeqXqRIDyOHxwoopCbgbWmKFLiyKB1Qs5UDJTyZQYe4zURSEshSBwPOm1hORh40237AJZ_EWO2n2-3IwAzTY__px0r6WbIYgWamkVz0&t=/etc/passwd
CVE : GENERIC-MAP-NOMATCH
Is this LINQ statement vulnerable to SQL injection?
var result = from b in context.tests where b.id == inputTextBox.Text select b;
where context is an Entity and tests is a table. I'm trying to learn LINQ and I thought that the benefit of it was that it wasn't vulnerable to SQL injection, but some stuff I've seen has said differently. Would I need to parametrize this LINQ statement to make it safer? If so, how? Also, would this be considered LINQ to SQL or LINQ to Entities?
THE CODE: Session["foo"] = "bar"; Response.Redirect("foo.aspx");
When foo.aspx reads "foo" from the session, it's not there. The session is there, but there's no value for "foo". I've observed this intermittently in our production environment. But I don't mean here to ask a question about Response.Redirect().
Bertrand Le Roy explains (the bolding is mine): Now, what Redirect does is to send a special header to the client so that it asks the server for a different page than the one it was waiting for. Server-side, after sending this header, Redirect ends the response. This is a very violent thing to do. Response.End actually stops the execution of the page wherever it is using a ThreadAbortException. What happens really here is that the session token gets lost in the battle. My takeaway there is that Response.Redirect() can be heavy-handed with ending threads. And that can threaten my session writes if they occur too near that heavy-handedness.
What about ASP.NET session management makes it so vulnerable to this? The Response.Redirect() line of code doesn't begin its execution until the session write line is "finished" -- how can it be such a threat to my session write? What about the session write doesn't "finish" before the next line of code executes? Are there other scenarios in which session writes are similarly (as though they never occurred) lost?
Is there any way, in Visual Studio, to specify credentials to test a web page with rather than having to go through the process of logging in every time? Is there some common technique for testing with different roles and logins? It's just really tedious to constantly have to log in and navigate to a specific page to test.
I'm trying to test the login control without writing any code. According to Murach's book, you can drag and drop the login control onto a Login.aspx form. Use the ASP Configuration Security tool to create users, roles, and access rules for the website. And you should then be prompted for authentication. I created two folders in my website, admin and users. The admin folder has an admin.aspx form and the users folder has a users.aspx form. I also edited the access rules to only allow admin to access the admin.aspx form and only allow user to access the users.aspx form.
Is it possible to have the same DB and web.config for both the local development machine and the final production server (with forms authentication)? I'm asking this because if I change anything in the ASP.NET Configuration screen (should I use this at all?) I lose the ability to log in. I don't know what to put in the <Membership><applicationName>; should it be /myapp-editor or just /? It's different since it runs on two different domains/servers (the final server doesn't have an application dir, just root). How can I make sure that the user created on one server will be usable on the other machine?
In my project I'm using the concept of impersonation to implement "File Upload functionality", i.e. to save the uploaded file to a network share. This network share is accessible to an application id only, so I'm impersonating with that user id when uploading a file. I'm importing "advapi32.dll" and using the LOGONUSERA method of that dll to validate the user and get the token for that user id, and then impersonating using the token returned. This approach is working fine in the development environment, but LOGONUSERA always fails in the TEST and PRODUCTION environments. It always returns "0", which means the user id is invalid and the token is zero, hence I cannot impersonate. Is it something related to accessing the dll in other environments? Any suggestions to resolve this issue will be a great help for us. We have been stuck with this issue for the past 5 days.
In my ASP.NET app, I'm attempting to add another directory to have the DLLs in it shadow copied.
The only method I found that will allow me to do this is AppDomain.CurrentDomain.SetShadowCopyPath.
However, this method is marked as Obsolete. MSDN has this to say about it:
SetShadowCopyPath(String path) Message: AppDomain.SetShadowCopyPath has been deprecated. investigate the use of AppDomainSetup.ShadowCopyDirectories instead.
However, the AppDomainSetup.ShadowCopyDirectories property doesn't seem to change whenever I set a value to it.
AppDomain.CurrentDomain.SetupInformation.ShadowCopyDirectories = "mydirectory;bin";
string test = AppDomain.CurrentDomain.SetupInformation.ShadowCopyDirectories; // returns bin, which was the original directory
Is there a reason that it won't change and is there a workaround?
I have to do some message exchange with a 3rd party (in a website). When the client posts a page, I start the message exchange. When that doesn't succeed for some reason, I report this to the client by rendering the page with a message. In the background, in a separate thread, I start a process to send abort messages to the 3rd party. I can't do this while the user is waiting for the page to come back, because it might take a few minutes. But in a test project, the test ends when the message to the 3rd party is sent, and after the new thread is started. But it seems that the new thread also ends when the test is done.
Is that normal behaviour? I do start the thread in a new class with a reference to 2 objects from the class which tries to send the message in the first place; may that be a problem? EDIT: it keeps running when the whole process is started in IIS.
I'm currently building an intranet engine for a project I've got on the go at the moment, and I'd like to save myself a little time by generating header images from code where possible. However, I'd like it to match our concept image. What I'd like to achieve is below: My issue is I've not the faintest idea how to create that from code. I can do the absolute basics but that's about it.
I start to fall down when it comes to the gradient background and the drop shadow on the text. I can get away with positioning the text on the larger header image, so if it's not possible to generate the exact gradient I have there, then I have a workaround for that, but what I really want to achieve is the text with the font and drop shadow. I'd say it's safe to assume that to use a "non-standard" font, I'd merely need to install it on the web server?
There have been a couple of times now that I have tried to have a panel inside a Tab Page of the Tab Container. Each time I run into the same problem. The extender's drop shadow property won't work. The rounded property of the drop shadow extender works fine, but for the life of me I can't get the drop shadow to appear. Every other time this has happened I have just given up the search for the answer and left out the drop shadows because it wasn't a big deal, but this time I think it would really make my page look good, so I decided it was about time I posted something about this issue. (run-on sentences are my specialty)
The following code will recreate the bug / problem I am having
Is it possible to get the DropShadowExtender to throw a shadow on both sides of a Panel? I can get it on either left or right, but not that it is right behind the panel, giving the impression that the item is lifted slightly from the page.
If it can not be done with DropShadowExtender, is there another way to do this without actual background graphic?
I'd like to run drop shadow on the Bitmap class in ASP.NET and I'd be really happy if the GPU could do that. Any chance of this happening? Update: I'd like to do that on the server side. It doesn't really have to be an ASP.NET app; it could be a console app or a Windows service.
I made a project in ASP.NET which does scanning, resizing... I used WIA (Windows Image Acquisition). If I'm running locally, when I press the scan button the project works, but when I published this project on the web it does not work. I heard I need to write an ActiveX control to work with the client scanner. However, I do not have any idea how to write it.
I have a barcode scanner (Symbol LS2208) but I don't know how to read information from it into my application (in C#). Can anyone help me with this problem with sample code? OS: Windows XP. Scanner: Symbol LS2208 General Purpose Bar Code Scanner