Scott Hanselman

Back to Basics: When allowing user uploads, don't allow uploads to execute code

March 27, '14 Comments [38] Posted in Tools
Sponsored By

I got an email from a reader who noticed some very odd errors happening in her web site's global error handler. Fortunately she's using ELMAH for error handling, which, as you may know, is a JOY.

She was seeing:

Access to the path 'C:\Windows\security\database\secedit.sdb' is denied

Well, that's enough to make your heart skip a beat.

She looked around and found a file simply named "list.aspx" that she didn't recognize. The weird part was that this file was in the /uploads folder. That's where users can upload files with her particular CMS.

The list.aspx even has authors listed. Perhaps for their LinkedIn page?

Thanks Snailsor,FuYu,BloodSword,Cnqing,
Code by Bin
Make in China

I won't list the full list.aspx here, but rather call out some highlights of this clear malware.

It had a LOT of spaces in the opening of the file.

Meaning, they were assuming you wouldn't scroll down. Seriously. Oddly, though, it was spaces, not carriage returns. Note Line 23 never ends. It's SUPER long.


It pointed to a lot of (comparatively) unusual domains

It had links inside to things like

  • www.rootkit.net.cn
  • r57c99.com

Note that the second one actually serves malware and bad JavaScript, so avoid it.

It's a whole admin console for a bad guy to attack your computer

This file actually has a dropdown with "Please select a database" with values like (this is just a taste):

  • Use master dbcc addextendedproc('sp_OACreate','odsole70.dll')
  • select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb
  • c:\bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];
  • Exec master.dbo.xp_cmdshell 'net user'
  • EXEC sp_configure 'xp_cmdshell'

They're going for complete control of the system, and this file is just the start.

It serves JavaScript from elsewhere

This bad aspx file also tries to bring in some bad JS from the second domain above.

That JavaScript tries to bring in even worse JavaScript from another location via an indirection. I won't even list these bits for fear that I'll get blocked for serving it!

The root of all of this is: Don't let users upload and execute code.

A fix for arbitrary code execution in user upload folders

What was the fix? Well, certainly not allowing anyone to upload a file with a .aspx or .php extension, for one, but also marking the entire uploads folder as not executable, so that nothing in it is ever handed to a script handler. Here is the updated web.config:

<location path="upload">
  <system.webServer>
    <handlers accessPolicy="Read" />
  </system.webServer>
</location>
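As an added example, not the post's or the CMS's code: a C# allow-list check for the upload handler that complements the web.config rule above. The class, its method names and the marker list are assumptions, and the content scan is a heuristic layered on top of the handler policy, not a replacement for it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Hypothetical helper for an upload handler; class and method names are assumptions.
static class UploadGuard
{
    // Allow-list of passive content types. Anything not listed is rejected,
    // so there is no "dangerous extensions" list to keep up to date.
    static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".jpg", ".jpeg", ".png", ".gif", ".pdf" };

    // Markers that belong in server-side source, never in an image or PDF.
    // Heuristic defence in depth: a hit is suspicious, a miss proves nothing.
    static readonly string[] ServerCodeMarkers =
        { "<%@", "<script runat=\"server\"", "<?php" };

    public static bool IsAllowedName(string clientFileName)
    {
        // Path.GetExtension returns "" for names without an extension.
        string ext = Path.GetExtension(clientFileName ?? string.Empty);
        return ext.Length > 0 && AllowedExtensions.Contains(ext);
    }

    public static bool LooksLikeServerCode(byte[] content)
    {
        // The list.aspx in the post hid its code behind a long run of spaces,
        // so scan the whole body rather than only the first few bytes.
        string text = Encoding.ASCII.GetString(content ?? new byte[0]);
        foreach (string marker in ServerCodeMarkers)
        {
            if (text.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        }
        return false;
    }

    // Stores an accepted upload under a server-generated name and returns its
    // path, or returns null when the upload is rejected. The client-supplied
    // name is never used on disk; only its vetted extension survives.
    public static string Store(string uploadRoot, string clientFileName, byte[] content)
    {
        if (!IsAllowedName(clientFileName) || LooksLikeServerCode(content))
            return null;

        string ext = Path.GetExtension(clientFileName).ToLowerInvariant();
        string stored = Path.GetRandomFileName().Replace(".", string.Empty) + ext;
        string fullPath = Path.Combine(uploadRoot, stored);
        File.WriteAllBytes(fullPath, content);
        return fullPath;
    }
}
```

Even with this in place, keep the handlers rule: if a file does slip through, a folder that IIS will only ever serve as static content cannot run it.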

I'm not a security expert, but I'd love to hear from YOU, Dear Reader, and some of the crazy stuff you've discovered on systems you manage.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. I am a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web

NuGet Package of the Week: Canopy Web Testing Framework with F#

March 25, '14 Comments [18] Posted in NuGet | NuGetPOW | Open Source

I've been exploring Automated Browser Testing recently, and also checking out F# for unrelated reasons. However, when you combine the two you end up with "canopy." Canopy is a "f#rictionless web testing" framework that combines the flexibility of Selenium with the clean look of the F# language. F# is much terser (more elegant, even) than C#, and is garnering the interest of a lot of the .NET Open Source community. Folks are creating cool domain specific languages of their own using F# as the base.

You already have F# and perhaps didn't realize you did! If you don't, there are lots of ways to get F# for free. You can use F# for free with VS2013 Desktop Express plus Visual F# Tools 3.1.1.

F# is open source and cross platform, running on Linux, Mac OS X, Android, iOS, Windows as well as HTML5 and GPUs. F# is free to use and has an OSI-approved open source license.

Even if you don't feel like installing anything, you can learn and play with F# in your browser now! Check out http://www.tryfsharp.org 

Also check out FunScript, which is F# to JavaScript! Don't believe them? Try Pacman using F# and JavaScript with source!


Anyway, back to Canopy. Make a new Console app and NuGet in the canopy package:


The NuGet package will bring in Selenium as a dependency.

Then, try out their "Hello World" web testing sample, which I've also pasted here.

//these are similar to C# using statements
open canopy
open runner
open System

//start an instance of the firefox browser
start firefox

//this is how you define a test
"taking canopy for a spin" &&& fun _ ->
    //this is an F# function body, it's whitespace enforced

    //go to url
    url "http://lefthandedgoat.github.io/canopy/testpages/"

    //assert that the element with an id of 'welcome' has
    //the text 'Welcome'
    "#welcome" == "Welcome"

    //assert that the element with an id of 'firstName' has the value 'John'
    "#firstName" == "John"

    //change the value of element with
    //an id of 'firstName' to 'Something Else'
    "#firstName" << "Something Else"

    //verify another element's value, click a button,
    //verify the element is updated
    "#button_clicked" == "button not clicked"
    click "#button"
    "#button_clicked" == "button clicked"

//run all tests
run()

System.Console.WriteLine("press [enter] to exit")
System.Console.ReadLine() |> ignore

quit()

And boom, it just works. You can run this .NET application just like any other. .NET apps are .NET apps, as they say. It doesn't matter what language it's written in. When (if) you distribute this application you'd just include the contents of your Debug folder. No need to "install" F# or anything on the target machine.


You can do all sorts of Selenium testing with canopy, like:

//start a bunch of browsers and switch around
start firefox
let mainBrowser = browser
start chrome
let secondBrowser = browser
//switch back to mainBrowser after opening secondBrowser
switchTo mainBrowser

//take screenshots
let path = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\canopy\"
let filename = DateTime.Now.ToString("MMM-d_HH-mm-ss-fff")
screenshot path filename

//get an element
element "#firstName" |> someParent

//press buttons
press tab
press enter
press down
press up
press left
press right

//check and click things
check "#yes"
click "#login"

//or even drag things!
drag ".todo" ".inprogress"

Oh, and by the way, the canopy library builds itself using FAKE, the F# Build System we talked about last week! Go check these projects out and offer to help or support them. There's a lot of interesting open source happening in the .NET space lately that may have been flying under your radar.



Changes in the Microsoft MVP Program - MVPs for Open Source Contributions

March 20, '14 Comments [46] Posted in Open Source

Image by "tetue" and used under Creative Commons http://flic.kr/p/eYrTT4

Before I went to work for Microsoft a few years back, I was given the "MVP" award for ASP.NET. I didn't go out and seek this award, it just happened. The MVP awards are backward-looking in that they look at the work that you've done in the previous year, not what you're going to do.

The idea behind these awards has been to give some recognition to folks that have volunteered their time to write books, create documentation, run user groups, and generally spread the word as advocates for the development platform.

However, it's long been my opinion that these awards are too narrow in scope. It's great that you're blogging or speaking on a developer topic, but what if you don't speak at all and instead put that energy into a great .NET open source framework? Fortunately others within the big house share my thinking and we're changing the MVP program to actively recognize open source.

Here's a quote directly from an internal email/memo. It's got a little corporate-speak, but it's rather frank and to the point. What you need to know is that this email was sent to all of the Microsoft subsidiaries (the "field") to make sure they are on track and get what we're trying to do here. I've bolded and trimmed it a little but you get the idea:

Currently there is a class of developer influencers whose contributions are not yet fully recognized by the Microsoft MVP Program. These influencers run, manage, or commit to large and highly influential open source projects. However since they do not participate in what is considered as more traditional ways such as speech engagement, books, online forums or user groups, they are not usually considered as potential MVPs. Often these developers have technical community followings but may not necessarily be "on message." As a result, there is a belief amongst some influencers that Microsoft does not support Open Source software.

As we move forward, we will change the MVP guidelines to recognize open source activities with the same weight as other community activities. We need to send a clear message that a healthy .NET ecosystem, including open source impact, is good for all stakeholders. It is time for the MVP Award to recognize open source activities to promote further growth and support of the technical communities.

When I started pushing this idea, I thought we'd make a new "Open Source MVP." I pushed that for a while but realized quickly that it would create an island of OSS MVPs, and no one group would claim them. Better to push OSS throughout the whole program so everyone shares a home. Instead, we changed the idea so that Open Source contributions count as at least as valuable as any other contribution (or more so), and you can become an MVP based solely on open source and nothing else.

If you make the next great "Foo Framework for ASP.NET" then you'd be an ASP.NET MVP and get the benefits of any other MVP, including an MSDN subscription that you could use to support your project. There's no expectation to speak or blog or do anything other than be awesome and keep working on your project.

Here it is in corporate speak (from that memo):

Today we already include open source activities in our review process as part of a MVP’s contributions. The shift now is that a candidate can be reviewed and awarded solely on contributions in open source projects, if the contributions are significant, without having other activities such as speeches, online forum supports, books, blogs, etc.

We'll be looking at open source for the next MVP "cycle." We can't bring in every little project, as much as I'd like to, but if you've got a successful and growing project, or if you know someone who is doing amazing stuff in open source, make sure that your local Microsoft community person nominates them!

* Image by "tetue" and used under Creative Commons

Sponsor: Big thanks to Red Gate for sponsoring the blog feed this week. Check out the Free Starter Edition of their release management tool! Deploy your SQL Server databases, .NET apps and services in a single, repeatable process with Red Gate’s Deployment Manager. Get started now with the free Starter Edition.


How to automatically notify the user that it's time to upgrade a Windows App

March 19, '14 Comments [50] Posted in Musings

Back in 2007 I did a post called Making your Application Automatically Update Itself. Yesterday I was pairing on a little startup I'm doing on the side with Greg Shackles and it was time to do the setup application. I thought about WiX, I thought about InstallShield, but then discovered a wonderful little gem of a setup application called Inno Setup by Jordan Russell. It's free, but it's a joy and you should donate if you use it.

It took me just 15 minutes to make a simple installer, and it's clear that this tool is deep and broad in its support. However, there's no free lunch when it comes to auto-updating. Inno Setup will upgrade my app from build to build when I run a new setup over the top of an old one. I still need my app to notify the user that it's time to upgrade.

This is our little 10 minute solution, but it's actually working very nicely. Inside the latest.txt file is a simple version string like 0.9.9.4.

using System;
using System.Diagnostics;
using System.Net.Http;
using System.Reflection;
using System.Threading.Tasks;
using System.Windows;

//lives in the WPF window class and runs from startup; async because of the HTTP call
async Task CheckForUpdateAsync()
{
    var http = new HttpClient();
    //latest.txt on the server holds nothing but a version string such as 0.9.9.4
    string versionString = await http.GetStringAsync(new Uri("http://www.hanselman.com/SecretStartup/latest.txt"));
    Version latestVersion = new Version(versionString);

    //get my own version to compare against latest.
    Assembly assembly = Assembly.GetExecutingAssembly();
    FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(assembly.Location);
    Version myVersion = new Version(fvi.ProductVersion);

    if (latestVersion > myVersion)
    {
        if (System.Windows.MessageBox.Show(String.Format("You've got version {0} of SecretStartup for Windows. Would you like to update to the latest version {1}?", myVersion, latestVersion), "Update SecretStartup?", MessageBoxButton.YesNo) == MessageBoxResult.Yes)
        {
            //send the user to the page where the new setup lives
            Process.Start("http://www.hanselman.com/blog");
        }
    }
}

I'm thinking:

  • We'll add an SSL certificate and confirm its identity on the HTTP call as a little added security.
  • Error Handling, natch.
  • One could also download the setup app to %temp%, check its SHA hash, launch it and close myself. Not sure I like it this automatic, though.
  • Maybe only check the version once a day or once every few days.
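As an added example, not the post's code: a hardened version of the check that covers the four points above. It assumes a hypothetical latest.txt format of one line, "<version> <sha256-hex> <https URL of the setup exe>", served over HTTPS, and leaves the prompt and the launch to the caller; the class and method names are assumptions too.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;

// Hypothetical helper; the class name, method names and manifest format are assumptions.
static class UpdateCheck
{
    // Assumed manifest: one line, "<version> <sha256-hex> <https-url-of-setup.exe>".
    public static bool TryParseManifest(string text, out Version version,
                                        out string sha256Hex, out string setupUrl)
    {
        version = null; sha256Hex = null; setupUrl = null;
        string[] parts = (text ?? string.Empty).Trim().Split(' ');
        if (parts.Length != 3 || !Version.TryParse(parts[0], out version)) return false;
        if (parts[1].Length != 64) return false;   // SHA-256 is 32 bytes = 64 hex chars
        if (!parts[2].StartsWith("https://", StringComparison.OrdinalIgnoreCase)) return false;
        sha256Hex = parts[1]; setupUrl = parts[2];
        return true;
    }

    public static bool Sha256Matches(byte[] data, string expectedHex)
    {
        using (var sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(data)).Replace("-", string.Empty);
            return string.Equals(actual, expectedHex, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Returns the path of a downloaded, hash-verified installer newer than 'current',
    // or null when there is nothing to do. The caller prompts the user and launches it.
    public static async Task<string> FetchVerifiedUpdateAsync(
        Uri manifestUrl, Version current, DateTime lastCheckUtc, TimeSpan interval)
    {
        if (DateTime.UtcNow - lastCheckUtc < interval) return null;   // e.g. once a day, not every start
        try
        {
            using (var http = new HttpClient { Timeout = TimeSpan.FromSeconds(15) })
            {
                // Over HTTPS, HttpClient rejects an invalid or mismatched certificate by default.
                string manifest = await http.GetStringAsync(manifestUrl);
                Version latest; string expectedHash; string setupUrl;
                if (!TryParseManifest(manifest, out latest, out expectedHash, out setupUrl)) return null;
                if (latest <= current) return null;
                byte[] setup = await http.GetByteArrayAsync(setupUrl);
                // The hash catches a truncated or corrupted download and a tampered mirror; since it
                // comes from the same origin as the manifest it cannot catch a compromised origin.
                if (!Sha256Matches(setup, expectedHash)) return null;
                string path = Path.Combine(Path.GetTempPath(), "SecretStartup-" + latest + "-setup.exe");
                File.WriteAllBytes(path, setup);
                return path;
            }
        }
        catch (HttpRequestException) { return null; }   // offline or server error: try again later
        catch (TaskCanceledException) { return null; }  // timed out
        catch (IOException) { return null; }            // could not write to %temp%
    }
}
```

A hash published next to the download only proves integrity of the transfer; verifying the installer's Authenticode signature before launching it is the check that survives a compromised web server.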

Comments?




AngleBrackets open web conference in Florida - April 2014

March 19, '14 Comments [7] Posted in Musings

We had a blast last year at AngleBrackets in Vegas. Next month we're heading to family-friendly Orlando with our friends ScottGu, Denise Jacobs, Douglas Crockford, John Papa, Dan Wahlin, and lots more.

There are some great optional workshops (pre-cons and post-cons) that are a fantastic opportunity to get some one-on-one training with experts in the field. It's deep web technologies with a focus on practicality, open source, and creative problem solving. Check this out, get your boss to sign off and bring your laptop!

  • PRECON12: AngularJS SPA Development - 0 to 60 (Sunday, April 13) Hands-on Bring your own Laptop - John Papa
  • PRECON08: Architecting Applications for Multiple UIs (Sunday, April 13) - Paul Sheriff
  • On the Metal: Essential HTML 5, CSS 3 and JavaScript for All Developers (Sunday, April 13) - Todd Anglin
  • Service Orientation Technologies Designing, Developing and Implementing WCF and the WEB API (Sunday, April 13) - Miguel Castro
  • PRECON07: The Architecture Clinic - (Sunday, April 13) - Juval Lowy
  • POSTCON08: Building Data-Centric Single Page Applications with Durandal, Knockout, Breeze and Web API (Thursday, April 17) - Brian Noyes
  • POSTCON03: Experimental Design for User Interfaces (Thursday, April 17) - Billy Hollis
  • POSTCON09: Hacking the Creative Brain (Thursday, April 17) - Denise R. Jacobs

AngleBrackets is a conference that's "co-located" with the DevIntersections conference. That means that you can move between the two conferences and attend the sessions you want. You can move between MongoDB, Ruby, and node.js sessions and even (gasp!) SharePoint sessions at the other conference. It's a great way to get your boss to send you to a conference while you learn all aspects of web development.

Here are a few cool sessions I'm tracking for myself, just to give you a taste of the diversity of topics.

Managing Asynchronicity with RQ - Douglas Crockford

Turn based servers are now joining turn based browsers in providing race-free and deadlock-free interactivity. The event-driven model has long been popular in UI systems, but the nature of work in servers presents some new challenges. Functional programming provides solutions, including monads, arrows, promises, and various flavors of FRP. This is another such solution, intended to enhance ease of use with constructs that support parallel and sequential operations.

The Art of Disciplined Creativity - Denise Jacobs

As tech industry professionals, we rarely experience a shortage of projects that necessitate our creative thinking. While everyone has moments of being on fire with creativity, all too often the time of being in the state of creative flow is too short. Additionally, sometimes we get stuck: we lack inspiration, our creative confidence wanes, and the generation of ideas comes to a standstill. Much like elite athletes, we need to exercise discipline to be able to get into the creative "zone" at will and produce consistently great results. Let's explore ideas and practices for regularly gathering sources of inspiration, eliminating blocks to more easily access creative states, prolong them, and leverage their power to develop and execute great work.

Grunt-ify Your Front-End Web Development - Elijah Manor

There are a lot of manual processes that front-end developers tend to perform in order to get their job done. Wouldn't it be nice if there was some way to automate all the things? Well, thanks to Grunt you can :) In this session we will introduce Grunt and showcase some common workflows to automate building, live reloading, CSS processing, unit testing, deploying, as well as making your own custom plugins. Along the way, we will discuss some tips and tricks when using Grunt.

There are also other optional PreCons at DevIntersections on SQL, C, ALM, Disaster Recovery, Roslyn and CodeGen and more. Check out the great line-up we have this year at AngleBrackets and I'll see you there!




Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.