Posts

Showing posts from 2008

ASP.net Session Error remedy

Has your SQL Server restarted lately? If your ASP.net application is reporting errors like these, it might need some reconfiguration:

SELECT permission was denied on the object 'ASPStateTempSessions', database 'tempdb', schema 'dbo'.
INSERT permission was denied on the object 'ASPStateTempSessions', database 'tempdb', schema 'dbo'.
UPDATE permission was denied on the object 'ASPStateTempSessions', database 'tempdb', schema 'dbo'.

The cause of this is that your ASP.net application uses SQLServer session storage. This is generally a good design pattern; SQLServer session storage allows you to have multiple web servers and thereby scale your infrastructure. SQLSession is one of three possible session storage methods and is defined in the web.config with a directive like:

<sessionState mode="SQLServer" timeout="1440" sqlConnectionString="Data Source=RelevantYellow.sql.relevanta

Hyperlink behavior - forcing popup window

"I'm clicking the link, but nothing happens"

Many websites use popup hyperlinks. While that has been fine in the past, with the advent of tabbed browsers, hyperlink popup windows no longer behave as predictably as they once did. Furthermore, since users may have several websites open, there is a greater chance that another site is using the same window named "new".

The problem is that the hyperlink uses the directive target="new" to cause the popup window. Subsequent clicks on that hyperlink will cause the same window to be refreshed. Microsoft Windows will bring that Internet Explorer window to focus or cause it to flash until clicked. However, with tabbed browsing only newly opened tabs will come into focus. So when a user clicks a link whose target is an already opened tab, that tab will not flash or receive focus.

If the intent of the web experience is to guarantee that the user will be shown the hyperlink in a popup, use target="_blank" instead. Ho

Dissection of the ASP SQL Injection Outbreak

Several website owners this past week, including the United Nations and the UK Government, were left with a compromised database after being hit with the notorious SQL injection bug. This is a flaw in which a basic ASP webpage can run malicious script on a SQL server. The mass attack hit a number of websites that were ASP driven and supported querystring parameters for database lookup.

Webpages can allow for dynamic retrieval of information based upon querystring parameters; however, if programmed in a basic manner, they might allow a malicious script to be run. Here is a basic example of a page that is vulnerable:

Page: BadCode.asp

Dim myVar
myVar = Request("input")
...
' Vulnerable: the request value is concatenated directly into the SQL text
objComm.CommandText = "Select * from myTable where ID=" & myVar
objRS.Open objComm.Execute
...

In the normal situation, this will query the database for the specified record. However, if the value of input is passed in as a malicious script, it could be run by the SQL server and run amok! Le

Lanier cannot connect to Windows 2003 Domain Folder share

This is likely due to a secure channel connection being requested by the server. The Lanier 232c and Lanier 122 connect through SMB network file sharing. They do not support secure connections.

In the Group Policy Editor, select Security Settings\Local Policies\Security Options. In the details pane, locate and disable:

Microsoft network server: Digitally sign communications (always).
Microsoft network server: Digitally sign communications (if client agrees).
Domain member: Digitally encrypt or sign secure channel data (always).

To apply the Group Policy change immediately, either (1) restart the domain controller or (2) open a command prompt and type: gpupdate

If you change these settings and still have a problem, check the following settings.

1. Open the Default Domain Controllers Policy to edit the properties.
   1. Under Computer Configuration, expand Windows Settings\Security Settings\Local Policies\Security Options.
   2. In the details pane, locate and Microsoft network serv

ASP.Net Remote Debugging & Local Host Alias

Visual Studio Error: "Unable to start debugging unknown user name or bad password"

Here is an even better solution than using localhost with some bogus port. There was a security change in SP1 for Windows 2003 that prevents debugging on anything but localhost. There's an obscure KB article about it here: http://support.microsoft.com/?kbid=896861

The fix is simple:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK. (A reboot may be necessary.)

If the other computer is truly remote, it will be necessary to define debugging permissions on that machine: Click Start, click Mi

Obtaining HTTPcmd : Command line utilities

The Windows 2000 Resource Kit has a tool called httpcmd to perform GET operations. Microsoft offers no download for this tool from the Windows 2000 ResKit. The Windows 2003 Res Kit does not contain that command; instead, obtain the IIS 6 Resource Kit. Download from here.

Use the tool tinyget:

tinyget -srv:raweb01 -uri:http://relevantads.com -d

Also use the tool wfetch to perform detailed HTTP request and response analysis.

Disable Road Runner domain advertising landing page

Recently Road Runner began serving advertisements to its users by way of web landing pages. When Road Runner detects an invalid domain (or DNS error), it redirects the browser to a website with a mixture of ads and search results served by Yahoo. Some users are even complaining that Road Runner is redirecting valid domains, such as www.google.com, to this landing page!

Fortunately, Road Runner does provide a way to disable this default DNS service. At the bottom of the landing page is a link to the service settings: http://ww23.rr.com/prefs.php. From here, simply disable the entire service. This may take a few minutes to take effect, and it will affect every computer in your local network. The settings are tied to your cable modem's MAC address. You can revisit the settings page to modify the values should you ever want to.