Wednesday, October 01, 2008

ASP.net Session Error remedy

Has your SQL Server restarted lately? If your ASP.NET application is reporting errors like these, it probably needs some reconfiguration:
SELECT permission was denied on the object 'ASPStateTempSessions', database 'tempdb', schema 'dbo'.
INSERT permission was denied on the object 'ASPStateTempSessions', database 'tempdb', schema 'dbo'.
UPDATE permission was denied on the object 'ASPStateTempSessions', database 'tempdb', schema 'dbo'.


The cause is that your ASP.NET application uses SQL Server session storage. This is generally a good design pattern: SQL Server session storage allows you to run multiple web servers and thereby scale your infrastructure. SQLServer is one of three possible session storage modes and is defined in web.config (attribute names are case-sensitive) with a directive like:
<sessionState mode="SQLServer" timeout="1440" sqlConnectionString="Data Source=RelevantYellow.sql.relevantads.com;User ID=WebSession;Password=password" cookieless="false"></sessionState>


However, by default it relies upon the temporary database (tempdb) in SQL Server. Each time the server is restarted, tempdb is recreated from scratch, and the access permissions you granted on it are lost with it. Your database server is doing its rightful job of blocking non-administrative accounts from doing things without authorization.

Solution
Instant fix. Grant permissions to your WebSession database user on tempdb. Simply make it a db_owner. This works, but you'll need to repeat the step each time the server is restarted.
USE [tempdb]
GO
EXEC sp_addrolemember 'db_owner', 'WebSession'


Temporary relief.
Grant sysadmin privileges to the WebSession account:
EXEC master..sp_addsrvrolemember @loginame = 'WebSession', @rolename = 'sysadmin'

However, granting such copious rights to this account is dangerous. Should your web application be compromised, hacked or exposed, you could be caught with your shorts down.

Best Solution
Instead of relying on tempdb, the session data can be stored in permanent tables (persisted session state), which survive a restart. Install the SQL script:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql

Alternatively, from the command prompt, run:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -ssadd -E -sstype p

Monday, September 22, 2008

Hyperlink behavior - forcing popup window

"I'm clicking the link, but nothing happens"

Many websites use popup hyperlinks. While that worked fine in the past, with the advent of tabbed browsers hyperlink popup windows no longer behave as predictably as they once did. Furthermore, since users may have several websites open, there is a growing chance that another site is using the same window name, "new".

The problem is that the hyperlink uses the attribute target="new" to cause the popup window. Subsequent clicks on that hyperlink cause the already-open window to be refreshed rather than a new one to open. Microsoft Windows will bring that Internet Explorer window to the front or flash its taskbar button until clicked. With tabbed browsing, however, only newly opened tabs come into focus, so when the page loads again in an already-open tab, nothing flashes or receives focus.

If the intent is to guarantee that the user is shown the hyperlink in a popup every time, use target="_blank" instead. If instead you want the end user to reuse a single browser window, use a named target such as "new" (or any other name of your choosing).

Example:

Target    Experience
new       Subsequent clicks do not yield new popups.
_blank    Each click gives its own popup.


Note that "_new" is treated the same as "new".

Monday, May 12, 2008

Dissection of the ASP SQL Injection Outbreak

Several website owners this past week, including the United Nations and the UK Government, were left with a compromised database after being hit with the notorious SQL injection bug. This is a flaw in which a basic ASP web page can be made to run a malicious script on the SQL server.

The mass attack hit a number of websites that were ASP driven and accepted querystring parameters for database lookups. Web pages can allow dynamic retrieval of information based upon querystring parameters; however, if programmed in a basic manner, they might allow a malicious script to be run.

Here is a basic example of a page that is vulnerable:

Page: BadCode.asp

Dim myVar
' Untrusted value taken straight from the request (querystring, form or cookie)
myVar = Request("input")

...
' The value is concatenated into the SQL text, so whatever the client sent
' becomes part of the statement the server executes
objComm.CommandText = "Select * from myTable where ID=" & myVar
Set objRS = objComm.Execute

...

In the normal situation, this will query the database for the specified record. However, if the value of input is a malicious script, it will be run by the SQL server and can run amok! Let's have a look...

Example SQL ASP Malicious Script


Given our BadCode.asp example, consider what the following HTTP request would do:
http://samplesite/BadCode.asp?input=555;EXECUTE("MALICIOUS SCRIPT")

In the mass attacks we've seen from China (IP=222.91.65.191) in the past week, the actual querystring script was encoded into hexadecimal so that it was interpreted by SQL but not munged by ASP.

***REMOVED PER GOOGLE EDITORIAL GUIDELINES***

Here is the script as interpreted by SQL:

***REMOVED PER GOOGLE EDITORIAL GUIDELINES***


The outcome of executing this SQL command would be to modify all the text content in the entire database. The modified content would direct your website's users to download malware to their desktops.
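As an added illustration (not part of the original post), here is a small Python detector for the pattern described above: it scans IIS W3C log lines for a stacked statement following the ';' and for a CAST(0x... AS VARCHAR/NVARCHAR) wrapper, and decodes the hex literal so an analyst can read what the server would have executed. The log lines, client addresses and the decoded statements are constructed for the example and are deliberately harmless; the field layout assumes the 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status' selection.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt for this example (not from the incident described
# in the post). Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The two suspicious lines carry harmless hex-encoded statements (SELECT @@VERSION
# and SELECT 1) so the decoder's output can be checked.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-05-10 03:12:44 10.0.0.5 GET /BadCode.asp input=555 200
2008-05-10 03:12:51 10.0.0.9 GET /BadCode.asp input=555;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C45435420404056455253494F4E%20AS%20VARCHAR(4000));EXEC(@S);-- 200
2008-05-10 03:13:02 10.0.0.5 GET /index.asp page=2 200
2008-05-10 03:13:09 10.0.0.9 GET /BadCode.asp input=555;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);-- 500
"""

# A ';' followed by a statement keyword means the value ended one statement and
# started another, which a plain "WHERE ID=" lookup never needs.
STACKED_RE = re.compile(r";\s*(DECLARE|EXEC(?:UTE)?|CAST|SET|INSERT|UPDATE|DELETE)\b",
                        re.IGNORECASE)
# CAST(0x... AS VARCHAR/NVARCHAR): the hex literal hides the real statement from
# keyword filters in ASP while SQL Server decodes it happily.
CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)


def decode_hex_payload(hex_digits, cast_type):
    """Decode the 0x literal the way SQL Server would for the given CAST target."""
    if len(hex_digits) % 2:          # an odd digit count is not a valid byte string
        return "<undecodable hex literal>"
    raw = bytes.fromhex(hex_digits)
    if cast_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")   # NVARCHAR is UTF-16LE
    return raw.decode("latin-1")                            # VARCHAR: one byte per char


def inspect_query(raw_query):
    """Return a list of findings for one cs-uri-query value (empty if it looks clean)."""
    query = unquote_plus(raw_query)      # undo the %20 encoding IIS writes to the log
    findings = []
    if STACKED_RE.search(query):
        findings.append("stacked statement after ';'")
    for match in CAST_HEX_RE.finditer(query):
        findings.append("hex payload: " + decode_hex_payload(match.group(1), match.group(2)))
    return findings


def scan_iis_log(text):
    """Scan W3C log text and return one dict per request that matched."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip directives and blank lines
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, client_ip, _method, uri_stem, uri_query, status = parts[:7]
        findings = inspect_query(uri_query)
        if findings:
            hits.append({"time": f"{date} {time}", "client": client_ip,
                         "uri": uri_stem, "status": status, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["uri"], hit["status"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the decoded payload is what you would hand to the DBA to judge what was actually changed, and the client column is what feeds a block list.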

Identifying Websites Vulnerable To SQL/ASP Bug

A basic Google query for ASP pages can be performed to identify potential sites with the flaw.
Combine that query with a mass crawler to identify the querystring parameters, then hit the pages in mass coordination worldwide; pretty clever stuff indeed... The actual payload of this latest infection from China was even more impressive, as it served JavaScript to every end user coming to the website. That JavaScript contained several other fun forms of malware, which fortunately my browser decided to pass on...

SQL Injection Fix


There is no patch that prevents this flaw. A fully patched, secured and locked-down server can still be susceptible to this problem. It is only eliminated with good coding practices. I recommend exclusively using stored procedures (called with typed parameters, never built up as a string) to access the database; that way you tightly control all access levels and avoid the pitfalls of rogue or poor programmers and basic exploits.

In short, don't allow uncontrolled, dynamic SQL statements to be run from the web application.
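To make the fix concrete, here is an added Python example (not from the post, which uses classic ASP) that reproduces BadCode.asp's string concatenation against an in-memory SQLite table and places the parameterized version beside it. SQLite stands in for SQL Server only so the example runs offline; the table, rows and inputs are constructed. The classic ASP equivalent of the hardened function is an ADODB.Command whose value is supplied through Parameters.Append, or a stored procedure called the same way.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for 'myTable' in BadCode.asp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (ID INTEGER PRIMARY KEY, Content TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)",
                     [(555, "record 555"), (556, "record 556"), (557, "record 557")])
    return conn


def lookup_vulnerable(conn, user_input):
    """Mirrors BadCode.asp: the request value becomes part of the SQL text."""
    sql = "SELECT * FROM myTable WHERE ID=" + user_input
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_input):
    """Parameter binding alone: the value travels separately from the SQL text,
    so the server compares it as data and never parses it as SQL."""
    return conn.execute("SELECT * FROM myTable WHERE ID=?", (user_input,)).fetchall()


def parse_record_id(user_input):
    """Return the integer ID, or None when the input is not a plain integer."""
    try:
        return int(user_input)
    except (TypeError, ValueError):
        return None


def lookup_hardened(conn, user_input):
    """Validation plus binding: reject non-integers outright, then bind the integer."""
    record_id = parse_record_id(user_input)
    if record_id is None:
        raise ValueError("input must be a numeric record ID")
    return conn.execute("SELECT * FROM myTable WHERE ID=?", (record_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "555"))         # the intended single record
    print(lookup_vulnerable(db, "0 OR 1=1"))    # WHERE clause rewritten: every row comes back
    print(lookup_bound(db, "0 OR 1=1"))         # bound as a value: matches nothing
    print(lookup_hardened(db, "555"))           # validated and bound
```

The vulnerable function is shown with a boolean rewrite rather than the post's ";EXECUTE(...)" form because SQLite's execute() refuses to run more than one statement per call, whereas SQL Server executes stacked statements; the root cause in both cases is the same, untrusted text spliced into the SQL. Binding alone is sufficient to close the hole; the integer check in lookup_hardened is defence in depth and gives the caller a clean error instead of a silent empty result.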

Thursday, April 03, 2008

Lanier cannot connect to Windows 2003 Domain Folder share

This is likely due to the server requiring a signed (secure channel) connection. The Lanier 232c and Lanier 122 connect through SMB network file sharing and do not support signed connections.

In the Group Policy Editor, select Security Settings\Local Policies\Security Options, and in the details pane locate and disable:
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Domain member: Digitally encrypt or sign secure channel data (always)
To apply the Group Policy change immediately, either (1) restart the domain controller, or (2) open a command prompt and type:
gpupdate

If you change these settings and still have a problem, check the same settings in the Default Domain Controllers Policy:

1. Open the Default Domain Controllers Policy to edit its properties.
2. Under Computer Configuration, expand Windows Settings\Security Settings\Local Policies\Security Options.
3. In the details pane, locate and disable:
Microsoft network server: Digitally sign communications (always)
Domain member: Digitally encrypt or sign secure channel data (always)
4. To apply the Group Policy change immediately, either restart the domain controller or open a command prompt and type:
gpupdate

Keep in mind that these settings protect SMB and secure channel traffic against tampering for every machine covered by the policy, so scope the change as narrowly as the printers require.

Sunday, March 30, 2008

ASP.Net Remote Debugging & Local Host Alias

Visual Studio Error: "Unable to start debugging unknown user name or bad password"

Here is an even better solution than using localhost with some bogus port. There was a security change in SP1 for Windows 2003 that prevents debugging on anything but localhost. There's an obscure KB article about it here:

http://support.microsoft.com/?kbid=896861

The fix is simple:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
(a reboot may be necessary)

If the other computer is truly remote, you will need to define debugging permissions on that machine:
Click Start, click Microsoft Visual Studio 2005, point to Visual Studio Tools, and then click Visual Studio 2005 Remote Debugger Configuration Wizard.

Also configure in Administrative Tools: "Local Security Policy" / "User Rights Assignment". The policy "Debug Programs" should be granted to your user account.

Thursday, March 27, 2008

Obtaining HTTPcmd : Command line utilities

The Windows 2000 Resource Kit has a tool called httpcmd to perform GET operations.
Microsoft offers no downloads for this tool from the Windows 2000 Resource Kit, and the Windows 2003 Resource Kit does not contain that command; instead obtain the IIS 6 Resource Kit.

Download it from there.
Use the tool tinyget:

tinyget -srv:raweb01 -uri:http://relevantads.com -d

Also use the tool wfetch to perform detailed HTTP request and response analysis.

Monday, March 17, 2008

Disable Road Runner domain advertising landing page

Recently Road Runner began serving its users advertisements in the form of web landing pages. When Road Runner detects an invalid domain (or a DNS error), it redirects the browser to a web site with a mixture of ads and search results served by Yahoo.

Some users are even complaining that Road Runner is redirecting valid domains to this landing page such as www.google.com!

Fortunately, Road Runner does provide a way to disable this default DNS service. At the bottom of the landing page is a link to the service settings: http://ww23.rr.com/prefs.php.


From here, simply disable the entire service. This may take a few minutes to take effect, and it will affect every computer on your local network, because the settings are tied to your cable modem's MAC address. You can revisit the settings page to modify the values should you ever want to.
