Hurlman.Tech

/* Blogging when the NDA allows */

[Update: Seems to be fixed in 1.1 SP1 - so get those machines patched - but we need a hotfix for 1.0 folks as well. nevermind.]

So, yikes (via LeastPrivilege.com):

We believe we have discovered a serious flaw in .NET forms authentication
when used to secure sub folders. ...

1. Using Mozilla not IE, you make a request to
http://localhost/secure\somefile.aspx The use of a backslash rather than a
forward slash appears to bypass the expected authentication model invoked in
.NET forms authentication

2. Using IE, you make a request to
http://localhost/secure\somefile.aspx -
IE automatically replaces the backslash "\" with a forward slash "/" and
everything appears fine. However, replace the backslash "\" with %5C (%5C
being hex value for \) and all is not so fine:

http://localhost/secure%5Csomefile.aspx

If you haven't already, go back and read the full message I linked to at the top of the post.  GO!
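As an added illustration of the canonicalization problem described above (my own example, not code from the original post, from the quoted message, or from Microsoft), here is a Python model of a raw-path prefix check beside a canonicalize-then-authorize version. The `/secure/` folder name, the helper names and the double-encoded `%255C` case are my assumptions, and the last of these goes slightly beyond the two variants quoted in the message.

```python
from urllib.parse import unquote

PROTECTED_PREFIX = "/secure/"          # folder the forms-auth rule is meant to cover

def naive_requires_auth(raw_path: str) -> bool:
    """A plain prefix check on the raw request path, the kind of comparison
    the quoted message describes as bypassed by '\\' and '%5C'."""
    return raw_path.startswith(PROTECTED_PREFIX)

def canonicalize_path(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any authorization
    decision: percent-decode until stable (covers double encoding such as
    %255C), map backslashes to forward slashes, drop empty and '.' segments,
    and resolve '..' without climbing above the root."""
    path = raw_path
    for _ in range(4):                  # bounded: stop once decoding is a no-op
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def hardened_requires_auth(raw_path: str) -> bool:
    """Same policy as the naive check, but applied to the canonical path."""
    canon = canonicalize_path(raw_path)
    return canon == PROTECTED_PREFIX.rstrip("/") or canon.startswith(PROTECTED_PREFIX)

# Constructed sample requests: the two variants from the quoted message,
# a double-encoded variant (my assumption), and an unprotected path as a control.
SAMPLE_REQUESTS = [
    "/secure/somefile.aspx",
    "/secure\\somefile.aspx",
    "/secure%5Csomefile.aspx",
    "/secure%255Csomefile.aspx",
    "/public/index.aspx",
]

def compare(paths=SAMPLE_REQUESTS):
    """Map each raw path to (naive decision, hardened decision)."""
    return {p: (naive_requires_auth(p), hardened_requires_auth(p)) for p in paths}
```

Running `compare()` shows the naive check letting the backslash and `%5C` forms through while the canonicalized check treats all three spellings of the protected path the same way.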

OK, this is the worst thing I've ever heard of (from same post):

Interestingly (and I guess now somewhat amusingly) Microsoft point out in
the article "Design Guidelines for Secure Web Applications"
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh04.asp):

"Be Careful with Canonicalization Issues:

Data in canonical form is in its most standard or simplest form.
Canonicalization is the process of converting data to its canonical form.
File paths and URLs are particularly prone to canonicalization issues and
many well-known exploits are a direct result of canonicalization bugs. For
example, consider the following string that contains a file and path in its
canonical form."

And then goes on to define the exploit ;-)

How on earth did *that* manage to happen?  How did whoever was testing this not pick up on the fact that they should maybe test the exact thing that their whitepaper was warning developers about?

Further, where on earth is anyone from Microsoft on this?  I've heard not a peep in a single RSS feed, and I'm subscribed to well over 300 MS blogs, along with the Security Bulletin feed.

Honestly - it's things like this that make me glad that I don't support IIS anymore (and by association, ASP/ASP.Net), and even more glad that I sold off all my MS stock when I left.

- G



Creative Commons License This work is licensed under a Creative Commons License.

As I walked over to the deli to pick up some sugar to counteract my lunchcoma, I was thinking about why I don't nearly blog as much as I used to, certainly not nearly as much as I did pre-current-blog.  I decided that it was most likely my efforts to keep this blog's signal/noise ratio very high, with almost no noise getting through.

Being that I am not Johnny ubergeek with nothing to talk about but technology all day long, I decided that this has to change.  As such, I'm going to start using this blog as much as a soapbox/mountaintop to shout from - so the signal/noise ratio is most likely going to take a dive.

WAIT - no need to unsubscribe if all you're looking for is yet another spot to watch for tech news - with this post I'm creating a less-talk-more-rock category I'm going to call “Squaretwo.Tech” - if you want to avoid the noise, just subscribe to that category - I'll (try to) remember to tag each tech. post with it.

If you decide to stick to the main feed to see what happens, you're more than welcome to do so.  I think the Liberal Arts major in me is excited about the prospect of writing just to write again, and I hope that what follows is either entertaining, enlightening, or if I've done it right, a little of both.

- G


That's right, you heard it here second (if you follow SBS at all, you heard it here first):

Eugene Ho [Dev Director for SBS] at SMB nation just said that ISA 2004 would be available for Premium only customers [like duh on that one of course] and it would be available for shipping/fulfillment costs only [snail mail one cost, express mail a higher costs]

That, to put it plainly, is awesome.  Of course, true SBS integration won't be there until SP1 for SBS 2003 is released, targeted for early next year.  The question is - will the SA licensees get peeved over this, and what will become of SQL Server 2000 once SQL Server 2005 is released?

Yes, I'm getting greedy.

- G


Almost 2 years ago, it took a bit of research before I came across my current webhost - winning with their offering of a MS SQL database (actually, 2 of them) for less than $10/month.

Right now, Webhost4Life is running a hell of a deal for $9.95/mo:

  • 300 MB of disk space (normally 150 MB, that's what I have *grumble*)
  • ASP.Net 1.0, and 1.1
  • Up to 2 MS SQL databases (more DBs for more $ if you need them)
  • Unlimited number of domains and subdomains pointed to them
  • Shared SSL included
  • Unlimited bandwidth
  • Web-based email for your domain(s)
  • Lots more

I'm not normally one to post an ad, but I've spoken to 3 people today who were paying twice as much for a lesser service - these are probably the same people who go to register.com for domains and verisign for SSL certificates.

Don't be one of those people.  ;)

- G
