August 28
Since announcing support for Silverlight hosting we’ve had a great deal of interest in it by developers and designers alike. I think we’ll see some really great things out of the developer community on Silverlight in the very near future.
Today I learned that MSDN is offering a free half day training event and one of the topics is Silverlight. You can get more information on this event at: http://www.msdnevents.com
As I learn of other training and information offers I’ll post them as well.
August 24
So we can’t just pick up the phone to say “WAZZUP” (like Mario and the boys above) in the blogosphere but thanks to AOL’s AIM WIMZI widget you can carry on a live chat with your blog visitors.
Embedding your own Free AIM livechat in your website
AOL/AIM is providing a web widget that you can embed into your website very easily using either HTML or Flash. By using their simple web wizard it’s as easy as cut and paste to integrate into your website.
The nice thing about WIMZI is that it ties back to your AIM IM account and you receive IMs from the web widget in your normal AIM app.
See AIM WIMZI in action right here.
The WIMZI is embedded in my blog at the footer. To integrate WIMZI with WordPress I used an HTML widget and just copied and pasted the HTML in. I’m using the Flash widget because it seems to be pretty widely used.
August 21
We recently needed a way to extract files from a SharePoint site’s document libraries. With SharePoint all the files are stored in a SQL database so it would seem connecting to the database and pulling all the files out manually wouldn’t be such a hard thing to do. After a fair amount of time googling for such a solution I finally found it over at Mark Jen’s blog. Mark’s solution, it turns out, didn’t work for WSS 3.0 but in the comments a fella by the name of eric writes:
I have modified the code to work with SharePoint 07. Since the Content is stored in a new table with 07, the query piece needs to be a little different. Just replace line 24 with the string below. It worked perfectly for me after that.
Find
com.CommandText =
August 14
If you’re seeing viewstate errors like “The viewstate is invalid for this page and might be corrupted” here’s the dealio. For security ASP.NET encrypts the viewstate using an Autogenerated Key that is generated when your application pool (or worker process) is started. At AppliedI.net (and many hosts today) each website is placed in a unique application pool so your site is isolated from the other sites on the server. If your application pool recycles for whatever reason, the viewstate key will change and when you go to post back to your application it may fail with the gloriously informative error of:
“The viewstate is invalid for this page and might be corrupted”.
What’s causing the application pool to do this?
Your application pool is most likely recycling for one of these reasons:
1. You edited your web.config and that caused the change (not likely)
2. IIS was reset on the server and that caused the change (less likely)
3. Your application errored out, causing the application pool to recycle (possible)
4. Your application pool reached a memory limit and was forced to recycle (I put my money on the #4 horse to win! This is probably it)
All hosts today that use dedicated application pools, isolated application pools or “website sandboxing” (whatever they may be called) also set a memory limit on the application pool in shared hosting; some set it more aggressively than others. The advanced web applications of today use more and more resources as they become more complex. It’s not uncommon to find a web application using anywhere from 150-350MB of memory today, although the average is still just in the range of 80-120MB.
The good news is you have options on how to get around this.
1. You can upgrade your shared hosting account to an account that has a higher memory limit. At appliedi.net we offer 4 different shared hosting accounts each with separate memory limits.
2. You can upgrade to a VPS hosting account or dedicated hosting account and set an even higher memory limit.
3. You can completely disable the viewstatemac by adding enableViewStateMac="false" in your web.config. This would be a bad thing though, and you can google viewstate injection for why this is bad.
4. You can generate a predefined key and stop using the default autogenerated key method.
#4 is probably the route you’ll want to go. My recommendation is to go with #1 first and not just because I work for a hosting company and want to see you spend more money per month. I recommend you upgrade your hosting account to an account that has a reasonable memory limit for your application because every time that application pool recycles your site is going to be slow as it recompiles and initializes the application. You also just lost your session state information so if you’re an ecommerce site and your client was in the middle of a checkout, they probably just lost their cart contents and have to start over.
Creating a predefined viewstatemac key
The guys over at www.aspnetresources.com have a keycreator tool that makes generating your own predefined viewstatemac key effortless. To do this you’d do the following:
- Visit http://www.aspnetresources.com/tools/keycreator.aspx and use it to build a key
- Copy this key into your application’s web.config file between <system.web> and </system.web>
- Save your web.config file and test your application to make sure it still works. If for some reason it doesn’t work, you can delete the changes and revert back.
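The steps above can be checked mechanically. The following is an added example, not code from this post or from the keycreator tool: it builds a `<machineKey>` element from the operating system's random source and audits a web.config for the viewstate settings discussed here. Generating the key locally, the function names, the length policy and the sample documents are assumptions of the example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX = re.compile(r"^[0-9A-Fa-f]+$")


def new_machine_key():
    """Return a <machineKey> element whose keys come from the OS CSPRNG."""
    validation_key = secrets.token_hex(64).upper()  # 64 bytes = 128 hex chars (SHA1)
    decryption_key = secrets.token_hex(32).upper()  # 32 bytes = 64 hex chars (AES)
    return ('<machineKey validationKey="{}" decryptionKey="{}" '
            'validation="SHA1" decryption="AES" />').format(validation_key, decryption_key)


def audit_web_config(xml_text):
    """List viewstate-related findings in a web.config (assumes no XML namespace)."""
    findings = []
    system_web = next(ET.fromstring(xml_text).iter("system.web"), None)
    pages = system_web.find("pages") if system_web is not None else None
    key = system_web.find("machineKey") if system_web is not None else None
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: viewstate is not integrity-protected")
    # Assumption: with no explicit element the inherited default is AutoGenerate.
    validation_key = key.get("validationKey", "AutoGenerate") if key is not None else "AutoGenerate"
    if "AutoGenerate" in validation_key:
        findings.append("autogenerated validationKey: no predefined key is configured")
        return findings
    decryption_key = key.get("decryptionKey", "")
    # Policy of this example: the lengths new_machine_key() produces.
    if not HEX.match(validation_key) or len(validation_key) < 128:
        findings.append("validationKey is not 128 hex characters")
    if not HEX.match(decryption_key) or len(decryption_key) != 64:
        findings.append("decryptionKey is not 64 hex characters")
    return findings


# Constructed samples: option 3 from the list above, then a predefined key.
SAMPLE_WEAK = """<configuration><system.web>
  <pages enableViewStateMac="false" />
</system.web></configuration>"""
SAMPLE_FIXED = "<configuration><system.web>{}</system.web></configuration>".format(
    new_machine_key())

if __name__ == "__main__":
    print(new_machine_key())
    for name, doc in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit_web_config(doc))
```

Treat the generated element as a secret: anyone who holds the validation key can produce viewstate the application will accept.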
Where to learn more
There’s always Google. But Microsoft has a pretty extensive article in their KB at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;829743 that will also help. If this sounds like something that’s happening to you at AppliedI.net on your ASP.NET hosting account please contact our support team and they’ll be happy to help you troubleshoot the issue.
August 1
I subscribe to windowsecurity.com’s newsletter which is actually a pretty good read. Today’s newsletter has an article about the Microsoft UK Events Website getting defaced and goes into great detail to show just how the site was compromised.
In a nutshell, they used SQL Injection and the fact that the web.config was configured to display errors instead of displaying a custom error page.
I highly recommend any developer or website owner to review the article at:
http://www.windowsecurity.com/articles/Microsoft-UK-Events-Website-Hacked.html
so that they can avoid falling prey to these same tactics.
As a host, I can firmly say the #1 issue we see today with sites getting defaced is a weak password (using “password”, your username, or other simple passwords simply isn’t secure) and the #2 issue is SQL Injection. Not many website owners (and unfortunately web developers) are familiar with SQL Injection, and they assume that their web app is inherently safe; this is a classic ASS-U-ME assumption. WindowsSecurity.com recommends that you use a commercial product from Acunetix to scan the security of your site. But other resources are:
- ScanAlert’s (or any other reputable scanning company’s) PCI compliance scanning service: http://www.appliedi.net/scanalert-pcicompliance/ which is offered free for the first year for AppliedI.net hosted websites.
- Nessus is a freely available scanning solution you can use as well (and the same tool many commercial security scanning providers use)
- xfocus.org also has a scanning tool called x-scan that I like to use as well. It uses Nessus rules but is created by a Chinese company so there’s not really any documentation on it.
This is by no means the end-all article on web site security, but if you read the windowsecurity.com article I think you’ll be more aware of the techniques being used by hackers today, and if you sign up for one of the commercial services and also experiment with a few of the free tools available today you’ll be a little more aware of just what’s out there.
Oh, and one word of advice on using security scanners: most hosts today employ IPS (intrusion protection servers) or some other network security devices, so don’t be surprised if your live website becomes unavailable when you attempt to scan it. That could mean one of two things happened: one, you crashed your website and have a serious issue, or two, the host’s IPS or other network security saw your scans as an attack and has disabled your access to their network. It’s a good idea to scan your application locally of course, and should you need to do a remote scan, let your host know beforehand.