[karsten samaschke]

Today's SPAM count

2005-01-29T01:12:00Z

...is 181 SPAM-mails in my inbox...

Man, I am really important!

Bug in CommunityServer::Forums 2.0.1 fixed

2005-01-26T00:09:00Z

After playing a while with the current version of Telligent's Community Server :: Forums 2.0.1, I found a real work-around for its annoying moderation bug in the administration. The complete solution is posted here:

http://weblog.ksamaschke.de/PermaLink,guid,26003bf3-0e04-497c-bca7-290e4bd66569.aspx

:-)

ASP.NET Forms vulnerability does not only affect Forms Authentication!

2004-10-02T21:20:00Z

It gets worse and worse: As Lorenzo Barbieri states in is weblog (http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx), the \- and %5c-vulnerability does not only affect Forms Authentication: It also affects Windows Authentication!

If you secure a path - say: http://localhost/site/secure/default.aspx - and the client (=browser) tries to access the resource using Backslashes or (even worse) the hexadecimal representation (http://localhost/site/secure\default.aspx or http://localhost/site/secure%5cdefault.aspx or a mixture of it: http://localhost/site/secure\%5cdefault.aspx), IIS does not reject the request, but allows you to enter the resource without any authentication. This affects every pre-Windows 2003 system without URLScan and / or IIS Lockdown tool.

To protect yourself from this type of vulnerability, install URLScan and execute IIS Lockdown tool!

Additional resources:

URLScan: http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
IIS Lockdown tool: http://www.microsoft.com/technet/security/tools/locktool.mspx

Major ASP.NET Forms Authentication vulnerability found!

2004-10-02T20:12:00Z

A major ASP.NET Forms Authentication vulnerability has been found! In short: When you secure sub-directories using Forms Authentication, you'll usually define this in your web.config. If you use IE to access a sub-directory - for example http://localhost/site/secure/default.aspx - you'll be redirected to the defined login page. This will also happen, when you have a typo - say: http://localhost/site/secure\default.aspx (note the backslash). But - and this is the bug - it wont happen with Mozilla Firefox or other browsers. When you try to access a secured directory using this browsers and the malicious url, you'll be able to access the directory. Without any Authentication. This is serious!

IE is not affected, because it rewrites the url before sending the request to the server. If you type the malicious url in a different way - say: http://localhost/site/secure%5Cdefault.aspx - it will be behave as the other browsers.

Affected systems: Every Windows before Windows 2003 with an installed .NET framework. Because in IIS6 (which is shipped with Windows 2003) Microsoft has rewritten the parser responsible for doing path normalization.

Solution: Install URLScan and run the IIS Lockdown Tool.

More information:

Got my 4th MVP award!

2004-10-02T19:54:00Z

Two days ago I was informed about my fourth MVP award. I'm really proud of this and I want to thank Microsoft for this. And I will continue to do community work. This is a promise!

Having been off for nearly four months...

2004-10-02T19:52:00Z

...but I was quite busy: I wrote my very first Java book. And I worked a lot. And I finally bought a new laptop - it is an IBM ThinkPad R50p, which I don't want to miss anymore... :-)

Help: Looking for a quit Centrino!

2004-07-12T21:26:00Z

Now I need your help: I own a Dell Inspiron 8200, which is okay for my work. But there is one thing that drives me crazy: It is noisy! The cooler's always running and it is loud enough to be heard from the other side of the room. :-(

So, I need your recommendations for the successor of my noisy dell: It will need to have a Pentium-M-processor, the Centrino-certificate, a 1400x1050 or 1600x1200 (or something in between) 15.x" display, a seperate graphics-adaptor (ATI Rage 9x00 or some NVidia device), some 40+ gig harddisk, dvd burner and at least 1gb of ram. And, most of all, it should be quit!

Until now, I was looking at Dell's Inspiron 8600c and at IBM's ThinkPad R51. If you know better / similiar units or if you're using one of the devices, I'd appreciate your info! :-)

Useful article on XML-Serialization

2004-07-12T21:18:00Z

Read it once, read it twice and still find it very useful: http://msdn.microsoft.com/msdnmag/issues/03/06/XMLFiles/

Funny one: Files named incorrectly at MSDN Subscriber Downloads

2004-07-07T04:25:00Z

This mail just dropped in:

--- SCHNIPP ---

Our records indicate you recently downloaded Visual C# 2005 Express Beta 1 and/or Visual C++ 2005 Express Beta 1 from MSDN Subscriber Downloads at http://msdn.microsoft.com/subscriptions/downloads. Unfortunately these two files were incorrectly named: the Visual C# download was actually Visual C++ and vice versa. The file names have since been corrected.

You can verify the correct files by their file size:

Visual C++ (en_vc_2005_express_beta1.iso): 297.57 MB (312,027,136 bytes)

Visual C# (en_vcs_2005_express_beta1.iso): 261.03 MB (273,704,960 bytes)

We apologize for any inconvenience this may have caused.

--- SCHNAPP ---

And I was wondering about the odd new C# syntax... :-)

Is Microsoft going to drop C#?

2004-07-05T11:24:00Z

As Hannes Preishuber reports in his weblog, MS is going to drop C#. It sounds like a joke. Or is it serious? Ask Hannes, if you want to know more... :-)