...is 181 SPAM-mails in my inbox...

Man, I am really important!

It gets worse and worse: As Lorenzo Barbieri states in is weblog (http://weblogs.asp.net/lbarbieri/archive/2004/10/02/237049.aspx), the \- and %5c-vulnerability does not only affect Forms Authentication: It also affects Windows Authentication!

If you secure a path - say: http://localhost/site/secure/default.aspx - and the client (=browser) tries to access the resource using Backslashes or (even worse) the hexadecimal representation (http://localhost/site/secure\default.aspx or http://localhost/site/secure%5cdefault.aspx or a mixture of it: http://localhost/site/secure\%5cdefault.aspx), IIS does not reject the request, but allows you to enter the resource without any authentication. This affects every pre-Windows 2003 system without URLScan and / or IIS Lockdown tool.

To protect yourself from this type of vulnerability, install URLScan and execute IIS Lockdown tool!

Additional resources:

• URLScan: http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
• IIS Lockdown tool: http://www.microsoft.com/technet/security/tools/locktool.mspx

A major ASP.NET Forms Authentication vulnerability has been found! In short: When you secure sub-directories using Forms Authentication, you'll usually define this in your web.config. If you use IE to access a sub-directory - for example http://localhost/site/secure/default.aspx - you'll be redirected to the defined login page. This will also happen, when you have a typo - say: http://localhost/site/secure\default.aspx (note the backslash). But - and this is the bug - it wont happen with Mozilla Firefox or other browsers. When you try to access a secured directory using this browsers and the malicious url, you'll be able to access the directory. Without any Authentication. This is serious!

IE is not affected, because it rewrites the url before sending the request to the server. If you type the malicious url in a different way - say:  http://localhost/site/secure%5Cdefault.aspx - it will be behave as the other browsers.

Affected systems: Every Windows before Windows 2003 with an installed .NET framework. Because in IIS6 (which is shipped with Windows 2003) Microsoft has rewritten the parser responsible for doing path normalization.

Solution: Install URLScan and run the IIS Lockdown Tool.

More information:

• http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0409&L=ntbugtraq&F=P&S=&P=9884
• http://silverstr.ufies.org/blog/archives/000702.html
• http://www.leastprivilege.com/PermaLink.aspx?guid=dc18954a-f2e8-4d30-b879-40df383aba4d
• http://sourceforge.net/mailarchive/message.php?msg_id=9678578

...but I was quite busy: I wrote my very first Java book. And I worked a lot. And I finally bought a new laptop - it is an IBM ThinkPad R50p, which I don't want to miss anymore... :-)

Now I need your help: I own a Dell Inspiron 8200, which is okay for my work. But there is one thing that drives me crazy: It is noisy! The cooler's always running and it is loud enough to be heard from the other side of the room. :-(

So, I need your recommendations for the successor of my noisy dell: It will need to have a Pentium-M-processor, the Centrino-certificate, a 1400x1050 or 1600x1200 (or something in between) 15.x" display, a seperate graphics-adaptor (ATI Rage 9x00 or some NVidia device), some 40+ gig harddisk, dvd burner and at least 1gb of ram. And, most of all, it should be quit!

Until now, I was looking at Dell's Inspiron 8600c and at IBM's ThinkPad R51. If you know better / similiar units or if you're using one of the devices, I'd appreciate your info! :-)

Read it once, read it twice and still find it very useful: http://msdn.microsoft.com/msdnmag/issues/03/06/XMLFiles/

This mail just dropped in:

--- SCHNIPP ---

Our records indicate you recently downloaded Visual C# 2005 Express Beta 1 and/or Visual C++ 2005 Express Beta 1 from MSDN Subscriber Downloads at http://msdn.microsoft.com/subscriptions/downloads. Unfortunately these two files were incorrectly named: the Visual C# download was actually Visual C++ and vice versa. The file names have since been corrected.

You can verify the correct files by their file size:

Visual C++ (en_vc_2005_express_beta1.iso): 297.57 MB (312,027,136 bytes)

Visual C# (en_vcs_2005_express_beta1.iso): 261.03 MB (273,704,960 bytes)

We apologize for any inconvenience this may have caused.

--- SCHNAPP ---

And I was wondering about the odd new C# syntax... :-)