Plip's Weblog

Phil Winstanley - British .NET chap based in Lancashire. Enjoys tea and tech. Working for Microsoft.

October 2004 - Posts

Preparing for ASP.NET 2.0


Firstly, let me thank those of you that attended the session on Wednesday, I really enjoyed giving the session and hope you got something worth while out of it, for those of you that didn't attend - shame on you ;-)

I would like to say I really appreciated everyone's patience with Visual Studio blowing up several times, all I can say is sorry and point at Microsoft ;-)

I want to again thank Alphameric for hosting the sessions each month and donating the room and time - without them it would not be possible to provide the .NET Exchange user group in Manchester.

If anyone has any comments or questions regarding the talk or any other topic you believe I may be of help in, please get in touch, I'd love to get your feedback :-) Just drop me a mail to

So here are some links to the slide deck and some other resources I mentioned on the night.

ASP.NET 1.x Security Vulnerability & Patches

Microsoft Web Developers UK

Slide Deck (1.23 mb) The slide deck was originally written by Microsoft and I adapted it to suit my own needs.

Plipster.NET the ASP.NET 2.0 site used throughout the presentation and one of only a few publicly hosted ASP.NET 2.0 Sites

Breaking Changes to all versions of the .NET Framework

ASP.NET Version Switcher

.NET Reflector (Decompilation tool)

Partial Classes in .NET 2.0

ASP.NET 2.0 Compilation

Open Source Error Reporting, if you find any problems let me know

MSDN Feedback Centre

.NET 2.0 SDK

ASP.NET 1.x Master Pages Implementation

List of new Page level events in ASP.NET 2.0

Creating Asynchronous pages in ASP.NET 2.0

Creating Asynchronous pages in ASP.NET 1.x

.NET 2.0 Provider Specification

Microsoft ASP.NET MVP

ASP Insider

ASP Advice Moderator

Portfolio Europe

Phil Winstanley's Blog

Phil Winstanley's Personal Site


Posted: Oct 21 2004, 09:40 PM by Plip | with 4 comment(s)
Filed under: ,
Windows XP Media Center Edition 2005 & Deamon Tools

Here's a quick warning for everyone, I just tried to upgrade my Media Center 2004 machine to 2005, it wanred me half way through the upgrade that it could not find the drivers for a "Mass Storage Device" but didn't give me the option to pause the installation.

I'm pretty sure this was Deamon tools as now the machine won't boot (even in safe mode) it gets to loading d346.sys and then blue screens (I can't see what it says as it immediatly reboots).

Time to format and give the machine a clean install



Posted: Oct 14 2004, 06:44 PM by Plip | with 4 comment(s)
Filed under:
ASP.NET Authentication Vulnerability

A note from the Microsoft ASP.NET Team:

This alert is to advise you of the availability of a web page that discusses an investigation Microsoft is currently conducting into public reports of a security vulnerability in ASP.NET.  A malicious user could provide a specially-formed URL that could result in the unintended serving of secured content. 

This alert is also to advise you of the availability of a new Microsoft Knowledge Base article: 887459.  This article contains prescriptive guidance with steps customers can implement on their ASP.NET applications to help protect against a wide variety of malformed URL attacks.

Microsoft is providing this prescriptive guidance in order to inform customers as quickly as possible about the vulnerability and information on how to prevent an attack.  Microsoft is actively investigating this issue and plans to release additional guidance and a security update to remedy the issue as soon as possible.

The Microsoft Knowledge Base article can be viewed here:

Code sample

The following samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. The event handler helps protect against invalid characters and malformed URLs by performing path verifications to help protect against common canonicalization issues.

Global.asax code sample (Visual Basic .NET)

<script language="vb" runat="server"> Sub Application_BeginRequest(Sender as Object, E as EventArgs) If (Request.Path.IndexOf(chr(92)) >= 0 OR _ System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then Throw New HttpException(404, "Not Found") End If End Sub </script> 

Global.asax code sample ( C#)

<script language="C#" runat="server"> void Application_BeginRequest(object source, EventArgs e) { if (Request.Path.IndexOf('\\') >= 0 || System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) { throw new HttpException(404, "not found"); } } </script> 

The web page that discusses the current investigation into the public reports of a vulnerability in ASP.Net can be viewed here:

If you have any questions, please see the discussion in the ASP.NET Security Forums at:


Posted: Oct 06 2004, 07:46 AM by Plip | with no comments
Filed under: , ,
More Posts