Security Vulnerability

Operation must use an updateable query

2013-05-15T12:55:30.507-04:00

hi..

I am using ASP.net 4.0 and MS access 2010 as database.my website was working fine locally.When i hosted it in the web,during insert operation,this error is coming: "Operation must use an updateable query".What should i do to solve this error.I tried to change the permissions in the app_data folder,but alrealy read and write options are given for the user and administrator.Should i login as administrator to solve this issue.Please someone help me..I'm really in trouble.

Is 'allow url include...' a risk?

2013-05-13T01:59:01.747-04:00

I have my web site set up to e-mail me when an error occurs.

I just got an e-mail saying;
A potentially dangerous Request.Form value was detected from the client (="StackTrace

http://(NotMyName).com/default.aspx?-d+allow_url_include=1+-d+auto_prepend_file=php://input

(The querystring is definately NOT anything generated by any of our code....

Some limited web research indicates this is likely a hack attempt. Any suggestions about where I should look for further clues?

We uses the membership provider with asp.net 4.0. EVERY page in the web first checks to be sure the user is authenticated and redirects to the logon page if they are not. Data is in SQL Server, and some is in APP_DATA folder (nothing private is outside of these locations).

Thoughts?

I've to generate random numbers having specified lengths which was not in existing database record

2013-03-19T03:58:58.357-04:00

I've to generate random numbers having specified lengths which was not in existing database record. It means i've to generate those numbers like

9029303930
9494949949
8797979797

before check already we've had those numbers in databse

using C#

How can i Safe my Access Database from possible Hacking /Cracking of Password

2013-04-23T03:43:34.48-04:00

I've online and offline based asp.net applications on c#. I've controlled all applications through access database. What should i do to protect my those access databases.

Is ASP.NET Padding oracle Vulnerability still open on IIS 8 and .NET Framework 4.5

2013-04-24T14:55:34.227-04:00

As per my question title I am wondering if this vulnerability is still open as I am using Acunetix to test my applications and it keeps complaining about the vulnerability. I have implemented all the workarounds I can dig up and it is still complaining about it.

I just want to confirm that this vulnerability is closed before I continue to loose my hair over this.

MaxHttpCollectionKey issue

2013-04-19T17:46:04.61-04:00

Hi,

I am facing an error while page post back which says"Opertaion Invalid due to current state of an object". When I set the value of maxhttpCollectionkey to 5000 it allows some more data rows to be posted back. But after certain number of records it shows the error. I need some dynamic solution to this problem as fixing the value won't solve my problem where data postback is dyanmic. It depends on the user what the amount of data he wants to post.

Please suggest some alternative approach or implementation to this issue.

Regards,

Amit Agrawal

How can I identify that my page is requested by mail link, but not user's browser

2013-04-09T07:03:50.003-04:00

I just want to Prevent users request from mail hyperlink.

for some reason our users copy my whole page and send mail to others. in that copied item some of hyperlinks are available. from the available hyperlinks they can send requst to my website. pls suggest how to avoid this type of request.

html and script tags in forms encoding etc..

2013-04-03T17:52:05.767-04:00

I have a form where any characters are acceptable input. Obviously this leaves me vulnerable to XSS attacks. I know there are a few options such as making sure validaterequest is set to true on my asp.net pages, and/or using the html encode utility. If I do this however I wont be able to get the form to submit since I get the "a dangerous request...." error due to the characters I am allowing to be input. The problem I have is I dont neccesairly want encoded data input into my MSSQL database for a variety of reasons. The main reason is displaying the data and or decoding the data through ad hocs and SRS reports is not easy.

My question is what is the best way to handle the above situation?

HttpOnly cookies setup

2012-01-06T19:41:04.487-05:00

I have an SSL application, i want to marked with secure attribute so that it will only be transmitted if the communications channel with the host is via https. If the secure attribute is not specified an attacker or configration error could potentially cause the cookies to be transmitted over the http, and allowing unauthorized acces to the application.

My question is where in the IIS7 i can alter the configration set the "httponly" attribute on all cookies.

The application does not have "httponly"

Thanks

How to Implement licensing system to my .Net Website

2013-03-14T11:04:09.47-04:00

Hi
All I have created a website and I would like to implement license functionality to my website.[Users must have license to use website]. Does anyone knows any good free lincensing sytem?

Website code will be distributed and installed on diffrent client's servers.

my website is always attacked

2013-03-07T02:29:22.243-05:00

i have website configured to send me emails when it generates and error

i get tons of error messages

<div class="iw ajw">to me </div> <div class="ajy"></div> <div id=":59y">Error in: http://lovenmarry.com/News/viewnews.aspx?id=8 AND 2501=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(118)||CHR(97)||CHR(122)||CHR(58)||(SELECT (CASE WHEN (2501=2501) THEN 1 ELSE 0 END) FROM DUAL)||CHR(58)||CHR(108)||CHR(118)||CHR(112)||CHR(58)||CHR(62))) FROM DUAL). Error Message:Incorrect syntax near the keyword 'AND'. 'CHR' is not a recognized built-in function name. Incorrect syntax near '|'. 117.198.221.215 </div> <div></div> <div>my idea is to set cookie and block that user from surfing my website</div> <div>any ideas?</div>

UnderStand Hacker Attack and site secuirity

2013-03-05T13:55:34.2-05:00

hi every body

i want to understand if any hacker attack to my site.

1-how can i understand the attacker ip and how(which way eg Injection or ..) he attack me?

2-how can i log my event of site and any thing that user do in site?

generally i want to control my site because i m going to build a goverment site that geek user attack it .if any subject help me give it to me(just about site not server).

Get memebrship users from customize query

2013-03-04T08:24:26.143-05:00

I have table called AgencyUsers {AgencyId, UserName}

I want get memebrship user details for given AgencyId.

How can i do that, I use EF

SQL CLR deployment with unsafe permission

2013-01-18T10:28:15.7-05:00

Hi there,

I have two question

1) Deploying SQL CLR with unsafe permission is proper apporch (for ODBC connection & DDTeks required unsafe permission)

2) Some how ,can we deploy SQL CLR with EXTERNAL_ACCESS if I am using ODBC connection or DDTek dll in it

Thanks

Alankar

Generating extremely safe random codes

2013-02-26T06:57:08.827-05:00

Hi pals!

I have a DB and I want to fill it with a string with the size of, for example, 20 including alphabets and numbers. I was wondering if you'd mind telling me which methods/libraries I should use.

Thanks in advance!

My website doesn't work when using vpn software

2013-01-29T06:36:05.07-05:00

hi all forum
after I installed hotspot on my pc, and started to browse my website i found my web browser redirects me to another url and offers me to continue browsing my site if I continue browsing in private mode, but others sites opens directly. My website is hosted on windows server and uses c# language and I use parallel plesk to manage my website hosting. i want to know how can I make my website support private browsing directly without being redirected

How much it is safe to allow access to outside world to access my application

2013-02-22T07:58:11.9-05:00

Hi,

I have application in my LAN Network (Asp.net application with 4 layer architecture).

I want to it to go public to outside world.

How much it safe, wheather it can be hacked.

Kindly guide..

Thanks in advance

asp.net WebForms Ajax Recaptcha .Validate() is always returning false

2013-02-04T20:40:56.643-05:00

I used this exact same technique before and it always worked. For some reason when I'm doing this now the isvalide is always returning false. Can anyone explain this? Any help would be great. Every variation I try still returns a fail.

Thanks!

<%@ Register TagPrefix="recaptcha" Namespace="Recaptcha" Assembly="Recaptcha" %>

<recaptcha:RecaptchaControl ID="recaptcha"
                                                runat="server"
                                                Theme="clean"
                                                PublicKey="public key string"
                                                PrivateKey="private key string"
                                                EnableViewState="true"
                                                /><br />



                    <a href="Javascript:frmOnSubmit();" id="lnkSubmit" runat="server" class="button">Submit</a>

<script type="javascript">


        function frmOnSubmit() {
            var challengeField = $("input#recaptcha_challenge_field").val();
            var responseField = $("input#recaptcha_response_field").val();
            if (responseField.length == 0) {
                alert('* Must enter a value for Verfication.');
            } else {
                var postData = { 'chall': '\'' + challengeField + '\'', 'response': '\'' + responseField + '\'' };
                $.ajax({
                    type: "post"
                    , url: 'ReCaptchaExample.aspx/CheckCaptcha'
                    , data: JSON.stringify(postData)
                    , contentType: "application/json; charset=utf-8"
                    , dataType: "json"
                    , success: function (data, st) {
                        Recaptcha.reload();
                        if (st == "success") {
                            alert(data.d);
                        } else {
                            alert("Not Pass");
                            return false;
                        }
                    }, error: function (data, st) {
                        Recaptcha.reload();
                        $('#lblMessage2').html('* There was an issue with the form.')
                        return false;
                    }
                });
            }
        }


</script>

        [WebMethod]
        public static string CheckCaptcha(string chall, string response) {
            Recaptcha.RecaptchaValidator captchaValidtor = new Recaptcha.RecaptchaValidator {
                PrivateKey = "private key string",             
                RemoteIP = HttpContext.Current.Request.UserHostAddress,
                Challenge = chall,
                Response = response
            };

            Recaptcha.RecaptchaResponse recaptchaResponse = captchaValidtor.Validate(); 
            return (recaptchaResponse.IsValid) ? "pass" : "fail"; 

        }

My website is not responding sometimes.

2013-02-11T14:00:05.533-05:00

My website is not responding sometimes.

After restarting the IIS it will work. What will be the problem. I tried restarting the website itself. but didnt work. Only after IIS restart it works. It is happening now each week. Please tell me any reason.

Not able to access a folder from a web application and able to access it after restarting the machine.

2013-02-05T08:04:02.473-05:00

Hi,

I have a web application. In that we can upload a file to a location in two ways.

1. We have a Fileupload control from which user can upload a file to a location(eg:\\testmachine\share) which is shared to everyone.

2. We also have a automated job, which does this automatically. So when we place the file at a particular file location (eg: \\testmachine2\share2) or FTP , the job will download this file to the shared location (eg:\\testmachine\share).

But sometimes, the user is not able to upload the file using the first scenario. The entire issue is happened on production servers where i dont have any access.

Now i tried to reproduce the same behavior in my local machine and am able to reproduce this scenario. While am working on this i got the trace.Below is the trace.

Access to the path '\\testmachine\share\test.zip' is denied.,,mscorlib, at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode)
at System.Web.HttpPostedFile.SaveAs(String filename)
at System.Web.UI.WebControls.FileUpload.SaveAs(String filename)

Here is the Code:

--------------------------------------------------------------------------------

public static IList<DownloadInfo> Download(XmlDataDocument xDoc)
    {
      List<DownloadInfo> downloadedList = new List<DownloadInfo>();

      WebClient request = new WebClient();

      string user = xDoc.SelectSingleNode("configurationSettings/fileSourceServer").Attributes.GetNamedItem("user").Value;
      string password = xDoc.SelectSingleNode("configurationSettings/fileSourceServer").Attributes.GetNamedItem("password").Value;
      //domain is not used Curretly. This might be useful when UNC is implemented in authenticated mode.
      string domain = xDoc.SelectSingleNode("configurationSettings/fileSourceServer").Attributes.GetNamedItem("domain").Value;

      request.Credentials = new NetworkCredential(user, password);

      FileStream file = null;
      try
      {
        string serverType = xDoc.SelectSingleNode("configurationSettings/fileSourceServer").Attributes.GetNamedItem("type").Value;
        string serverPath = xDoc.SelectSingleNode("configurationSettings/fileSourceServer").Attributes.GetNamedItem("path").Value;
        if (serverType.Equals("ftp"))
        {
          if (!serverPath.ToLower().StartsWith("ftp://"))
          {
            serverPath = "ftp://" + serverPath.Trim();
          }
          else
          {
            serverPath = serverPath.Trim();
          }
          FtpWebRequest fwr = (FtpWebRequest)FtpWebRequest.Create(new Uri(serverPath));
          fwr.Credentials = request.Credentials;
          fwr.Method = WebRequestMethods.Ftp.ListDirectory;
          StreamReader sr = new StreamReader(fwr.GetResponse().GetResponseStream());
          string str = sr.ReadLine();
          while (str != null)
          {
            if (str.ToUpper().EndsWith(".ZIP"))
            {
              DownloadInfo dwnInfo = new DownloadInfo();
              dwnInfo.SourceServerZipFilePath = str;
              downloadedList.Add(dwnInfo);
            }
            str = sr.ReadLine();
          }
          // construct the server path, if file location is provided instead directory location.
          if (downloadedList.Count == 1)
          {
            if (serverPath.EndsWith(downloadedList[0].SourceServerZipFilePath))
            {
              string[] delimiter = { downloadedList[0].SourceServerZipFilePath };
              serverPath = serverPath.Split(delimiter, StringSplitOptions.RemoveEmptyEntries)[0];
            }
          }
          sr.Close();
          sr = null;
          fwr = null;

        }

        else if (serverType.Equals("file"))
        {
          //TODO in authenticated mode.
          if (!serverPath.ToLower().StartsWith(@"\\"))
          {
            serverPath = Path.GetFullPath(@"\\" + serverPath.Trim());
          }
          else
          {
            serverPath = Path.GetFullPath(serverPath.Trim());
          }

          DirectoryInfo dInfo = new DirectoryInfo(serverPath);
          FileInfo fInfo = new FileInfo(serverPath);
          if (dInfo.Exists)
          {
            FileInfo[] filelist = dInfo.GetFiles("*.zip");
            foreach (FileInfo f in filelist)
            {
              DownloadInfo dwnInfo = new DownloadInfo();
              dwnInfo.SourceServerZipFilePath = f.Name;
              downloadedList.Add(dwnInfo);
            }

          }
          else if (fInfo.Exists && fInfo.Extension.ToUpper() == ".ZIP")
          {
            DownloadInfo dwnInfo = new DownloadInfo();
            dwnInfo.SourceServerZipFilePath = fInfo.Name;
            downloadedList.Add(dwnInfo);
            serverPath = fInfo.DirectoryName;
          }
          else if (!dInfo.Exists || !fInfo.Exists)
            Logger.Error(String.Format("{0} is not accessible. Make sure the folder exists and the machine account where the system agent is installed has access to the folder.", serverPath));
        }

        if (downloadedList.Count == 0)
          Logger.Warn(string.Format("{0} does not have a ZIP file. Make sure the folder contains the ZIP file for each dataset.", serverPath));

        //Copy files to destination location (upload folder)
        foreach (DownloadInfo dwnInfo in downloadedList)
        {
          string strFile = dwnInfo.SourceServerZipFilePath;
          DateTime time = new DateTime();
          time = DateTime.Now;
          string date = time.ToString("yyyyMMdd-HHmmss_");

          Uri UriPath = new Uri(serverPath + "/" + strFile);
          byte[] filedata = request.DownloadData(UriPath);
          // create the destination path.
          string destPath = xDoc.SelectSingleNode("configurationSettings/fileDestinationServer").Attributes.GetNamedItem("path").Value;
          destPath = Path.Combine(destPath.Trim(), date + strFile);

          file = File.Create(destPath);
          file.Write(filedata, 0, filedata.Length);
          file.Close();
          file = null;
          //changing source server path to full path. Earlier only file name was assigned.
          dwnInfo.SourceServerZipFilePath = UriPath.OriginalString;
          dwnInfo.DestinationServerZipFilePath = destPath;
          //System.Console.WriteLine(strFile + " - Download Complete.");
        }

        //Extract all the downloded zip files at destination location.
        extractFile(downloadedList);
      }
      catch (Exception ex)
      {
        Logger.Error(String.Format("Exception occured: {0}", ex.Message), ex);
      }
      finally
      {
        if (file != null)
          file.Close();
      }

      return downloadedList;
    }

    private static void extractFile(IList<DownloadInfo> fileList)
    {
      ZipUtils zip = new ZipUtils();

      foreach (DownloadInfo dwnInfo in fileList)
      {
        try
        {
          FileInfo fInfo = new FileInfo(dwnInfo.DestinationServerZipFilePath);
          zip.extract(fInfo.FullName, fInfo.FullName.Replace(fInfo.Extension, ""));
          dwnInfo.DestinationServerUnzipFilePath = fInfo.FullName.Replace(fInfo.Extension, "");
        }
        catch (Exception ex)
        {
          Logger.Error(String.Format("Exception occured during extracting {0}", dwnInfo.SourceServerZipFilePath), ex);
        }
      }
    }

---------------------------------------------------------------------------------------------------------------------------

But when i restarted the machine in which the shared folder exists, am no more getting the issue.

Can any one please help me on to fix this and also its good to reproduce the issue.

Thanks,

Vinay.