Tag Archives: C#

Mono 2.8 is Released.

The Mono developers have released Mono 2.8, a major update to the implementation of Microsoft’s .NET technology for Linux and other platforms.Mono 2.8 Released\r\n\r\nMiguel de Icaza, project lead, said in his blog that the release “contains ten months worth of new features, stability fixes, performance work and bug fixes”. The Mono C# compiler is now a complete implementation of the C# 4.0 specification and defaults to operating as a 4.0 based platform.\r\n\r\nA new Generational GC (Garbage collector) offers better performance for applications which consume and reuse large amounts of memory; benchmarkingshows CPU use is now much more predictable. Support for LLVM has now been marked as stable with a mono-llvm command allowing server applications to run with an LLVM back end, potentially offering greater performance; JIT compilation with LLVM is described as “very slow” in the release notes and therefore only currently suits long-lived server processes.\r\n\r\nOther changes include the incorporation of a range of new frameworks; the Parallel Framework and System.XAML are new to the core of Mono, while Microsoft’s open sourced frameworks (System.Dynamic, Managed Extensibility Framework, ASP.NET MVC 2 and the OData client framework System.Data.Services.Client) are bundled with Mono. Support for OpenBSD has also been incorporated into the release.\r\n\r\nMono 2.8 is not a long term support release as the updates have “not received as much testing as they should”; Mono 3.0 will be the next long term supported release and users wanting the “absolute stability” of a thoroughly tested version are recommended to use Mono 2.6. Information on other new features and details of removed libraries are available in the release notes. Mono 2.8 is available to download for Windows, Mac OS X, openSUSE, Novell Linux Enterprise Desktop and Server, Red Hat Enterprise Linux and CentOS and other Linux systems and is licensed under a combination of open source licences.

ASP.NET Security Vulnerability Workaround

Update on ASP.NET Vulnerability

\r\n Earlier this week We posted about an ASP.NET Vulnerability.\r\nMicrosoft is actively working on releasing a security update that fix the issues ready for broad distribution across all Windows platforms via Windows Update. We’ll post details about this once it is available.\r\n \r\n\r\nRevised Workaround and Additional URLScan Step\r\nIn our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.\r\nThis additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it.\r\n \r\n\r\nInstall and Enable IIS URLScan with a Custom Rule\r\n\r\nIf you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:\r\n\r\n \r\n

\r\nIt takes less than a minute to install on your server.\r\n \r\n\r\nAdd an Addition URL Scan Rule\r\nOnce URLScan is installed, please open and modify the UrlScan.ini file in this location:\r\n

%windir%\system32\inetsrv\urlscan\UrlScan.ini

\r\nNear the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:\r\n\r\n \r\n

[DenyQueryStringSequences]\r\naspxerrorpath=

\r\nThe above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.\r\nAfter saving this change:\r\n\r\n

run “iisreset”\r\nfrom a command prompt (elevated as admin\r\n

\r\nFor the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.\r\n URL Scan Summary\r\nIf you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.\r\nOur team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.\r\nOnce we release the security update, you will no longer need to implement any workaround steps.\r\n\r\nThe alternative option: Using IIS request filtering:\r\nThese instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.\r\n1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manger by selecting the feature under Internet Information Services, World Wide Web Services, Security.\r\n2. Launch Internet Information Services (IIS) Manager.\r\n3. Select the server node in the left pane.\r\n4. Double-click Request Filtering.\r\n5. Select the Query Strings tab and click Deny Query String … in the Actions pane.\r\n6. Enter aspxerrorpath= in the dialog box and select OK.\r\n\r\nAlternatively, you can also use the following appcmd command to set this request querystring:\r\n

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence=’aspxerrorpath=’]

\r\nFor more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.\r\n\r\nConfigure ASP.Net applications to use uniform custom errors\r\nIn the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.\r\nIf the ASP.NET application does not have a web.config file:\r\n\r\nOn .NET Framework 3.5 and earlier\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx\r\n\r\nfile:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif (disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title> </title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request.     </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()\r\nprng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd IfEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div>  An error occurred while processing your request.  </div>\r\n</body>\r\n</html>

\r\nIf the ASP.NET application already has a web.config file:\r\n\r\nOn .NET Framework 3.5 RTM and earlier\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> …  </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n]\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.\r\n3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> … </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>]\r\n</configuration>\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif\r\n(disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New  RNGCryptoServiceProvider()       prng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd If\r\nEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\nImpact of Workaround:\r\nIf an error occurs during a Web transaction, the Web clients will see the same generic error message on the server, regardless of what error actually occurs. Additionally, any requests for Web pages which contain the string aspxerrropath= in the querystring portion of the URL will be blocked, and an HTTP error message returned to the client.\r\n\r\nYou can learn more about this vulnerability and the workaround from:\r\n\r\n