
Wednesday, September 29, 2010

Tech Matrix 2 :: Technical Sessions & Loads of Gifts...

Thundering Brain storming technical sessions with stage set to go…

It’s a get-together of Hyderabadtechies.

What do I win if I attend this event .............???

One or more gifts in this mega List

  • Dual Cam Dual Sim Ipod Phone (Don't keep high expectations, it's China made)
  • 10 .Net Ninja /Telerik T Shirts (Prove yourself a perfect geek)
  • 10 O'Reilly Discount Coupons (Enjoy the special discount)
  • 10 Mini Mementos (Feel proud to keep it on your desk)
  • 10 Mini Mobile Recharge Vouchers (10 rs - 100 rs)
  • 10 pens (keep on writing......)
  • 10 Kit .................cats (go on, eat)
  • 10 Hyderabadtechies points coupons (10000 points to reach Hall of fame)
  • Every one will get a participation certificate PDF
  • Every one will get 3 Vouchers for Tech Class Rooms
  • Every one will get 3 Vouchers for Mock Interviews
  • Special Gifts ..... coming soon....

All multi-talented techies under one roof. Assuring that you will return with a wonderful experience.

Wondering What’s this all about?

Hyderabad Techies successfully organized its first offline event, Tech Matrix. We are now going to launch the second phase, Tech Matrix2. We are putting in all efforts to make it a grand success, which is possible only with your co-operation. We know how valuable your time is, so we are coming up with a schedule which can add incredible value to your time.

TECH MATRIX2

The technical boon: offline sessions from Hyderabad Techies. Let's meet at one place to share and gain knowledge.

Agenda

OCTOBER 9th Saturday


9:30 AM - 10.00 AM - Open Registrations / Peer networking

10.00 AM - 10.45AM- Cloud Computing/Windows Azure

By Mukul (Microsoft)


10.45 AM - 11. 30 AM- Developing Ensuring the Quality Code with VSTS 2010

By Mr. Durga Rao (eCanarys)


11.30 AM - 11.45 AM - Tea + Snacks
11.45 AM- 12.00 PM - Prize Distribution


12.00 PM - 12.40 PM –MOSS 2010

By Tanveer Fatma (Microsoft)


12.45 PM - 1. 30 PM - .Net apps/Telerik Controls

By Surender (HCL/Microsoft)


1.30 PM - 2.00 PM - Lunch followed by Closing Note

:: Group Photo ::

To know more about TechMatrix2 contact admin@hyderabadtechies.info or chandrashekarthota@gmail.com

Feel free to contact

Mr. ChandraShekarThota @ +91 – 8801094253
or
Chakravarthy in case you face any issue finding out venue.



Please Use this opportunity and attend the session to learn about new things..


Thanks

Anil Kumar Pandey


Monday, September 20, 2010

Important: ASP.NET Security Vulnerability

A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

How to Workaround The Vulnerability

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page - regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.

Enabling the Workaround on ASP.NET V1.0 to V3.5

If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the below steps to enable and map all errors to a single error page:

1) Edit your ASP.NET Application’s root Web.Config file. If the file doesn’t exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings:

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>

3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.

Notes: The important things to note above are that customErrors is set to “on”, and that all errors are handled by the defaultRedirect error page. There are not any per-status code error pages defined – which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.

Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0

If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable and map all errors to a single error page:

1) Edit your ASP.NET Application’s root Web.Config file. If the file doesn’t exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings. Note the use of redirectMode="ResponseRewrite" with .NET 3.5 SP1 and .NET 4.0:

<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>

3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed anytime an error occurs within the web application.

4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.

VB Version

Below is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save this Error.aspx file into the application directory on your web-server:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

Error
Sorry - an error occured

C# Version

Below is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application – you can optionally just save it into the application directory on your web-server:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

Error
An error occurred while processing your request.

How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx

If you see the custom error page appear (because the file you requested doesn’t exist) then your configuration should be set up correctly. If you see a standard ASP.NET error then it is likely that you missed one of the steps above. To see more information about what might be the cause of the problem, you can try setting <customErrors mode="RemoteOnly" /> – which will enable you to see the error message if you are connecting to the site from a local browser.

How to Find Vulnerable ASP.NET Applications on Your Web Server

We have published a .vbs script that you can save and run on your web-server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here. Simply copy/paste the script into a text file called “DetectCustomErrors.vbs” and save it to disk. Then launch a command window that is elevated as admin and run “cscript DetectCustomErrors.vbs” to run it against your local web-server. It will enumerate all of the applications within your web server and verify that the correct configuration has been specified.


It will flag any application where it finds that an application’s web.config file doesn’t have the <customErrors> section (in which case you need to add it), or doesn’t have it set correctly to work around this attack (in which case you need to update it). It will print “ok” for each application web.config file it finds that is fine. This should hopefully make it easier to locate issues.

Note: We have developed this detection script over the last few hours, and will be refining it further in the future. I will post an update in this section each time we make a change to it.
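
The checks the detection script is described as making, written out as an added Python example (this is not Microsoft's DetectCustomErrors.vbs; the function names, the `require_response_rewrite` switch and the sample files are constructed for illustration):

```python
# Added example (not Microsoft's DetectCustomErrors.vbs): audit web.config text
# for the customErrors workaround described above.
import xml.etree.ElementTree as ET


def local_name(tag):
    """Drop an XML namespace prefix such as '{uri}customErrors'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text, require_response_rewrite=False):
    """Return a list of findings; an empty list means the file is ok."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["unparseable web.config: %s" % exc]

    # Collect every <customErrors> under any <system.web>, including ones
    # nested inside <location> elements.
    sections = [child
                for node in root.iter() if local_name(node.tag) == "system.web"
                for child in node if local_name(child.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section: add one"]

    findings = []
    for ce in sections:
        mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        if mode.lower() == "off":
            findings.append("customErrors mode is Off")
        if not ce.get("defaultRedirect"):
            findings.append("no defaultRedirect: errors are not mapped to one page")
        if any(local_name(c.tag) == "error" for c in ce):
            findings.append("per-status-code <error> entries make responses differ")
        redirect_mode = ce.get("redirectMode", "ResponseRedirect")
        if require_response_rewrite and redirect_mode.lower() != "responserewrite":
            findings.append("redirectMode is not ResponseRewrite")
    return findings


def wrap(section):
    """Build a minimal constructed web.config around one <system.web> body."""
    return "<configuration><system.web>%s</system.web></configuration>" % section


# Constructed sample files; only the first two follow the workaround.
SAMPLES = {
    "v2-ok": wrap('<customErrors mode="On" defaultRedirect="~/error.html" />'),
    "v4-ok": wrap('<customErrors mode="On" redirectMode="ResponseRewrite" '
                  'defaultRedirect="~/error.aspx" />'),
    "mode-off": wrap('<customErrors mode="Off" />'),
    "per-status": wrap('<customErrors mode="On" defaultRedirect="~/error.html">'
                       '<error statusCode="404" redirect="~/404.html" />'
                       '</customErrors>'),
    "no-section": wrap(""),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_web_config(text) or "ok")
```

Pass `require_response_rewrite=True` for applications on ASP.NET 3.5 SP1 or 4.0, where the workaround above also sets redirectMode.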

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:

Forum for Questions

We have setup a dedicated forum on the www.asp.net site to help answer questions about this vulnerability.

Post questions here to ask questions and get help about this vulnerability.

Summary

We will post more details as we learn more, and will also be releasing a patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).

Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.

Thanks,


Anil Kumar Pandey

Monday, September 13, 2010

'Here You Have' Mass Mailing Worm Spreading

Hello All,

A new kind of worm/virus is spreading; please be aware of it. The details are below, please check them.

Have you received a mail recently that had the subject - 'Here you Have'? It may be a virus/ worm.

There is a new mass mailing worm out in the wild and it is sending emails with the topic "Here You Have" or "Just For You". In addition, it also spreads via drives C: through H:. When spreading through email, the message contains a link to the worm hosted on a remote server. The file icon resembles a PDF document to maximize the chances of the user clicking on it. Once the client system is infected, Win32/Visal.B uses MAPI to perform a mass mailing to all contacts that it finds on the system. Unfortunately, in a corporate environment the target audience may be extensive. As more machines on a corporate network are infected, more and more email is sent around on the local network, which can cause mail server performance degradation.

Also, once inside a corporate/ home network, it spreads by finding any accessible computer in the network, and copies itself as "N73.Image12.03.2009.JPG.scr" to drives C: to H: of the target computer. The worm creates an autorun configuration file named "autorun.inf" to run the worm copy when the drive is accessed and Autorun is enabled.

A sample email that you may receive looks like:

Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,

---------------------------------------------------------------------------

Microsoft is calling the worm: Worm:Win32/Visal.B. The worm does not leverage a vulnerability in a specific product, but rather, uses a social engineering technique called URL obfuscation to trick a user to launch a malicious SCR file.

An extensive summary of the worm can be found at the Microsoft Malware Protection Center Technical Summary:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B

If you would like to stay safe from this, please don't click on links sent by unknown people or in mails that have the above structure. Microsoft has already updated their antimalware signatures and you are protected if you are running Windows Defender or Windows Security Essentials.
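
A mail-gateway style check for the link mismatch described above, as an added example that is not part of the original post or of Microsoft's tooling; the extension list, the function names and the `example.invalid` target in the sample message are assumptions constructed for illustration:

```python
# Added example: flag HTML mail whose visible link text names one file while
# the href points somewhere else (the URL obfuscation described in the post).
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_SUBJECTS = {"here you have", "just for you"}   # subjects named in the post
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com"}  # assumed local policy list


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def url_ext(url):
    """Lower-cased file extension of the URL path, '' when there is none."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def triage(subject, html_body):
    """Return the reasons a message resembles the lure; [] when none apply."""
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches known lure")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        if not text.lower().startswith(("http://", "https://")):
            continue  # compare only when the visible text is itself a URL
        shown_host = urlparse(text).netloc.lower()
        real_host = urlparse(href).netloc.lower()
        if shown_host != real_host:
            reasons.append("shown host %s, real host %s" % (shown_host, real_host))
        if url_ext(href) in EXECUTABLE_EXTS and url_ext(text) != url_ext(href):
            reasons.append("shown as %s, target is %s"
                           % (url_ext(text) or "no extension", url_ext(href)))
    return reasons


# Constructed messages: the visible URL is the one quoted in the post, the href
# is a placeholder standing in for wherever the .scr was really hosted.
LURE_MAIL = ('<p>This is The Document I told you about,you can find it '
             '<a href="http://files.example.invalid/library/PDF_Document21.scr">'
             'http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf'
             '</a></p>')
BENIGN_MAIL = ('<a href="https://intranet.example.invalid/q3.pdf">'
               'https://intranet.example.invalid/q3.pdf</a>')

if __name__ == "__main__":
    print(triage("Here you have", LURE_MAIL))
    print(triage("Quarterly report", BENIGN_MAIL))
```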


The complete article can be read from here... "MERA WINDOWS"


Thanks,

Anil Kumar Pandey

MVP Visual c#

Wednesday, September 8, 2010

Data Binding Directions in WPF

Hello All,
As you all know, binding in WPF is simple: with the help of the "Binding" keyword we can bind an item to any data source. For binding there must be two things, a "Source" and a "Target". The target can be any control or property derived from DependencyProperty, and the source can be any of the following:

  • Public Property of a control
  • CLR(Common Language Runtime) Object
  • XML Element
  • A Dataset
  • and the Static Resource
Text="{Binding ElementName=lbSource}"

Here I am going to discuss the various data binding directions available in WPF. There are 4 different binding directions, and we can use them according to our need. The various binding directions are:

  1. OneWay
  2. OneWayToSource
  3. OneTime
  4. TwoWay
OneWay :- The most common and the first direction used in WPF data binding is OneWay. This is the default binding direction, which does not need to be specified; in this direction the data always flows from Source to Target. The default binding of the Text property of the TextBlock is OneWay. This is useful when we just want to display the result to the users.


OneWayToSource :- This is similar to the OneWay binding, but the main difference is that with the OneWayToSource direction the data flows from Target to Source. This can be useful when we want the user to be able to change the value in the back end.

OneTime :- OneTime is also similar to the OneWay binding direction, but with this option a change in the source is not always reflected in the target; the target gets updated only when the application loads or there is a context change. This is pretty useful when we want to display to the user a read-only type of value which does not change each time.

TwoWay :- This is the binding direction to use in WPF when we want the value to be changeable from either side. Here the changes get reflected each time the source value or the target value is changed. This can be quite useful when we want to display the value to the user as well as allow the user to change the value in the back end.

Hope you have all understood what the data binding directions in WPF are. As I always say, things are not complex until we know them. Here are examples of using the binding.

<StackPanel>
<TextBlock Width="248" Height="24" Text="Colors:"
TextWrapping="Wrap"/>
<ListBox x:Name="lbSource" Width="248" Height="56">
<ListBoxItem Content="Blue"/>
<ListBoxItem Content="Green"/>
<ListBoxItem Content="Yellow"/>
</ListBox>

<TextBlock Width="100" Height="30" Text="You selected color:" />

<TextBlock Width="100" Height="30">
<TextBlock.Text>
<Binding ElementName="lbSource" Path="SelectedItem.Content"/>
</TextBlock.Text>
</TextBlock>
</StackPanel>



I hope this post will help in understanding the things of bindings in WPF. Please feel free to post the comments.

Thanks
Anil Kumar Pandey
MVP (Visual c#)

Friday, September 3, 2010

Create a Modal Popup using the Ajax Modal Popup Extender

Hello All,
Here is a sample application for creating a modal popup. For this I am going to use the Ajax ModalPopupExtender control. Before using it you must ensure that the Ajax Control Toolkit is installed on the machine, or add a reference to AjaxControlToolkit.dll in the application.

Use of a ScriptManager control in the page is mandatory, so make sure you have placed a ScriptManager control inside the page. If you are using a master page, place the ScriptManager tag inside the master page. It will look like this:

<asp:ScriptManager ID="ScriptManager1" runat="server">
</asp:ScriptManager>

Now place the controls which you want to display as the modal popup inside a Panel or a DIV; you can also set the background of the Panel or the DIV. For example, I am using the login controls as a popup:

<tr>
<td>
<asp:Label ID="Label1" runat="server" Text="Enter userName:-" ForeColor="White"></asp:Label>
</td>
<td>
<asp:TextBox ID="txtname" runat="server" Text=""></asp:TextBox>
</td>
</tr>
<tr>
<td>
<asp:Label ID="Label2" runat="server" Text="Enter Password:-" ForeColor="White" ></asp:Label>
</td>
<td>
<%-- TextMode="Password" masks the typed password on screen --%>
<asp:TextBox ID="txtPass" runat="server" TextMode="Password" Text=""></asp:TextBox>
</td>
</tr>

In order to use the Ajax control, add a reference to the Ajax DLL in the application. In the page where you are going to use the control, register it like this to provide a control prefix name.

<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="ajaxtoolkit" %>

After that you need to make use of the ModalPopupExtender control like this...

<ajaxtoolkit:modalpopupextender backgroundcssclass="modalBackground" dropshadow="False"
okcontrolid="btnOk" cancelcontrolid="btnClose" runat="server" popupcontrolid="Panel1"
id="ModalPopupExtender1" targetcontrolid="btnPOPUP" />

Here every property has its meaning:

1. backgroundcssclass -- Defines the CSS used for the popup.
2. dropshadow -- Used to set the shadow effect; the popup area will become like a shadow.
3. okcontrolid -- Used to set the Ok control or submit control for the popup.
4. cancelcontrolid -- Used to set the Cancel control for the popup.
5. popupcontrolid -- Defines the Panel or DIV which will be displayed as the popup.
6. id -- Defines the Id of the extender control.
7. targetcontrolid -- Defines the control by which the popup will be invoked.


I hope you understood the properties and how to use the control. Below are the actual files for the sample application.

Master Page File.

&lt;%@ Master Language=&quot;C#&quot; AutoEventWireup=&quot;true&quot; CodeFile=&quot;Site.master.cs&quot; Inherits=&quot;SiteMaster&quot; %&gt;

&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
&lt;html xmlns=&quot;http://www.w3.org/1999/xhtml" xml:lang="en">
&lt;head runat=&quot;server&quot;&gt;

&lt;style type=&quot;text/css&quot;&gt;
.modalBackground {
background-color:#414141;
filter:alpha(opacity=70);
opacity:0.7;
}
&lt;/style&gt;
&lt;title&gt;&lt;/title&gt;
&lt;link href=&quot;~/Styles/Site.css&quot; rel=&quot;stylesheet&quot; type=&quot;text/css&quot; /&gt;
&lt;asp:ContentPlaceHolder ID=&quot;HeadContent&quot; runat=&quot;server&quot;&gt;
&lt;/asp:ContentPlaceHolder&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;form runat=&quot;server&quot;&gt;
&lt;asp:ScriptManager ID=&quot;ScriptManager1&quot; runat=&quot;server&quot;&gt;
&lt;/asp:ScriptManager&gt;
&lt;div class=&quot;page&quot;&gt;
&lt;div class=&quot;header&quot;&gt;
&lt;div class=&quot;title&quot;&gt;
&lt;h1&gt;
My ASP.NET Application
&lt;/h1&gt;
&lt;/div&gt;
&lt;div class=&quot;loginDisplay&quot;&gt;
&lt;asp:LoginView ID=&quot;HeadLoginView&quot; runat=&quot;server&quot; EnableViewState=&quot;false&quot;&gt;
&lt;AnonymousTemplate&gt;
[ &lt;a href=&quot;~/Account/Login.aspx&quot; ID=&quot;HeadLoginStatus&quot; runat=&quot;server&quot;&gt;Log In&lt;/a&gt; ]
&lt;/AnonymousTemplate&gt;
&lt;LoggedInTemplate&gt;
Welcome
&lt;span class=&quot;bold&quot;&gt;&lt;asp:LoginName ID=&quot;HeadLoginName&quot; runat=&quot;server&quot; /&gt;&lt;/span&gt;!
[ &lt;asp:LoginStatus ID=&quot;HeadLoginStatus&quot; runat=&quot;server&quot; LogoutAction=&quot;Redirect&quot; LogoutText=&quot;Log Out&quot; LogoutPageUrl=&quot;~/&quot;/&gt; ]
&lt;/LoggedInTemplate&gt;
&lt;/asp:LoginView&gt;
&lt;/div&gt;
&lt;div class=&quot;clear hideSkiplink&quot;&gt;
&lt;asp:Menu ID=&quot;NavigationMenu&quot; runat=&quot;server&quot; CssClass=&quot;menu&quot; EnableViewState=&quot;false&quot; IncludeStyleBlock=&quot;false&quot; Orientation=&quot;Horizontal&quot;&gt;
&lt;Items&gt;
&lt;asp:MenuItem NavigateUrl=&quot;~/Default.aspx&quot; Text=&quot;Home&quot;/&gt;
&lt;asp:MenuItem NavigateUrl=&quot;~/About.aspx&quot; Text=&quot;About&quot;/&gt;
&lt;/Items&gt;
&lt;/asp:Menu&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class=&quot;main&quot;&gt;
&lt;asp:ContentPlaceHolder ID=&quot;MainContent&quot; runat=&quot;server&quot;/&gt;
&lt;/div&gt;
&lt;div class=&quot;clear&quot;&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class=&quot;footer&quot;&gt;

&lt;/div&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;

The Default.aspx file code.

&lt;%@ Page Title=&quot;Home Page&quot; Language=&quot;C#&quot; MasterPageFile=&quot;~/Site.master&quot; AutoEventWireup=&quot;true&quot;
CodeFile=&quot;Default.aspx.cs&quot; Inherits=&quot;_Default&quot; %&gt;
&lt;%@ Register Assembly=&quot;AjaxControlToolkit&quot; Namespace=&quot;AjaxControlToolkit&quot; TagPrefix=&quot;ajaxtoolkit&quot; %&gt;

&lt;asp:Content ID=&quot;HeaderContent&quot; runat=&quot;server&quot; ContentPlaceHolderID=&quot;HeadContent&quot;&gt;
&lt;/asp:Content&gt;
&lt;asp:Content ID=&quot;BodyContent&quot; runat=&quot;server&quot; ContentPlaceHolderID=&quot;MainContent&quot;&gt;
&lt;asp:Button ID=&quot;btnPOPUP&quot; runat=&quot;server&quot; Text=&quot;Display PopUp&quot; /&gt;
&lt;ajaxtoolkit:modalpopupextender backgroundcssclass=&quot;modalBackground&quot; dropshadow=&quot;False&quot;
okcontrolid=&quot;btnOk&quot; cancelcontrolid=&quot;btnClose&quot; runat=&quot;server&quot; popupcontrolid=&quot;Panel1&quot;
id=&quot;ModalPopupExtender1&quot; targetcontrolid=&quot;btnPOPUP&quot; /&gt;
&lt;asp:Panel ID=&quot;Panel1&quot; runat=&quot;server&quot; CssClass=&quot;modalPopup&quot; Style=&quot;display: none;&quot;&gt;
&lt;table&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;asp:Label ID=&quot;Label1&quot; runat=&quot;server&quot; Text=&quot;Enter userName:-&quot; ForeColor=&quot;White&quot;&gt;&lt;/asp:Label&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;asp:TextBox ID=&quot;txtname&quot; runat=&quot;server&quot; Text=&quot;&quot;&gt;&lt;/asp:TextBox&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;asp:Label ID=&quot;Label2&quot; runat=&quot;server&quot; Text=&quot;Enter Password:-&quot; ForeColor=&quot;White&quot; &gt;&lt;/asp:Label&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;asp:TextBox ID=&quot;txtPass&quot; runat=&quot;server&quot; TextMode=&quot;Password&quot; Text=&quot;&quot;&gt;&lt;/asp:TextBox&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;asp:Button ID=&quot;btnOk&quot; runat=&quot;server&quot; Text=&quot;Ok&quot; /&gt;
&lt;/td&gt;
&lt;td&gt;
&lt;asp:Button ID=&quot;btnClose&quot; runat=&quot;server&quot; Text=&quot;Close Me&quot; /&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;
&lt;/asp:Panel&gt;
&lt;/asp:Content&gt;

Now please take a look of the output of the application.

First Screen



Second Screen




Please decode the files using an HTML decoder (http://centricle.com/tools/html-entities/) to get the actual files. Hope you have liked this article. Please feel free to post your ideas and comments.

Yours,

Anil Kumar Pandey
