February 2005 - Posts

Read more on http://support.microsoft.com/kb/886903 and http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx. It's currently under review at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0847.

The Microsoft .NET forms authentication capability allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash).
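
One way to look for this request pattern in web server logs, as an added example that is not part of the original post or of Microsoft's guidance: it scans W3C extended log lines for .aspx requests whose path contains a backslash or %5C. The log lines are constructed, and ranking a 200 response above a redirect is an assumption.

```python
import re

# Constructed sample in IIS W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-02-10 09:14:01 192.0.2.10 GET /secure/report.aspx - 302
2005-02-10 09:14:07 192.0.2.10 GET /secure\\report.aspx - 200
2005-02-10 09:15:30 192.0.2.44 GET /secure%5Creport.aspx id=7 200
2005-02-10 09:16:02 192.0.2.44 GET /secure%5creport.aspx - 302
2005-02-10 09:17:45 192.0.2.77 GET /images/logo.gif - 200
2005-02-10 09:18:12 192.0.2.77 GET /docs%5Cnotes.txt - 404
"""

# Literal backslash or its URL-encoded form, in either hex case.
BACKSLASH = re.compile(r"\\|%5c", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def find_backslash_requests(text):
    """Return (client, path, status, severity) for .aspx requests with a backslash or %5C."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(".aspx") or not BACKSLASH.search(stem):
            continue
        # Assumption: a 200 means the page was served instead of a redirect
        # to the login form, so it is ranked above any other status.
        severity = "high" if rec.get("sc-status") == "200" else "review"
        hits.append((rec.get("c-ip"), stem, rec.get("sc-status"), severity))
    return hits


if __name__ == "__main__":
    for hit in find_backslash_requests(SAMPLE_LOG):
        print(*hit)
```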


A couple of posts ago I talked about the use of BITS for large downloads. If you want to go one step further and you want to get rid of the command prompt to do this stuff, you can use the BITS API directly. There is a wrapper available via http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/WinXP_BITS.asp. When you install the MSI, you can retrieve the .NET assembly Microsoft.Msdn.Samples.BITS.dll and import it in your project. The rest is pretty straightforward. Last but not least, IE definitely rocks (no, I don't want any religious debates on the browser choice over here at my blog) thanks to its extensibility mechanism for the context menu. Let's explain how:

First, create an HTM file with the following content and store it somewhere in a safe location that can be read by IE:

In there, reference the executable with your BITS download manager written using the BITS wrapper as explained earlier. It has to take in one command line argument (you know, public void Main(string[] args) with args containing one element) which will get the URL.

Next, add a registry entry for an IE Menu Extension to call the BITS download manager. Over here I show you the output of my regedit dump of that key:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Download using BITS]
@="c:\\temp\\bits.htm"
"Contexts"=dword:00000020

Very simple indeed, just reference the HTML file and set the context to 20 (which enables the context menu on links).

The result looks like this:

And finally, add whatever features you want to your download manager. Remember that you need to check for completed tasks and when a task has completed you need to "close the task" in order to get the file on disk with the correct filename. An idea is to create a system tray application that allows you to start a new download, to monitor existing downloads (you can ask for the download status of every download), to pause/resume jobs, to cancel jobs and to get a notification when the download has completed. If I ever have some time left... :-)


A couple of minutes ago I was connecting to my main machine over here using Terminal Services and I noticed a time difference of 20 minutes with the real GMT+1 clock :-(. The problem is actually that in a DC scenario, the servers synchronize their clocks internally on the network, instead of going out to an NTP server somewhere on the internet. Unfortunately w32tm /resync did not help (of course not, since the NTP service wasn't configured for external NTP synchronization), so I searched the Microsoft KB for more info on how to configure a DC in Windows Server 2003 to sync with the time.windows.com NTP server on the internet. More info can be found over here: http://support.microsoft.com/kb/816042/en-us.

Note: w32tm is another cool Windows command that's relatively unknown. It works together with the W32Time service and allows you to configure various parameters, show stats, query the time service of various computers in the domain and retrieve timezone information. With commands like these you'll definitely score at your party :-).

