dougv.com « Doug Vanderweide

Last weekend was New England GiveCamp 2011, in which 100+ developers, designers and other volunteers gathered to donate time and skills to some 30 charities who needed IT help.

This year, I was project lead for Alex’s Team Foundation, based in Andover, Mass. Our team was Saurabh Moondhra and William Wade, both experienced ASP.NET developers.

Alex’s Team Foundation, named after 16-year-old Alex Miliotis, who passed away from leukemia in 2002, raises money to support nurses and other oncology professionals, and supports youth sports. The foundation is largely the labors of Patti Rae Miliotis, Alex’s mother, and a handful of reliable volunteers. Like every small nonprofit, Alex’s Team doesn’t have a lot of money.

From the right to left: William Wade, Doug Vanderweide, Saurabh Moondhra and Patti Rae Miliotis of Alex's Team Foundation. The lady with her feet up is Deanna Lohnes, who worked on another project; the woman in green, whose name I do not know, was her charity's contact person.

Like every other leader of a small nonprofit, Patti is pulled in a lot of different directions and has all she can do to keep track of the people with whom she comes in contact, nonetheless all the donations she gets. Patti also hosts a few events every year. She basically needs a way to keep track of who attends those events or otherwise supports her organization, and to mail merge thank-you notes.

So that was the project I led this weekend: Converting a bunch of data stored in (of course!) Excel spreadsheets into a more relational database, with the ability to export that data in order to mail merge thank-you and fundraising letters.

Continue reading: New England GiveCamp 2011: What A Weekend! »

There are a couple of ways to create an RSS feed from a SQL database store. Over at 4GuysFromRolla.com, there’s a post explaining how to create an RSS feed using a regular old ASP.NET Web Form.

Another option would be to write a script that creates an actual XML file on some periodic basis (probably just before the recommended “time to live” setting of the feed). The benefit of that is, one taxes the database server a little every now and then, and a “real” XML file does the work.

But as a rule, for ASP.NET applications, Microsoft recommends using HTTP handlers or modules whenever one wants to present data other than HTML.

(Aside on handlers vs. modules: A handler is a special ASP.NET Web page; a module is a plug-in one can install in Internet Information Server. If you’ve got a lot of different, special-case Web processing, or one need that is near-constant — such as processing images stored in a database every time a specific page is called — then you’ll want to consider a module. For occasional or lightweight processing, such as serving up a low-use RSS stream, a handler will do fine. End of aside.)

So that’s what we’ll use here. Let’s begin by creating an ASP.NET HTTP handler, which is written in the same way one would write the code behind for an ASP.NET page, but uses the file extension .ashx.

Continue reading: Creating An ASP.NET RSS Feed, Using Data From SQL Server And HTTP WebHandler »

Scott Guthrie announced yesterday that the hotfix for the ASP.NET cryptographic padding oracle exploit is now available on Windows Update / Windows Server Update Services.

Points of note:

• Persistent authentication cookies will need to be reset after applying the patch. In other words, if your site uses Forms Authentication, all your users will need to log in again after you apply this patch.
• You will still be able to persist Forms Authentications sessions across versions of ASP.NET. In other words, if you have multiple applications, running multiple versions of ASP.NET, on a given domain, one Forms Authentication login will work for them all, provided they share the same data store for authentication.
• If you run a web farm, all versions of ASP.NET must be the same in that farm, and the patch needs to be applied to all machines.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-now-available-through-windows-update

Scott Guthrie noted on his blog that Microsoft will ship, on Tuesday, a hotfix for the ASP.NET cryptographic padding oracle exploit. It is to be released at 10 a.m. PDT; that’s 1 p.m. EDT / 17:00 GMT.

Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. As in, after you install this patch, you can turn off custom errors or use custom error files for specific errors.

Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-ships-tuesday-sept-28

In a further update on how to combat the ASP.NET CryptographicException hack, Microsoft is now urging webmasters to use the URLScan utility to further thwart oracle attempts.

In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”

URLScan is an Internet Information Server (IIS) extension. If you manage your own IIS server, you should follow the instructions at Guthrie’s blog post to download, install and configure the workaround.

If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.

Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability