There are a couple of ways to create an RSS feed from a SQL database store. Over at 4GuysFromRolla.com, there’s a post explaining how to create an RSS feed using a regular old ASP.NET Web Form.
Another option would be to write a script that creates an actual XML file on some periodic basis (probably just before the recommended “time to live” setting of the feed). The benefit is that the database server is taxed only a little, every now and then, and a “real” XML file does the work of serving the feed.
A handler is a special ASP.NET Web page; a module is a plug-in one can install in Internet Information Server. If you’ve got a lot of different, special-case Web processing, or one need that is near-constant — such as processing images stored in a database every time a specific page is called — then you’ll want to consider a module. For occasional or lightweight processing, such as serving up a low-use RSS stream, a handler will do fine.
So that’s what we’ll use here. Let’s begin by creating an ASP.NET HTTP handler, which is written in the same way one would write the code behind for an ASP.NET page, but uses the file extension .ashx.
I’ve created pages for 401 (unauthorized), 403 (forbidden), 404 (not found) and 500 (internal server) HTTP errors.
I designed these to be valid XHTML 1.0; to appear well in all screen resolutions from 1024 x 768 and greater; and to appear the same on most Web browsers. (Of course, I exclude Internet Explorer prior to version 7 from that list.)
This little exercise also gave me a chance to play with the Google Font API. There aren’t a lot of fonts available yet, but using the API couldn’t be simpler.
Instructions on implementing custom error documents on Apache can be found here. Microsoft documents how to add customError files to your ASP.NET web.config file here.
Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. As in, after you install this patch, you can turn off custom errors or use custom error files for specific errors.
Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.
In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”
URLScan is an Internet Information Server (IIS) extension. If you manage your own IIS server, you should follow the instructions at Guthrie’s blog post to download, install and configure the workaround.
If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.
Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.
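As an added example (not from Guthrie's post or this blog), here is a small Python check that a UrlScan.ini carries the aspxerrorpath deny rule and that the rule matches a request's query string. It assumes the rule is an `aspxerrorpath=` entry under UrlScan's `[DenyQueryStringSequences]` section and that deny sequences match as case-insensitive substrings; the sample file contents are constructed.

```python
# Added example: audit UrlScan.ini text for the aspxerrorpath deny rule.
# SAMPLE_BEFORE / SAMPLE_AFTER are constructed, not taken from a real server.

SAMPLE_BEFORE = """\
[Options]
UseAllowVerbs=1   ; constructed sample
[DenyQueryStringSequences]
<   ; default entries
>
"""
SAMPLE_AFTER = SAMPLE_BEFORE + "aspxerrorpath=\n"


def parse_urlscan_sections(text):
    """Return {section_name_lower: [entries]} for UrlScan.ini-style text.

    Deny sections hold one bare entry per line and ';' starts a comment,
    so the entries are collected as plain strings rather than key/value pairs.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def denied_by_urlscan(query_string, text):
    """Return the first deny sequence found in query_string, else None.

    Assumption: sequences are matched as case-insensitive substrings.
    """
    query = query_string.lower()
    for seq in parse_urlscan_sections(text).get("denyquerystringsequences", []):
        if seq.lower() in query:
            return seq
    return None


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hit = denied_by_urlscan("aspxerrorpath=/default.aspx", cfg)
        print(name, "->", "blocked by %r" % hit if hit else "NOT blocked")
```
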