Monthly Archives: September 2004

Even more Research on the ASP.NET Vulnerability

My previous post was based on an incomplete test scenario. What I can say by now is – I can reproduce the bug on Windows XP with 1.1 and even 1.1 SP1. I cannot reproduce the bug on Windows 2003 … Continue reading

Posted in Uncategorized | Leave a comment

More research on the ASP.NET Vulnerability

See this post for an update. This seems to be fixed in .NET 1.1 SP1. I could reproduce the vulnerability on V1.1.4322573 (which is plain 1.1) – but I couldn’t reproduce it on V1.1.4322.2032 (which is 1.1 SP1) so – … Continue reading

Serious ASP.NET Forms Authentication Vulnerability

Forwarded from OWASP-DOTNET. Read the whole story here for some examples of vulnerable and not vulnerable web.config settings. It seems from the original mail that Microsoft wasn’t even contacted before disclosing this vulnerability, which is extremely bad style. This is serious! … Continue reading

Fully Trusted Code and ASP.NET

There is quite a lot of talk recently about the dangers of fully trusted code. I can only agree. Keith Brown gives some nice examples in his article “Beware of fully trusted code” of what code can do if all CLR … Continue reading

Go and Buy It!

The must-read book for .NET developers is finally shipping!

Pinging in Whidbey

Saturday morning fun…

using System;
using System.Net.NetworkInformation;

class WhidbeyPing
{
  static void Main(string[] args)
  {
    // Send a single ICMP echo request to the host given as the first argument
    PingReply reply = new Ping().Send(args[0]);
    Console.WriteLine("Reply from {0} - Roundtrip Time {1} ms", reply.Address, reply.RoundtripTime);
  }
}

Converting C# to VB.NET

I currently have to convert code and some slide decks for a customer to this strange language that doesn’t accept semicolons at the end… Most of the time this is a no-brainer – but a time-consuming and annoying task. … Continue reading

Hack It!

Foundstone has released a sample web application written in ASP.NET / C# that simulates the most common vulnerabilities in today’s HTTP-based applications (cross-site scripting, SQL injection…). You can instantly start hacking – or read the detailed how-to PDF … Continue reading

New netstat options in XP SP2

Prior to Windows 2000 there was no built-in possibility to figure out which program on your system opened which port. You could use ‘netstat -an’ to list all open ports, but not which process or library has opened the ports. TcpView … Continue reading

Security Advisory : XSS Vulnerability in Newtelligence DasBlog

ERNW Security Advisory: Cross-Site Scripting Vulnerability in Newtelligence DasBlog. Author: Dominick Baier <dbaier@ernw.de>. 1. Summary: An XSS (Cross-Site Scripting) vulnerability in DasBlog’s Event and Activity Viewer allows an attacker to inject and execute code on the client’s machine. This allows an attacker to transfer the … Continue reading