iFinity Blogs 

By Bruce Chapman on Monday, September 20, 2010 4:19 PM
Scott Guthrie posted about an important ASP.NET security vulnerability over the weekend.  If you have a DotNetNuke website, this vulnerability affects you, so take the time to read this and check if your site might be affected.

So far there has been no patch for the operating system, but there is a workaround which is very simple.

Basically, the vulnerability is that malicious users can probe your site and, from certain error codes, can break the cryptography securing important files like your web.config file.

The fix involves updating your website to provide a generic error page for all server errors.  Many people will already have such a setup in place, although others (like me) might have left more descriptive error messages switched on for working out what has gone wrong.
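As an added example (not code from this post or from DotNetNuke), the following sketch audits a web.config for the setup described above: one generic error page for every server error. It assumes the standard ASP.NET `customErrors` element; the sample configurations and the function name `audit_custom_errors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from any real site).
DESCRIPTIVE = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

GENERIC = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def _local(tag):
    """Strip an XML namespace, which some web.config files declare."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means all errors share one generic page."""
    root = ET.fromstring(web_config_xml)
    sections = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section: framework defaults apply"]
    findings = []
    for section in sections:
        mode = section.get("mode", "RemoteOnly")  # ASP.NET default when omitted
        if mode.lower() == "off":
            findings.append("mode=Off: descriptive errors are sent to every client")
        if not section.get("defaultRedirect"):
            findings.append("no defaultRedirect: no single generic error page")
        for child in section:
            if _local(child.tag) == "error":
                findings.append("statusCode %s has its own page, so error types "
                                "can be told apart" % child.get("statusCode"))
    return findings


if __name__ == "__main__":
    for name, xml in [("descriptive", DESCRIPTIVE), ("per-status", PER_STATUS),
                      ("generic", GENERIC)]:
        print(name, audit_custom_errors(xml) or "OK")
```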

Update [21st September] : DotNetNuke has an official post out on this one, so I think take...
By Bruce Chapman on Wednesday, September 08, 2010 2:37 PM
Every now and again I get a failed DNN installation with a half-created database.  When that happens, the best course of action is to clean out the database and start again with the install, making sure the problem is fixed.  But how do you clean out the database?

Here’s a quick script I wrote to do this – to be run through a SQL query tool.

Note: don’t ever run this unless you want to actually destroy your DotNetNuke database.  It’s a scorched earth deletion. It’s the SQL equivalent of delete *.* in old DOS days – except SQL Server won’t give you an ‘Are you sure?’ prompt.

Here’s the script:

declare @tableName nvarchar(100), @sql nvarchar(255)

-- cursor over every user table belonging to DotNetNuke or ASP.NET membership
declare drop_curs cursor for
    select Name from sysobjects
    where type = 'u' and (name like 'dnn_%' or name like 'aspnet_%')

open drop_curs
fetch from drop_curs into @tableName
while @@fetch_status = 0
begin
    -- build and run the drop statement for the current table
    select @sql = 'drop table ' + @tableName
    execute (@sql)...
Bruce Chapman
Hi, I'm Bruce Chapman, and this is my blog. You'll find lots of information here - my thoughts about business and the internet, technical information, things I'm working on and the odd strange post or two.

 
