CAT.NET and XSS

Monday, 15 December 2008

Microsoft Code Analysis Tool .NET (CAT.NET) is a new static analysis tool that detects certain classes of vulnerability in your code, including Cross Site Scripting, SQL Injection, Process Command Injection, File Canonicalization, Exception Information disclosure, LDAP Injection, XPATH Injection and Redirection to a User Controlled Site.

Also there’s a beta release of version 3 of the AntiXSS library which can help reduce the chance of cross-site scripting vulnerabilities in your ASP.NET application.

The 3 Ps of successful application deployment

Friday, 5 December 2008

  1. Planning
  2. Preparation
  3. Proximity to a bakery

Have I missed any others?

Google Transit for Adelaide

Tuesday, 2 December 2008

I saw this mentioned on Australian IT today – if you open up Adelaide in Google Maps, you now get the option of listing directions by “public transit”.

So for example, if I wanted to get from “Westbourne Park to Glenelg”, I just enter exactly that phrase and search, then click on the ‘public transit’ link.



As you can see from the map, it indicates the bus route (216), then you change to a tram, then finally you walk. The directions panel contains bus stop details and the service times.

Ever since I owned an Apple Newton MessagePad and more recently a few Windows Mobile devices I’ve had an idea for an application that would allow you to interactively find out when the next bus was, and tell me what time I would arrive home – taking into account that I used to catch two buses and a train to get home. Well it looks like Google has pretty much implemented that idea for me!

Useful PowerShell snippets (part 1)

Monday, 1 December 2008

Some things I’m finding useful:

Processes running on a machine

Get-WmiObject Win32_Process -ComputerName mymachine | Select { $_.Name }

Currently logged in user on a machine

Get-WmiObject Win32_ComputerSystem -ComputerName MyMachine | Select { $_.UserName }

Does a machine have .NET 3.5 SP1 installed

function Get-Net35SP1([string] $machineName)
{
    # Open HKEY_LOCAL_MACHINE on the remote machine (requires the Remote Registry service on the target)
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $machineName)
    $regKey = $reg.OpenSubKey("SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5")
    if ($regKey -ne $null) {
        # The "SP" value is 0 for an RTM install and 1 once SP1 has been applied
        Write-Output $regKey.GetValue("SP", 0)
        $regKey.Close()
    } else {
        # No v3.5 key at all means .NET 3.5 was never installed
        Write-Output "Doesn't have .NET 3.5"
    }
    $reg.Close()
}
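The function above returns a number for one machine and a string for another, which is awkward to sort or export. Here is an added example (mine, not from the original post) that generalises it to a list of machines and returns one object per machine, recording whether the key exists, the service pack level, and any error (host unreachable, Remote Registry stopped, access denied) instead of aborting the whole run. It assumes PowerShell 2.0 or later for try/catch/finally; the machine names in the usage line are made up.

```powershell
# Added example: check .NET 3.5 / SP level on several machines and emit objects.
# Assumes PowerShell 2.0+ and remote-registry access to each host.
function Get-Net35Status {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $ComputerName
    )

    foreach ($machine in $ComputerName) {
        $result = New-Object PSObject -Property @{
            ComputerName = $machine
            Installed    = $false
            ServicePack  = $null
            Error        = $null
        }

        $reg = $null
        $regKey = $null
        try {
            $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $machine)
            $regKey = $reg.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5')
            if ($regKey -ne $null) {
                $result.Installed = $true
                # "SP" is 0 on an RTM install, 1 once SP1 is applied
                $result.ServicePack = [int] $regKey.GetValue('SP', 0)
            }
        } catch {
            # Typically: host unreachable, Remote Registry service stopped, or access denied.
            # Record the failure and carry on with the next machine.
            $result.Error = $_.Exception.Message
        } finally {
            if ($regKey -ne $null) { $regKey.Close() }
            if ($reg -ne $null) { $reg.Close() }
        }

        $result
    }
}

# Usage (hypothetical machine names):
# Get-Net35Status -ComputerName 'server01', 'server02' |
#     Format-Table ComputerName, Installed, ServicePack, Error -AutoSize
```

Because each machine becomes an object, the output pipes straight into Where-Object (for example, machines with Installed true but ServicePack 0) or Export-Csv for a patching report.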

Log4net’s SmtpAppender with multiple email addresses

Monday, 24 November 2008

Log4net is a popular logging framework, and amongst the various logging “appenders” it includes one for sending emails – the SmtpAppender. The documentation for the SmtpAppender’s To property says it contains a semicolon-delimited list of email addresses.

However, if you try that, no emails are sent at all and nothing is reported. To find out why, add the following to your app.config file to enable log4net’s internal debug logging:

  <appSettings>
    <add key="log4net.Internal.Debug" value="true" />
  </appSettings>

  <system.diagnostics>
    <trace autoflush="true">
      <listeners>
        <add name="textWriterTraceListener"
             type="System.Diagnostics.TextWriterTraceListener"
             initializeData="C:\tmp\log4net.txt" />
      </listeners>
    </trace>
  </system.diagnostics>

You’ll then see this internal error message in the log4net.txt file:

System.FormatException: The specified string is not in the form required for an e-mail address.
   at System.Net.Mime.MailBnfHelper.ReadMailAddress(String data, Int32& offset, String& displayName)
   at System.Net.Mail.MailAddressCollection.ParseValue(String addresses)
   at log4net.Appender.SmtpAppender.SendEmail(String messageBody)
   at log4net.Appender.SmtpAppender.SendBuffer(LoggingEvent[] events)

This shows that the SmtpAppender hands the To string to the .NET Framework’s System.Net.Mail.MailAddressCollection class. The ParseValue method is not public, but Add(string) is, and if you scroll down to the remarks in the documentation for Add(string), you’ll see the following text:

If multiple e-mail addresses separated with a semicolon character (";") are passed in the addresses parameter, a FormatException exception is raised.

So it turns out log4net’s documentation is misleading, or at least out of date: the delimiter the underlying class accepts is the comma. Change your email addresses to use commas and everything comes good again.
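You can confirm the behaviour without wiring up an SmtpAppender at all, by feeding the two delimiter styles to the same MailAddressCollection class. The following is an added example of mine, not code from the post or from log4net; it assumes a Windows PowerShell session with the .NET Framework loaded, and the addresses are made up.

```powershell
# Added example: show why a semicolon-delimited To value fails and a
# comma-delimited one works, using System.Net.Mail.MailAddressCollection directly.
# Assumes Windows PowerShell 2.0+ with the .NET Framework; addresses are constructed.
function Test-MailAddressList {
    param([Parameter(Mandatory = $true)][string] $Addresses)

    $collection = New-Object System.Net.Mail.MailAddressCollection
    try {
        # Add(string) is the public entry point that parses a delimited list of addresses
        $collection.Add($Addresses)
        New-Object PSObject -Property @{
            Input      = $Addresses
            Parsed     = $true
            Count      = $collection.Count
            Recipients = ($collection | ForEach-Object { $_.Address }) -join ', '
            Error      = $null
        }
    } catch {
        # With semicolons this is the FormatException seen in log4net's debug log
        New-Object PSObject -Property @{
            Input      = $Addresses
            Parsed     = $false
            Count      = 0
            Recipients = $null
            Error      = $_.Exception.Message
        }
    }
}

# Semicolons: Parsed is $false and Error carries the "not in the form required" message
Test-MailAddressList 'ops@example.com;oncall@example.com' | Format-List Input, Parsed, Count, Error

# Commas: Parsed is $true with Count 2, which is what the SmtpAppender's To value needs
Test-MailAddressList 'ops@example.com,oncall@example.com' | Format-List Input, Parsed, Count, Recipients
```

Running this once against whatever string you intend to put in the appender’s To attribute is a cheap pre-deployment check; a silently failing error-notification appender is exactly the kind of failure you only notice during an incident.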