Sysadmins of the North
Don't forget to share this post!

Asp.Net Application Security

Finbar Ryan writes in his blog post Asp.Net Application Security: “I was recently helping a colleague with a customer who was running a security check against their IIS Server on Windows Server 2008. The security tool they used highlighted that the server was running Asp.Net and might be vulnerable to cross-site scripting attacks. The Asp.Net engine does validate every request that comes in. We do however recommend that you still ensure your application is not susceptible to the scripting attacks that are out there…

the Hacker News

Cracking 16 character strong passwords in less than an hour

What if hackers also managed to crack any 16 character password? A password serves to protect your financial transactions, your social networking sites, and a host of other nominally secure websites online. People often say, don’t use dictionary words as passwords. They are horribly insecure, but what if hackers also managed to crack any 16 character password?

Continue reading

WhatWorks in AppSec: ASP.NET Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts

Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts. The .NET 4.0 & 4.5 frameworks introduced new syntax shortcuts to HTML encode dynamic content being rendered to the browser. These shortcuts provide an easy way to protect against Cross-Site Scripting (XSS) attacks in the newer versions of the .NET framework.

Continue reading

How to send authenticated SMTP over a TLS encrypted connection, in PHP, ASP and ASP.NET?

Send authenticated SMTP (auth-SMTP) over a TLS encrypted connection. If you want to send email securely from your website, this post is for you! In this post I’ll provide some script examples for ASP, PHP, and ASP.NET (C# / VB.Net) that you can easily integrate in your website.

Continue reading

Umbraco security vulnerability found – immediate action recommended

All Umbraco versions affected. Remove /bin/umbraco.webservices.dll! A quick and short message to all Umbraco users, which just dropped in my Inbox:

Continue reading

Secure WordPress with a Captcha

update 2017-12-20: watch out for a Captcha version with a backdoor! WordPress security can be improved with plugins. Also from brute-force login attempts. Lately, a lot of brute force attacks are targeted against WordPress websites.

Continue reading

Grep for forensic log parsing and analysis on Windows Server IIS

How to use GnuWin32 ported tools like grep.exe and find.exe for forensic log file analysis in Windows Server. In this article I’ll give some real live examples of using these ported GnuWin tools like grep.exe for logfile analysis on Windows servers. The article provides three example, as an alternative to LogParser, because finding spam scripts fast is often very important.

Continue reading

“WordPress Plugin Social Media Widget Hiding Spam – Remove it now”

Remove WordPress Social Media Widget Plugin; the plugin injects spam into your website

Continue reading

Open DNS Resolver Project

Close your open resolvers now! Open Recursive Resolvers pose a significant threat to the global network infrastructure. They are utilized in DNS Amplification attacks and pose a similar threat as those from Smurf attacks commonly seen in the late 1990’s. What can I do?

Continue reading

PHP logo

Connect to MS SQL Server with PHP 5.3+

Connect to an SQL Server database with PHP 5.3+ using the SQLSRV API and sqlsrv_connect. As of PHP 5.3.2 you have to use the SQLSRV API functions to connect to an MS SQL Server database from PHP. For example, use sqlsrv_connect() to create a connection resource and open a connection. The main difference with the older mssql functions of PHP is that SQLSRV requires an Array() with connection information, instead of strings.

Continue reading

Boost Drupal performance with Boost

Boost Drupal performance on Windows Server IIS. Besides WinCache on IIS, you can improve Drupal’s performance by installing the Drupal BOOST module. For this module to work you need to disable Drupal’s own caching mechanism, and you need access to the server variable CONTENT_TYPE in URL Rewrite. Here is how…

Continue reading

Unauthorized Access: Bypassing PHP strcmp()

The following was posted to the Web Security Mailinglist: Unauthorized Access: Bypassing PHP strcmp(). A way to bypass PHP’s strcmp() binary safe string comparison function.

Umbraco doesn’t like users with MySQL databases

Umbraco 6.0.2 fails when using MySQL, because Umbraco has changed their database layer/logic, breaking MySQL support. Because SqlCe is deprecated by Microsoft it is best to use SQL Server instead as your Umbraco database back-end.

Continue reading

Good Web Security News: Open DNS Resolvers Are Getting Closed

CloudFlare writes about closing open DNS resolvers. Open DNS resolvers are one of the sources of the biggest DDoS attacks.

Continue reading

WordPress 3.5 on IIS 8.0 is unable to save a web.config file

This website Saotn.org is hosted on Windows Server 2012 with IIS 8.0 with WordPress for a few months now, and everything is running very smooth. And I would never hit this bug because I don’t need to change my permalinks structure, or save any other plugin setting which would want write to a web.config file. One of my colleagues on the other hand, just moved his website to one of our IIS 8.0 web servers and he noticed he couldn’t save his Permalinks structure in the IIS web.config file. This can be pretty annoying 😉 Quick fix attached…

Continue reading

Skip to content