Vulnerability in JForum

Today, I've found a potential vulnerability in JForum for satyam which is a Persistent XSS attack and here it goes the description,

I've created a new topic with Subject "@script@Alert('Testing')@/script@" and submitted the topic. Once it's submitted, it'll be listed in the forum topics.
Now I navigated to the forum's topic list and I clicked on the topic which has the subject"@script@Alert('Testing')@/script@", and it din't execute the script, why beacuse they have encoded this HTML, So I thought JForum for satyam is not vulnerable, but I just wanted to test it further and clicked on "post reply" for this topic, then the cript executed, I was kind of shocked how come JForum has not fixed this bug till I tested on their site(JForum site) and was not able to replicate it.Finally I thought it may just a patch with which satyam is not updated with to fix the potentially harmful bug which even may crash client's System...........!!!!!


Disclaimer: Content above is nothing to do any illegal or malicious activity but was just to test the security of the Apps and to share the knowledge with my blog viewers how serious a XSS attack can be.

How do I encrypt Web.Config file of .Net Web App??

Generally We do keep application level variables and connection strings in Web.Config files for updating values across the project at one go. Being a very important file, It's always needed to secure the information of the file by some means, exactly for this reason .Net provides an API to protect the data by means of few providers(Cryptographic methods), to cite DpapiProtectedConfigurationProvider and RSAProtectedConfigurationProvider. So in this Article we'll examine, how to encrypt a specific portion(connection strings in this case) of Web.config file using RSAProtectedConfigurationProvider.

So here it goes,

1)Create a new website/application
2)Run the website, system'll prompt for adding Web.Config File, Click Yes
3)Stop debugging the application.
4)Open Web.Config File and add below code in between @configuration> and ,@/configuration>

@connectionstrings@
@add name="myCon" connectionstring="data source=localhost; Initial Catalog = master; user id = Encrypt; password= Decrypt"@
@/add@@/connectionstrings@@/blockquote@

5)Open Default.aspx(assuming you've not changed the name of the default page appears once you create a new website) and add two buttons and name them as Encrypt and Decrypt respectively
6)Double click "Encrypt" button and paste the below code

Configuration WebConfigFile = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection SectionConnectionStrings = WebConfigFile.GetSection("connectionStrings");
SectionConnectionStrings.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
WebConfigFile.Save();
7)Double click "Encrypt" button and paste the below code

Configuration WebConfigFile = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
ConfigurationSection SectionConnectionStrings = WebConfigFile.GetSection("connectionStrings");
SectionConnectionStrings.SectionInformation.UnprotectSection();
WebConfigFile.Save();

8) Run the application, Default.aspx pops-up with two buttons "Encrypt" and "Decrypt". Click on button "Encrypt", It'll encrypt the "connectionStrings" section in Web.config file, and asks for overriding the file ie Web.config, click Yes
9)Stop debugging and open Web.Config file and now you can notice below code instead of original text form "connectionStrings" section.

@connectionstrings configprotectionprovider="RsaProtectedConfigurationProvider"@
@encrypteddata type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
@encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc">
@keyinfo xmlns="http://www.w3.org/2000/09/xmldsig#">
@encryptedkey xmlns="http://www.w3.org/2001/04/xmlenc#">
@encryptionmethod algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
@keyinfo xmlns="http://www.w3.org/2000/09/xmldsig#">
@keyname>Rsa Key@/keyname>
@/keyinfo>
@cipherdata>
@ciphervalue>CGqBcokAoiZ+uB6Le7Aufbt8wQ018UrKWcfso73WtSSztJMj0O1BywJoE/3jdOREcojeHWiFY5+9GXX+7XBLxfFalOfrJgXQpXyBbwpQhvsgGbH+xiRMmVCPhpnwSYQK/3WjnulS8ywqQbGBNww86VohEjWm4bCXkmEDH0haoYI=@/ciphervalue>
@/cipherdata>
@/encryptionmethod>@/encryptedkey>
@/keyinfo>
@cipherdata>
@ciphervalue>IinIZskL3FGF8iDGAv+qEmkbGsGi4ByTohmEh7/wew86lvn2eqiOI9NVBm1usXzUz8QWFwHboSAam+TJmPvLe1LavrZ9ZHFmFs5exURegt4hxuZphAHFisWr7AB4HDrrrORsuD3IIMq4Fyq9EvsGpRRVcefl+gPejP04vv7bAc/qbFbJYtzH7OeglxI1Z0UBhvkYKGcFSGY+GgvyDsmo12+7KiVa7H7vAz6Se20BLAk=
@/cipherdata>
@/encryptionmethod>@/encrypteddata>
@/connectionstrings>

So normal text formed sextion has been changed to cypher text, and if you want to get back the "connectionStrings" original text data, just click on "Decrypt" button and notice the magic, that's it, it's pretty simple, we should not bother about which Algorithm have to use, where to store the key value and etc, everything would be taken care by .Net and our life is made easy.....:)

Hope it helps, Thank you and comments are most welcome.

Experience @ MS-Tech-Ed 2009, HITEX, Hyderabad

This is the very first technical summit I've ever attended. Indeed learnt a lot both technically and personally. It went for 3 days from 13th May to 15th May 2009. Highlight for the summit is none other than Mr.Steve Balmer, CEO, Microsoft. After his talk, he's Invited for few questions and many folks asked him beautiful questions and got awesome answers back. Steve's answer for a question, "lesson he learnt and impact on Microsoft from recession? " was really interesting, he answered as, Its very sad that it's happened and happy that it'nt happen again in my life time and he's given a justification, why it'nt happen again in his life time based up on the statistics of occurrences of previous recessions, which made clear that it'd happen only once in any one's life time.

I also thought of asking few questions which includes,As Microsoft goes on moulding it's products and technology in this fashion, Developers are becoming more like designers with few customizations, so how far it's interesting for the developers across the world to work on MS technologies as they do not have to use their brains while working, which in my opinion being a developer is not at all happy really.

These days Microsoft is releasing it's products like any thing with in no time. Before setting up to learn new technology or version another technology or version is coming up, just to compete with the rest of the world and nothing else.

When I started my IT career in 2006, I started up with Microsoft .Net technology with Framework 2.0,language C# 2.0 and MS Visual Studio 2005 and now with in the 3 years of time span another two version have been released(though VS2010 and c# 4.0 are in their beta versions), where technology is changed drastically,If not hype, I can say there is no comparison b/w 3.0(,later versions) and earlier versions of .Net.


One of friend Sultan, also raised a really very interesting question, how about making Microsoft product and technologies open source?, Of course due to some reason or other we've not shoot these questions at Mr.Steve(May be scared...;)).


And one more interesting thing is, Microsoft also entered into Cloud computing with Windows azure services to compete the big giant like Amazon, Google and Yahoo(is also coming up with cloud computing, which is collaborated with IIIT, Hyderabad, for research operations). At Tech-Ed, Venkat, Jani and Saran's sessions on cloud computing and azure services were really fruitful for me, atleast I came to know what cloud computing is though I firstly familiarized with Cloud Computing by Jani's presentation, exclusively for Satyamites.

One more highlight at Tech-Ed was, "free certifications", though I dint utilize them properly having failed in 2 exams which I had taken, after all I was not prepared and also not taken the advantage of dumps(by virtue I am kinda against at).But I am still happy, because at least I made an attempt and scored 550 and 578 and made my mind working at least for 3 hours.

Finally, Tech-Ed is not tech savy, :), It has got fun in the form of AGNEE, the rock brand with superb composition of "zeeley baby...shift-delete kardey"(forgive me for the bad lyrics , but this is what I remember) and a rocking concert on the last day to farewell the Tech-Ed.

Tech-Ed has really taught me lot of lessons, at times I felt regretted, nervous for not being either among Speakers, Microsoft family or MVP community and other times I was really happy, at least it happened to meet few great personalities and I developed a burning desire to become an MVP at least down the line 1 year, to become the good speaker and to join either Microsoft or Google or Amazon or Yahoo subsequently and I wish I could join in the very near future. Once again thanks to Microsoft and Tech-Ed team.


Disclaimer: If something looks as criticizing Microsoft or Some one else, then its purely incidental and nothing intentional.

SELF JOIN in SQL Server

Self join means a tables joins itself to produce the result set.

Let me explain you with an example.

create a table as follow:

Employee_ID	Employee_LNAME	Employee_FName	MANAGER_ID
1	Praneeth	Chandra	NULL
2	Ajelina	Jolie	1
3	Kate	Winslet	2
4	Maria	Sharapova	1

In the above table Praneeth Chandra is the Supreme and so he doesn't report to any one, so Manager_id for first row is null.

Now I want to fetch the details of the employee's FirstName and Last Name and their respective managers First name and last name, it does mean that we've the details of the employees and the managers in the same table but we dont have the corresponding columns(ie EMPLOYEE_FN,EMPLOYEE_LN,MANAGER_FN,MANAGER_LN),
so normal select query does not work here, but we can fetch the desired result if we can create a self join on employee table with it self.

Query for SELF JOIN:
select e.first_name as Employee_FName, e.last_name as Employee_LName, m.first_name as Manager_Fname,m.last_name as Manager_Lname
from [schema1].employee AS e left outer join [schema1].employee as m
ON e.manager_id=m.id.

It goes as follow,

Employee_FName	Employee_LNAME	MANAGER_FName	MANAGER_LName
Praneeth	Chandra	NULL	NULL
Ajelina	Jolie	Praneeth	Chandra
Kate	Winslet	Ajelina	Jolie
Maria	Sharapova	Praneeth	Chandra

Explaination:

Note:As we've employeed left outer join' we should traverse through all the record in left table ie. table 'e'
1)As we have employeed left outer join it does mean that, all the records of right table ie. table 'm' should appear in the result set irrespective of the condtion success status.

so first record in the table is 1 Praneeth Chandra NULL
so now check the condition ie manager_id=employee_id
here 'NULL' Manager Id does not match with any employee id, so if we employee an 'inner join' instead of 'left outer join', this record would haven't been the part of result set.(as Inner join picks the records only the condition satifies), so we wont get the details of all employees and their corresponding managers details if we dont apply a 'LEFT OUTER JOIN'.

and the first record goes in the result as

Praneeth

Chandra

NULL

NULL

2) Now move onto second record in table 'e'
here e.Manager ID=1 matches with one m.employee id=1
so the next record in the result goes as,

Anjelina

Joolie

Praneeth

Chandra

3) and Now move on to 3rd record in table 'e' ie left table

here also e.Manager ID=2 matches with one m.employee id=2

so the next record in the result set goes as,

Kate

Winslet

Anjelina

Joolie

4) now we've moved onto last record in the left table ie table 'e'

here also e.Manager ID=1 matches with one m.employee id=1
and here it goes the last record,

Maria

Sharapova

Praneeth

Chandra

Disclaimer: Names used as part of the records in the employee table are just for the concept illustration purpose and nothing to do with the real word,I've used their names for none of the reasons but, I personally admire them for their supremacy in their respective fields.