Sharovatov’s Weblog

critical IIS vulnerability

Posted in security, web-development by sharovatov on 29 December 2009

Just got a link from our system administratorhttp://securityvulns.ru/Wdocument993.html 

Go read the vulnerability description now!

Basically – if your users upload files to your site and THEY specify file names, you’re vulnerable:

#Vulnerability/Risk Description:
– IIS can execute any extension as an Active Server Page or any other executable extension.
For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file
uploaders protect the system by checking only the last section of the filename as its
extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.

There’s an unchecked patch for this vulnerability, but again this shows that you just can’t allow any user input saved to your system without filtering.

So, if you allow file uploads – your script have to specify filenames, not users.

Share :

Pomodoro Windows 7 gadget

Posted in widgets, windows 7 by sharovatov on 3 December 2009

I was really inspired by http://tomatoi.st/ web service which provides an easy to use web interface for Pomodoro time management technique.

But unfortunately, tomatoi.st is down due to overload too often, so I spent 20 minutes and prepared a simple Windows 7 pomodoro gadget. It does just what’s needed – showing timers:

image

Click on “Work” button to start 25 minutes work interval, “short br” – to get 5 minutes short break timeout, “long br” for a 15 minutes long break.

It’s dead easy to download and install – just click here. Or you can inspect the code if you want to – gadget is just a zip file with html, css and js inside.

Ah, and I have to warn you – when a period of time is over, it starts playing Alert.wav every second until you set a new period.

For more information about Windows 7 gadgets you read the following posts on my blog:

  1. introduction to the gadgets platform
  2. Exploring Windows Desktop Gadgets 
  3. Exploring Windows Desktop Gadgets #2 – security and limitations
  4. Exploring Windows Desktop Gadgets #3 – settings storage
  5. Exploring Windows Desktop Gadgets #4 – flyouts

Or read MSDN.

P.S. this gadget doesn’t have any settings or flyout or anything else – it’s very simple.

Share :

Tagged with: