Petes random thoughts and jottings

Chrome 19: xmlhttprequest open() with authentication is broken

Mon, 21 May 2012 08:31:19 -0400

Good old Chrome autoupdated itself last week. All was fine except now I can’t seemlessly log into my web applications.

Turns out it has stopped supporting embedded identities eg: http://username:password@google.com
(note: that is not my real username and password!) That is fine but it looks like when you use the following code:

var xhr = new XMLHttpRequest();
xhr.open(“GET”, “/data”, false, “pete”, “test1”);

It doesn’t use the username and password anymore and instead the user gets the authentication dialog box.

Surely this is a bug?!

I thought I had got a workaround by adding the following code:
xhr.setRequestHeader(“Authorization”,”Basic cGV0ZTp0ZXN0Mg==”);
This does work but the browser doesn’t save the credentials, so if the browser gets sent to a secure page, you still get the popup authorisation dialog.

My choices are:
1. Wait to see if they fix this problem
2. Don’t support Chrome anymore
3. Rewrite the authentication system

It looks like point 3 is the way to go. I might have to start using cookies within the authentication process, I really liked using the Basic HTTP authentication because it can be used by the browser and programmatically very easily. If I introduce cookies, then programmatically retrieving data gets harder and a lot messier.

Have we been Hacked?: An investigation

Wed, 09 Nov 2011 12:33:28 -0500

I started to get a lot of spam email from one email address, about 10 every minute: they were all going into my junk mail folder but after a few hours I was curious as to why this was happening.

In outlook, I opened the email and then selected ‘Properties’ (in outlook 2010, click on File menu then click properties button). You get to see the headers for the email, of interest was the Received: header which identifies the source.

Unfortunately the IP address it was coming from was one of our servers… uh oh…..

Perhaps we had an smtp server sitting on there being used as our secondary mail server (in case our primary mail server went down) but no, the smtp server option hadn’t been installed. I tried telnetting to port 25 on the box but no response so it didn’t seem to be a piece of software (rogue or otherwise~) acting as an smtp server.)

Next brainwave: I used netstat on the commandline to see if port 25 was currently in use. The command is:
netstat -ano formats the data quite nicely and if you do the following:
netstat -ano |findstr :25 you can find only entries that are communicating to/from port 25.

Success, netstat told me which process was being used by giving me the pid (process id). If you then go into resource monitor or task manager you can relate pid to a process (you might have to add pid as a column for task manager).
It was a w3wp.exe - one of the application pools on IIS. Luckily we have started to use application pool identities on IIS so I knew which application pool was the culprit (On resource manager, add column ‘username’ to see the application pool name, in task manager, it shows it there by default)

Ok, it happens to be one of our old websites but how is it occurring? For that particular website (we have 1 application pool per website which makes things a lot easier) I then looked into its log files stored here: %SystemDrive%\inetpub\logs\LogFiles\{id} (Find the ID from IIS manager by clicking on the sites folder in the left hand side and you will see all the sites with their ids)

Most log files were 1Mb each, except for today which so far is 24Mb! Ahah! Success. Looking into the log file told us which page was being ‘hacked’. It was a tell a friend page where you could enter yours and a friends email address along with a message and the server would send the friend an email looking like it came from your email. A classic case of forgetting to put a captcha on the page. The page has been around for 4 years and only today someone discovered its vulnerabilities. Luckily I am BCCd on all emails sent which is why I got a lot of emails sent to me. If I hadn’t been copied in, we wouldn’t have found out until our email server had been blacklisted.

I blacklisted the IP address which put an immediate stop to the problem but have deleted the page aswell. It was very rarely used (not for months) and so wont be missed. But a good learning experience all round.

By amazing coincidence my second in command is on holiday this week. He says he is at Centre Parcs but if I found out he has gone to the Philippines (which is where the IP address of the hacker comes from), well, I hope for his sake, he brings me back a nice present.

Adding associations in a dbml: LinqtoSQL

Mon, 31 Oct 2011 08:43:26 -0400

Adding association to a dbml; if they aren’t working making sure both tables have a primary key!

You know you're old when...

Wed, 05 Oct 2011 08:02:32 -0400

After helping my daughter (age 6) with singing Its a long way to Tipperary, she asked me:

“Were you in the war Daddy?”

Fix: IIS 7 SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission failed

Fri, 12 Aug 2011 11:03:36 -0400

IIS 7 recommends using ApplicationPoolIdentities for its application pools. This is instead of using NetworkService. One advantage of this is looking at Processes in Task Manger, the IIS Worker process has the username matching the application pool name and thus it is easier to see which is consuming more resources etc.

BUT, if you switch to ApplicationPoolIdentity as the Identity you might come across the following error:

[SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.]

To fix this, in advance settings for the application pool change load user profile to true.

For more information on ApplicationPoolIdentity see http://learn.iis.net/page.aspx/624/application-pool-identities/

Accessing Reporting Services API locally: User Denied problem

Tue, 09 Aug 2011 07:50:36 -0400

We deployed to a new server this morning with SQL Server 2008 running on it. Our software was trying to programmatically access the Reporting services api (found at: http://localhost/ReportServer/ReportExecution2005.asmx) This would work but if we used http://publicurl.com/ReportServer/ReportExecution2005.asmx then this would fail. This is because IIS doesnt allow you to access a domain if it is pointing back at the box you are on and if you wanted to use integrated authentication. This stuff is called loopback checking

To resolve this you need to make some changes to regedit: Follow the instructions found here: kb896861

This will enable you to set up hostnames that loop back to the local machine and will be allowed by IIS.

Identifying Reporting Services subscriptions in SQL Server Agent

Tue, 09 Aug 2011 07:24:20 -0400

The jobs created by reporting services subscriptions have ‘random’ names. Here is some sql that helps you identlfy the subscription and the report.

SELECT Schedule.ScheduleID AS SQLAgent_Job_Name, Subscriptions.Description AS sub_desc, Subscriptions.DeliveryExtension AS sub_delExt,
[Catalog].Name AS ReportName, [Catalog].Path AS ReportPath
FROM ReportSchedule INNER JOIN
Schedule ON ReportSchedule.ScheduleID = Schedule.ScheduleID INNER JOIN
Subscriptions ON ReportSchedule.SubscriptionID = Subscriptions.SubscriptionID INNER JOIN
[Catalog] ON ReportSchedule.ReportID = [Catalog].ItemID AND Subscriptions.Report_OID = [Catalog].ItemID

Thansks to SteveFromOz at Sqlservercentral forums

HTML5 video tag gotcha - IE9

Tue, 28 Jun 2011 11:06:00 -0400

If the tag doesn’t work in IE9, but the video if you access it directly (it should play in Windows Media Player) - make sure the mime-type is set correctly.

The mime type for .mp4 is video/mp4 Other browsers seem to cope with the bad mime type but IE9 refused to play the video. Its nice to see IE9 being a stickler for standards for a change!

HTML5 Video Tag - New Learnings

Tue, 28 Jun 2011 10:58:00 -0400

We host quite a few videos on our website, currently they are stored as flv files and played through a flash player (We user JW Player), but we get quite a few requests of people using non-flash devices (ipad, iphone etc) who want to watch the video and so I am quite keen to use the new HTML5 <video> tag.

There are 3 main formats to consider: WebM, Mpeg4 and OGG. I used ffmpeg to convert the flv file to .mp4(codec h264) and .ogv (codec: ogg theora) files but found the quality better on mp4 and the file size smaller. I havent tried WebM so will leave that for a later experiment.

Best practice recommends that you should have available all 3 formats for each video with Flash player to fall back on (using the H264 video as Flash supports it). We have too many videos to have lots of formats supported, I wanted to keep it as simple as possible ie only have 1 format so I went with H264 mp4. The reason is: Flash supports H264 but doesn’t currently support Ogg files or VP8 codec. All the devices that cant play flash support H264.

Until I develop an automated system that allows me to upload a video and get it automatically exported into the different formats I will stick with mpeg4.

protocol relative urls

Wed, 11 May 2011 05:27:00 -0400

We do development on our test boxes using http (on our intranet) but use https on our production servers. I also use googles cdn to host the jquery files I use. The question is do I use http or https to link to them, or use javascript to change the link or perhaps get the server to create the src link. The best solution is to use protocol relative urls! Heres an example:

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.4.3/jquery.js"></script>

Drop the protocol and just start with double slash. The browser will then use the same protocol as the current page. NOTE: if you do this with stylesheets (css files) then IE7 & IE8 will download these files twice, I’ll need to check whether IE9 has this problem. I only really link to javascript (and media) files externally so protocol relative files work for me.

Special offer pricing FAIL

Sat, 26 Feb 2011 14:19:55 -0500

Special offer pricing FAIL

Mime types on IIS7

Fri, 18 Feb 2011 04:32:00 -0500

I host quite a few mp4 videos on our webserver which runs IIS7. By default, IIS7 doesnt have the mime type set for mp4 and thus returns an error of 404 if you try to access the file. This is done for security reasons (so people cant access secure files by default eg .inc, .cs etc). Thats a valid point but mp4 is quite common as a format especially these days so why isnt that one made available?! Anyway, in IIS7 I came across quite a nice solution, you can additional mime types to the web.config. Here is a sample:

<system.webServer>
<staticContent>
<mimeMap fileExtension=”.mp4” mimeType=”video/mp4” />
<mimeMap fileExtension=”.m4v” mimeType=”video/m4v” />
</staticContent>
</system.webServer>

I like that, if we ever move to another server thats one less thing to have to remember to set up.

CSRF and REST: A simple way of stopping CSRF?!

Fri, 28 Jan 2011 08:31:05 -0500

CSRF and REST: A simple way of stopping CSRF?!

IIS 7 Enabling PUT request

Wed, 22 Dec 2010 11:01:50 -0500

Im doing some funky restful services and was setting it up on a laptop. BUT PUT requests werent working (always returning a 405 error - Method not allowed). The fix was to uninstall WebDav publishing as a feature of IIS. And then it worked straight away.

Some people were talking about Webdav is forcing you to make authorised requests for PUT but I was and it wasnt working. Simplest solution was to remove it as I didnt need it.

Moving css styles inline for better compatibility in email

Fri, 17 Dec 2010 07:00:03 -0500

Moving css styles inline for better compatibility in email

IIS 7 and Custom Errors

Tue, 14 Dec 2010 12:38:40 -0500

Ive got a nice restful service going on (yay openrasta), works well in IIS6 but is giving me default error messages in IIS 7. To turn it off add the following to web.config:

   <system.webServer>
        <httpErrors existingResponse="PassThrough" />
    </system.webServer>

All happy again! I need to look into what other options there are for this setting but it gets me out of a fix for the time being

HttpContext.Current.Profile is null in iis7

Thu, 25 Nov 2010 08:40:00 -0500

HttpContext.Current.Profile is null in iis7:

Fixed by adding an additional attribute to the modules section in system.webserver

Getting web config settings when in design mode in Visual Studio

Wed, 03 Nov 2010 07:37:26 -0400

Getting web config settings when in design mode in Visual Studio

Converting a data column into comma separated string

Tue, 26 Oct 2010 09:04:23 -0400

Converting a data column into comma separated string:

The for xml auto works very nicely

Safari bug with XmlHTTPRequest authentication: @ symbol

Wed, 20 Oct 2010 05:25:05 -0400

I was testing with safari 5 on Windows and came across the following bug. If the username or password contains an @ symbol, then the xmlHTTPrequest will fail. It wont make a request, instead will generate a blank error. The solution is to replace @ with %40 (eg. username.replace(“@”,”%40”)) for username and password. This works and the server automatically decodes the username /password back to the original.

Sweet!