KCFinder for ASP.NET - asp.net

I have used KCFinder (http://kcfinder.sunhater.com/download) with PHP in some projects and integrated with CKEditor (http://ckeditor.com/) and I would like to do the same thing with ASP.NET (ideally with MVC).
Has anyone been able to implement KCFinder for ASP.NET (even partially)?
Or is there a similar File Manager for ASP.NET which can be integrated into CKEditor? I've been searching for one, but didn't find something similar to KCFinder.
Thanks.

Quoting the official page at http://kcfinder.sunhater.com/
Only PHP5 server-side scripting is supported. GD extension is required and safe mode should be off. To work with client-side HTTP cache, the PHP must be installed as Apache module.
So, no. If you want a .net version of it, you will need to either fork one yourself or convince the author to rewrite the backend system so that it supports multiple backend connectors.
Or if you are feeling hardcore, you could try using PHP within ASP.net pages - but I find that dirty, gross, icky, eww and wtf.

Related

Oracle padding exploit - how does it download the web.config?

I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP.NET apps which I have already tested using Microsoft recommended mitigation factors but I'm still scared that people will be able to get the web.config.
Can someone please explain how they do this or even provide a link to a tool that I can use to test my site with. I find that the official explanation of this part of the attack is really lacking.
The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application).
Guys - the answer is that once they have obtained the machineKey, they can use that key to fetch the files using another feature in ASP.NET
"In ASP.NET 3.5 Service Pack 1 and ASP.NET 4.0 there is a feature that is used to serve files from the application. This feature is normally protected by the machine key. However, if the machine key is compromised then this feature is compromised. This goes directly to ASP.NET and not IIS so IIS's security settings do not apply. Once this feature is compromised then the attacker can download files from your application - including web.config file, which often contains passwords.
Versions of ASP.NET prior to ASP.NET 3.5 SP1 do not have this feature, but are still vulnerable to the main machine key attack."
(see the post at the bottom of here: http://forums.asp.net/t/1603799.aspx from the asp.net team)
Scott Guthrie has a post which explains it to some extent.
This blogpost is pretty interesting: http://www.gdssecurity.com/l/b/
also read this:
How serious is this new ASP.NET security vulnerability and how can I workaround it?
afaik it goes like this:
these are hit: webresource.axd and scriptresource.axd, both use an encrypted/signed value that asp.net tries to check if it's valid
because of differences in the response when the files are or are not valid, they can make the padding attack.
once the attack is successful they can generate a request for a resource as if it were originally emitted from asp.net
Now, as far as I knew, both of those are supposed to serve embedded resources, but I guess that's not the case (Scott Gu did mention in his post's comments those are the ones being used in the attack shown).
The following post may be interesting for this thread:
http://blog.mindedsecurity.com/2010/10/breaking-net-encryption-with-or-without.html
FYI, a patch for this bug has been released on Windows Update.
http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
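
For defenders, the probing described in this thread (many forged requests to WebResource.axd and ScriptResource.axd whose responses differ by validity) is visible in web server logs. The following is an added example, not part of the original posts: it flags clients that send bursts of rejected handler requests carrying many distinct tokens. The log field order, the status codes counted as failures, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

HANDLERS = ("/webresource.axd", "/scriptresource.axd")
ERROR_STATUSES = {"404", "500"}  # assumption: statuses counted as failed handler requests

def parse_line(line):
    """Parse 'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status' (assumed order)."""
    if not line.strip() or line.startswith("#"):
        return None  # skip blank lines and W3C directive lines
    parts = line.split()
    if len(parts) != 7:
        return None  # malformed or different field layout
    _date, _time, ip, _method, stem, query, status = parts
    return ip, stem.lower(), query, status

def suspicious_clients(lines, min_errors=5, min_error_ratio=0.8):
    """Return {ip: (errors, total, distinct_tokens)} for clients sending many
    different tokens to the resource handlers, nearly all of them rejected."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "tokens": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[1].endswith(HANDLERS):
            continue
        ip, _stem, query, status = rec
        stats[ip]["total"] += 1
        stats[ip]["tokens"].add(query)
        if status in ERROR_STATUSES:
            stats[ip]["errors"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["total"]
        if s["errors"] >= min_errors and ratio >= min_error_ratio and len(s["tokens"]) >= min_errors:
            flagged[ip] = (s["errors"], s["total"], len(s["tokens"]))
    return flagged

def build_sample():
    """Constructed sample log lines (documentation IP ranges), not real traffic."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    for i in range(3):  # ordinary browser fetching one embedded resource
        lines.append(f"2010-09-20 10:00:0{i} 198.51.100.10 GET /WebResource.axd d=tokenA 200")
    lines.append("2010-09-20 10:00:05 198.51.100.10 GET /default.aspx - 200")
    for i in range(8):  # burst of distinct tokens that are all rejected
        status = "500" if i % 2 else "404"
        lines.append(f"2010-09-20 10:01:0{i} 203.0.113.7 GET /ScriptResource.axd d=probe{i} {status}")
    lines.append("2010-09-20 10:01:09 203.0.113.7 GET /ScriptResource.axd d=probe99 200")
    return lines

if __name__ == "__main__":
    for ip, (errors, total, tokens) in suspicious_clients(build_sample()).items():
        print(f"{ip}: {errors}/{total} failed handler requests, {tokens} distinct tokens")
```

Real IIS logs declare their field order in the `#Fields:` line, so the parser has to be adapted to the fields actually logged before the thresholds mean anything.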

Drupal-Salesforce with NuSOAP

We have a Drupal 6 application (PHP 5) using the Salesforce module for integration. Everything works great on our current server, but we are moving to a server which does not allow the PHP SOAP extension, which the Salesforce module relies upon. NuSOAP does work on the new server.
From our initial effort, it's a very difficult task to patch the Salesforce module to use NuSOAP. Does anyone know of alternatives we can pursue, or perhaps provide assistance with the move to NuSOAP?
Check out the Zend SOAP client, I think that can work without the PHP extension as well.
In any case, I wouldn't touch NuSOAP with a ten foot array, it's very outdated. Latest release was in 2005.
It seems eerie to read that, given the cost of going with Salesforce and integrating, you don't have enough control over your own server to enable the builtin SOAP extension.
As Mikl said, you can still use Zend SOAP in the Zend Framework, but being in PHP it cannot reach the performance of the builtin extension; and ZF still evolves rather fast, meaning a dependency which can be costly to maintain, unlike the default SOAP extension.
And I would not want to use NuSOAP, due to its unmaintained state.
I think you really should reconsider your PHP configuration before continuing as you plan.

Url Rewriting vs. Routing

I am making a new asp.net web forms site and would like to beautify my urls - I want to accept a url like this one "www.mysite.com/1-2,3" and turn it into one like this "www.mysite.com/page.aspx?a=1&b=2&c=3". Which option is best for this task - IIS7 Url Rewriting or Routing in terms of performance and ease of maintenance. Btw I am planning to use medium trust shared hosting IIS7, maybe 6.
In the past I used PHP's mod_rewrite, which I was quite happy with, however now this whole site is being translated to ASP.NET, and I don't know which option to pick.
PS - I have already read this and this, however didn't find it clear enough for my problem.
I would make a strong argument for using routing. It keeps the request-resource resolution logic within your application, so it's very easy to add application-dependent logic when you need, and it eliminates the need to maintain synchronization between your application and a separate configuration resource.
Routing works great with traditional webforms.
URL rewriting is often (though not always) a compensation for a problem, rather than a solution - server software and frameworks still built around the older notion of web pages, which represent physical resources. However, web applications should react to requests as commands; but only relatively recent, modern web frameworks have begun to support that model natively. Routing is one of those developments.
I would strongly suggest to use routing, it will in fact be more integrated with webforms in next version of the framework.
URL rewriting is more of a "hack" due to the lack of the routing in the first place. If you already have a project that you want to "shine up", then url rewriting will do just fine.
But when starting from scratch, I would definitely use routing.
Routing hides your application structure and makes you think more of your urls, as path to the content that you want to show, opposed to the path to some page with params.
And you don't have to keep track of 2 things when changing stuff, like you would with rewriting.
more in this article
IIS 5/6 used ISAPI filtering which was basically the equivalent of mod_rewrite for IIS. I hear that IIS7's url rewriting is a lot easier to manage and configure than ISAPI.
Well it depends on whether you're using classic ASP.Net or the new MVC framework. I don't have any experience with the MVC framework, but it sounds like it supports what you're looking for right out of the box.
On the classic ASP.Net side of things, we're currently using an IIS extension called ISAPI_Rewrite. It behaves similarly to Apache's mod_Rewrite and they have a free version you can use that has most of the power of the paid version ($100).

Ajax on Mono

Do you guys know about an ajax toolkit (or something similar to the m$-ajaxtoolkit) for mono??
Microsoft's ASP.NET AJAX Control Toolkit works on Mono, and is open source (Ms-PL). That doesn't preclude the use of jQuery, though. There are actually several third party AJAX libraries and control toolkits that support Mono, and many are compatible or work in conjunction with ASP.NET AJAX.
I agree with Brian, but want to add that you should read Dave Ward's series on jQuery and ASP.net. He really distills the essence of what you can do with jQuery, PageMethods, and WebForms without MS Ajax. These ideas are directly applicable to the Mono / Linux environment.
Here's a list of essential posts:
Using jQuery to directly call ASP.Net Ajax PageMethods
Use FireBug To Learn jQuery
Simplify calling ASP.NET Services with jQuery
I'd recommend rolling your own using jQuery. That's what m$ is doing now anyway.
Debugging Mono website
Do you remember, that you have no development environment in this machine? You can install it, or download Mono liveCD with openSuse. But before doing it, please note, that GTK# (its devenv) is not very user friendly. It is even worse than Eclipse. So let’s try to understand first whether we can fix small compatibility problems without entering code.
The most convenient method to debug web site on Mono is by using XSP and XSP2 mini web servers. Just enter the directory of the site and run it. By default you’ll be able to access the site by using ... (it will also be written for you). Enter and notice whether you have any errors in console. No? Keep doing.
The most common problem is “error 500” with nonsense stack. If it contains ScriptManager error Type not found, the problem is in Web.config file. Try to regenerate it to be compatible to Mono (for example, Mono has different version of System.Web.Extensions assembly. In ASP.NET 3.5 it has version 3.5, Mono has only 1.0.61025.0 (the old AJAX.NET)). To recreate your web.config all you have to do is to execute “mconfig af AJAX Web.config” It will create default web.config file, supports System.Web.Extensions (AJAX features).
Not helped? Keep doing. Let’s look another time into the stack – if it contains errors in “EnablePageMethods” or “ShouldGenerateScript” or “EncryptString” – the problem is serialization. Mono has very limited support for JSON, XML and SOAP serialization. Try to look into your code and notice if you have classes, marked with [Serializable] or you are transferring your own classes by using PageMethods. If so, replace it with regular strings (my grandma serialization).

What's the best way to implement friendly URL in ASP.net?

What's the best way to implement friendly URL in ASP.net?
The ASP.NET Routing Framework provided in .NET 3.5 SP1 is a good one.
Although it is very new, it can handle many URL-related tasks and most frequently used URL-friendly schemes very well.
It can be used outside of MVC, too.
The best way to do this is to look into the new MVC toolkit from microsoft (http://www.asp.net/mvc/)
See http://weblogs.asp.net/scottgu/archive/2007/11/13/asp-net-mvc-framework-part-1.aspx for an example.
Sure, it's only beta right now, but the core of it is the routing system that makes it possible to make intelligent urls based on actual content.
I.e. to edit product with id 5 you'd have an url that looked like
/Product/Edit/5
If I read the specifications correctly, you can use this routing system for anything (i.e. so you don't have to recode the entire site to use it), and it can default to allow direct references to an existing file to have precedence over its own rules (i.e. /myfile.aspx will still use the file, instead of a route). That way you can mix and match the technologies and urls while you make the transcendence to the new routing based system.
I have used UrlRewriter.Net library. It is small but powerful and easy to configure.
If you're looking to do this in earlier versions of the .Net Framework, you can use the RemapURL tool from the IIS 6.0 Resource Kit. We use it, and all it takes is installing the dll, creating a very simple ini file with your friendly urls and their associated endpoints, and enabling the dll in Web Service Extensions. Very simple how-to here.
