ColdFusion Captcha Handler Mapping in IIS7 - iis

What is the handler mapping needed in IIS 7.x to produce CAPTCHA images? The only one that works seems to be the wildcard, which is ridiculous from a security point of view. In tightening the security of ColdFusion according to the lock-down guide at http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf, they recommend removing this wildcard mapping, but that seems to break CAPTCHA.

Not sure what the setting is, but you could try: save the image to a web-accessible folder using the destination attribute; use an img src to display it; add a scheduled task that every hour/day deletes images older than that time period.

Related

Cache issue in Sitefinity/IIS, what can I do?

I have a problem which I am struggling to identify. It may be a Sitefinity (CMS) problem or it may be an IIS problem.
Explanation:
I have an external database where the user login information is stored. When I change my information in the external database, the changes do not affect the Sitefinity page. But if I wait for many hours OR restart the website in IIS, the changes are made and affect the Sitefinity page.
So, as far as I can see, this could be either Sitefinity or IIS.
I tried to disable the Sitefinity Output Cache, but it did not help.
Now I want to try to do something in IIS, but I am not very familiar with IIS. Do you have any idea of what I should do/try?
Sitefinity has caching profiles. The standard (default) one should be 20 minutes, sliding expiration, if I remember correctly. Go to the page, click Title & Properties. In the dialog, scroll down until you see the "Advanced" section. It's probably collapsed by default.
Expand it and see if Caching profile is anything different from "No caching". If so, make it "No caching" and save. Re-test.
This is output cache. You can think of it as saving the HTML page on the first request and then serving this saved copy. The cache invalidates on multiple events. For example, if you publish the page, it will invalidate the cache.

Protect static files in Classic ASP website

I want to secure static files (images, .txt files) from unauthenticated users. How can I implement user authentication on the website so that the static files in a specific folder also get secured? I have used simple authentication in a login.asp file and started a session for the authenticated user, and I check the session value for protected .asp files. But I have no idea how to secure static content on a Classic ASP website.
The website is hosted on IIS 7 with Integrated pipeline mode.
You already asked this, and I answered it, and I will give you the same answer.
You will need to use BASIC AUTHENTICATION to restrict access on static files in IIS (Classic ASP). Otherwise, you need to save the static content in another format and encrypt it and only make it viewable by people authenticated by your program.
Please don't ask this again, the answers will not be different.
If using Basic Authentication is not your cup of tea, one possibility would be to replace your static files with an ASP file that, upon authorization, will output the correct file. If necessary, you can set the ContentType of the Response to the appropriate type. The link http://support2.microsoft.com/kb/173308 shows you how to do that with an image stored inside a database, but of course you can take whatever you want as the source of the file. In the case of .TXT files, you can even directly take the file and simply add a small section of ASP code at the beginning for doing the check.
All of this requires extra work. There is no way to simply activate some sort of protection with the session state for static files without extra work.
Old question but -- most MS servers with Classic ASP installed have several default folders which cannot be accessed except via ASP. They are /bin, /app_code, /app_data, and there may be others. It depends on your hosting company. Windows 10 IIS (their cut-down dev & test suite) locks these by default. Using ASP code to retrieve and display text and HTML is very easy, but I'm not sure how to do images. If you have very low traffic, one way would be to copy the image file to an unlocked folder and give it a random name, then access it normally in an IMG tag, then delete it after use. (I came here looking for a better method.)
Update: The answer to loading images via ASP is here -- displaying images from SQL database with Classic ASP ... see the bottom answer by "HeavenCore" and, instead of Response.BinaryWrite rs("ImageBlob"), get the binary of the image into your variable, e.g. BinaryImageData, and do Response.BinaryWrite BinaryImageData

In Plone is it possible to remove certain stripped and nasty tags for manager role only?

I'd like to side-step some of the security filtering done by Plone, but only for people with manager or site admin roles. I want regular members to be able to add content, but that content should still be filtered. Specifically, at this moment I'm looking at allowing iframes for the manager role, but this question is also more generic. The access to Plone that I'm referring to is a person editing a site page through Plone's standard editing system, TinyMCE.
If you look at the TinyMCE code you'll see that it loads some configuration from the server through the safe_html transform inside the portal_transforms tool (see https://github.com/plone/Products.TinyMCE/blob/11b957652846679cf7f441cc956730bd6fc92f87/Products/TinyMCE/utility.py#L499).
You can simply patch the getValidElements method above (adding some user permission checking before removing/adding stripped tags), but it's not enough: this will simply change TinyMCE behavior (client side), but an evil user can access your site with TinyMCE disabled (really simple to do, just disable JavaScript in the browser), then upload custom HTML without those filters.
So: the best thing to do is to customize the safe_html transform with the same permission checking. The simple way to add new stuff here without monkey-patching is to register a new plone.outputfilters adapter as described here: https://pypi.python.org/pypi/plone.outputfilters#adding-a-custom-filter
Simply patching safe_html will not work for several reasons:
HTML is not only filtered on save but also on display. That means that admins would see your iframe but normal users would not.
The filter is only executed once, at the first display, and then cached for one hour. Adding code that distinguishes between roles would have no effect on the second visitor.
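The two answers above agree on the core point: the client-side TinyMCE configuration is advisory only, and the server must enforce an allowlist of its own, applied once at save time rather than role-dependently at display time (where the cached result leaks across users). The following is an added, self-contained illustration of that pattern, not code from Plone or plone.outputfilters: a stdlib allowlist sanitizer whose permitted tag set is widened with iframe only when the saving user holds a permission. The permission name "Plone: Embed iframes" and the tag allowlists are constructed for this example, and a real Plone filter would wire this into the IFilter adapter interface the answer links to.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example (not Plone's real safe_html configuration).
BASE_ALLOWED = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "br", "img", "h1", "h2", "h3"}
PRIVILEGED = {"iframe"}                  # unlocked only for privileged editors
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height"}
URL_ATTRS = {"href", "src"}
IFRAME_PERMISSION = "Plone: Embed iframes"   # hypothetical permission name


class SafeHtml(HTMLParser):
    """Allowlist filter: unknown tags are dropped (their text kept),
    script/style are dropped together with their contents, and only
    known attributes survive, with javascript: URLs removed."""

    def __init__(self, allowed):
        super().__init__()          # convert_charrefs=True: data arrives unescaped
        self.allowed = allowed
        self.out = []
        self.skip_depth = 0         # >0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.allowed:
            return
        safe = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue
            if name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                continue
            safe.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends: emit the start tag only, never a bogus </br>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.allowed:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-escape so text can't re-open markup


def filter_html(html_in, user_permissions):
    """Sanitize editor input at save time; the allowlist depends on the
    *saving* user's permissions, so the stored HTML is safe for every viewer."""
    allowed = set(BASE_ALLOWED)
    if IFRAME_PERMISSION in user_permissions:
        allowed |= PRIVILEGED
    parser = SafeHtml(allowed)
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: what a user might submit with TinyMCE disabled.
    submitted = ('<p>Hi <iframe src="https://example.com/"></iframe>'
                 '<script>alert(1)</script><a href="javascript:alert(2)">x</a></p>')
    print(filter_html(submitted, set()))                  # member: iframe and script gone
    print(filter_html(submitted, {IFRAME_PERMISSION}))    # manager: iframe kept, script gone
```

Because the decision is made once, when the content is written, the cached display output is identical for every visitor, which sidesteps the per-role caching problem described in the answer.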

SharePoint HTML Editor Field Control Converts Relative URL to Absolute URL

Put a relative URL (no server name) into the HTML Editor and save the page. The URL is converted to an absolute URL (http://server_name is added to the beginning).
This is posing a problem for moving content from our staging to production environment, as the server names are different.
The exact same scenario is common when using the Content Editor Web Part, and Microsoft has published a fix here:
http://code.msdn.microsoft.com/WssCewpLinkFixup/Release/ProjectReleases.aspx?ReleaseId=2210
The solution creates a custom ASP.NET 2.0 control adapter to change the rendering process of all Content Editor Web Parts in the application.
But we are using the HTML Editor Field Control, not the Content Editor Web Part.
Can the same approach be used to change the behavior of a web part?
Has anyone else encountered this problem and solved it? A Google search has come up with no answers, only many frustrated users and abandoned forum threads, including this one on StackOverflow from a year ago:
Publishing HTML Field Control Converts Relative URL to Absolute URL
Many thanks in advance.
You may be able to put a little bit of JavaScript in the link, either
Link
or
Link
Haven't tried it, but it may work.

Classic ASP "Down for Maintenance" page

I'm making some changes to a legacy Classic ASP application. I've made the changes locally, and now I want to copy the changed files to the server. At the same time, I need to download the Access database, add some fields to some tables, and upload it again. For this reason, I need to be able to stop visitors from modifying the database while this is happening.
My main question is: what is the best way to set up a quick "Down for Maintenance" page that will be shown immediately, no matter which page the visitor requests? The application is already established, so I'd rather have an answer that didn't require me to rework the application's architecture.
My second question (maybe this should be a separate question):
Is there a better way to add fields to a db table than to copy it down, modify, and stick it up again? Please forgive if that's a dumb question - I'm new to ASP - new to Windows too.
I only have FTP access to the remote server.
Thanks.
Two ways:
1. If you do a server-side include in every ASP page, you can do a Response.Redirect in that include to /upgrading.html.
2. In global.asa you can do a Response.Redirect in the Session OnStart event. This is probably the best way. It will only work for .asp pages, not if the client comes to a .html page.
Do you have any control panel access to the site at all?
When I used to run a number of ASP Classic sites I often turned them off for the five minutes required to do what I needed.
Rude to do to your visitors I know.
As others have said, you could redirect to a page, but that won't stop people visiting static content in HTML pages. That probably won't matter, though; at least it stops them making changes to the .mdb whilst you download it.
It's a pity that ASP.net's app_offline.htm doesn't work for ASP classic.
Another option I used to use was to create a default.htm file that had the offline message, and the way IIS was set up, default.htm overrode default.asp, so simply uploading default.htm changed the homepage. This of course doesn't stop anyone using any of the other .asp pages.
So no real answer! Sorry.
If you have just FTP access to the server (and no control over IIS), just insert a Response.Redirect to the "down for maintenance" page at the top of all the ASP pages, and remove it when the update is completed.
The changes to the database can be performed with the ALTER TABLE statement.
With regards to the "Down for Maintenance" page issue, taking mapache's idea a step further: if there is an included file (for a header) in each of the pages, you can put the Response.Redirect in that one file and upload that in place. This will avoid making changes to all pages.
Another option is to upload a temp HTML file which will be found first by IIS. In IIS you can set which page name.ext are looked for in a domain/folder. For example, when you browse to www.example.com you don't specify the page you are looking for, so it could load index.html or index.htm, depending on setup. It will depend on your host's configuration, but with a bit of trial and error I'm sure you can find out which one they use. Common ones for IIS are default.htm, default.html, index.html and index.htm. You can then put it in each of the folders in the website (not ideal, I know) and then carry out your maintenance.
When updating databases you can run a migration script, written in SQL, to update the schema and data of the db. As you only have FTP access, this will require some sort of page you can paste the SQL into and run. This however opens security issues, so downloading the db, making the changes and then uploading again is probably easier. In addition, doing it this way means you can also save the file and you'll have a backup :-)
Hope this helps.
Better than an include file, just use the Global.asa.
In the Global.asa's Application_OnStart, add
    Application("Offline") = True
At the top of all of your ASP files, add
    If VarType(Application("Offline")) = vbBoolean Then If Application("Offline") Then Response.Redirect "App_Offline.htm"
(The double If gets around the lack of short-circuit operators in VBScript, and therefore any data type errors.)
You could even set the Global.asa code to
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Application("Offline") = fso.FileExists(Server.MapPath("App_Offline.htm"))
    Set fso = Nothing
which would enable the offline page if it exists, like ASP.NET. However, the application start code is only re-parsed when the server is reset (using iisreset) or when the Global.asa file is modified, so merely adding App_Offline.htm will not be enough.
Add the code below to web.config:
    <?xml version="1.0"?>
    <configuration>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
      </system.webServer>
    </configuration>
And place app_offline under the root folder. This will work.