Tuesday, July 29, 2008

Help - My Development Site Has No Images

I was recently working with a developer at another company and had sent him a project that he was going to update and maintain. The site was developed in VS 2005 using C#.NET (with AJAX) and was working on my local development machine and in production.

He copied the project code onto his Windows XP computer, opened the project in VS 2008 and received a bunch of compile errors. The most notable error was "Could not load file or assembly 'System.Web.Extensions'". We tracked the problem down to the project using AJAX .NET version 1.x with VS 2005. He fixed that problem and the site compiled, but when he went to play the project (run in debug), the site showed only the text; no images were visible.

We checked the images directory and it showed the proper file names. Next we checked the CSS path and directory, since several images were used as background images on the site; that was OK too. It turns out the problem was related to access permissions.

The site used the dotNetSQL membership provider, and <deny users="*"> </deny> was set in the authorization section of the web.config file. After the user logged in, one expects the sub-directories to inherit the permission for that user, but they did not. Our workaround was to explicitly set the permission to allow all for those sub-directories.

The developer was using Windows XP and was not running IIS on his machine, so he was relying on the web server built into VS 2008. If anyone else runs across this issue, I hope this helps solve the problem.
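The web.config arrangement the post describes, with the workaround of explicitly opening the static-asset sub-directories, as an added example rather than the project's actual configuration. The "Members" role, the "images" and "css" folder names and the Login.aspx page are assumptions; the post only mentions the deny rule.

```xml
<?xml version="1.0"?>
<!-- Root web.config (added example, not the site's real file). -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />        <!-- assumed login page -->
    </authentication>

    <!-- Authorization rules are evaluated top to bottom; the first match wins.
         The post describes only the deny-everyone rule below; an allow rule
         for an assumed "Members" role is placed ahead of it so that a
         logged-in member is matched before the deny. -->
    <authorization>
      <allow roles="Members" />              <!-- assumed role name -->
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- The post's workaround: explicitly allow everyone on the folders that
       hold images and style sheets. A <location> element scopes the rules
       to one path, relative to the directory containing this web.config.
       Under the Visual Studio development server every request, .gif/.jpg
       and .css included, passes through the ASP.NET pipeline and so through
       URL authorization; IIS 6 serves such static files itself without
       consulting these rules, which is why the same web.config behaved
       differently in production. -->
  <location path="images">                  <!-- assumed folder name -->
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="css">                     <!-- assumed folder name -->
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keep the opened scope to the static-asset folders only; nothing in those folders should require a login, and the page and data directories stay behind the root rules.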

Wednesday, July 16, 2008

More SQL Injection

This past week I fixed a third site in three months that had suffered from a SQL injection attack. (Not sites Zajon built.) Last year I saw one site with this problem.

I thought I'd pass along this information and tool regarding SQL injection attacks on sites that use databases. If your corporate web site uses a database to track or record information, or you manage sites like that for clients, I'd recommend you look at this.

HP has developed a tool called "Scrawlr" to test sites for SQL injection vulnerabilities. They have posted a free version of the tool (it runs on Windows PCs, not Macs) that has some restrictions compared to the retail version. Here is the URL from HP's security blog where they discuss this tool.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

I would suggest you download and run this tool if you don't have another way of testing database-driven sites for SQL injection vulnerabilities. It is not perfect, so don't think your site is invulnerable if no problems are reported, but the Scrawlr tool is a good place to start.

- Post Script (July 17): I sent an e-mail with the same information as this post to several of my clients and people I work with. Today I heard from an agency I work with that one of their client sites had suffered a SQL injection attack. The count is now four in three months.