Author Archive

Watch out for “verify that file exists”

Just wanted to share one thing I noticed at work recently.

When you add a wildcard application map in IIS 5/6, there is a checkbox called “Verify that file exists”. With it checked, IIS looks for the file named in the request URI on the file system before it invokes the mapped executable; if the file is not there, IIS answers HTTP 404 itself and the extension never runs.

This causes two issues:
1/ If the wildcard map is an access-control extension (e.g. the SiteMinder ISAPI agent), an attacker can map out the website’s structure without logging in: a request for a path that does not exist gets the 404 straight from IIS, while a path that does exist gets the agent’s login redirect or 401, so iterating through candidate file names reveals which ones are really there.
2/ Any other application mapping (ISAPI extension) that serves content not backed by a file on disk is never invoked, because the wildcard mapping answers the request with HTTP 404 first. I hit this with Trace.axd, which ASP.NET generates dynamically: with “Verify that file exists” on, the request pipeline was broken and the request never made it to ASP.NET.

The practical rule: leave the box unchecked on a wildcard map that fronts an access-control or dynamic-content extension, and let the extension itself decide what to do with a path that has no file behind it.
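As an added example (not code from the original post, and not an IIS or SiteMinder tool), here is a small Python audit of IIS 6 metabase ScriptMaps entries that flags wildcard maps with “Verify that file exists” set and lists the extension handlers such a map shadows. The entry format (`ext,path,flags,verbs…`), the flag bit values (1 = script engine, 4 = verify that file exists) and the agent DLL path are assumptions; the sample entries are constructed.

```python
"""
Added example (not from the original post): audit IIS 6 ScriptMaps entries
for wildcard application maps that have "Verify that file exists" enabled.

Assumptions (not stated on the page):
  * metabase ScriptMaps entries have the form "ext,path,flags,verb1,verb2,...";
  * flag bit 1 is "Script engine" and flag bit 4 is "Verify that file exists";
  * the sample entries below are constructed and the agent DLL path is a placeholder.
"""
from dataclasses import dataclass
from typing import Iterable, List

FLAG_SCRIPT_ENGINE = 1       # assumed: "Script engine" checkbox
FLAG_CHECK_FILE_EXISTS = 4   # assumed: "Verify that file exists" checkbox


@dataclass(frozen=True)
class ScriptMap:
    extension: str   # "*" for a wildcard application map
    path: str        # ISAPI extension DLL or script interpreter
    flags: int
    verbs: tuple

    @property
    def is_wildcard(self) -> bool:
        return self.extension == "*"

    @property
    def checks_file_exists(self) -> bool:
        return bool(self.flags & FLAG_CHECK_FILE_EXISTS)


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one 'ext,path,flags,verbs...' entry; raise ValueError on junk."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[2].lstrip("-").isdigit():
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    return ScriptMap(parts[0], parts[1], int(parts[2]), tuple(p for p in parts[3:] if p))


def audit_scriptmaps(entries: Iterable[str]) -> List[str]:
    """Return findings for the two failure modes: enumeration oracle and shadowed handlers."""
    maps = [parse_scriptmap(e) for e in entries]
    findings = []
    for w in (m for m in maps if m.is_wildcard and m.checks_file_exists):
        findings.append(
            f"wildcard map {w.path}: 'Verify that file exists' is on; unauthenticated "
            f"404-vs-non-404 responses reveal which paths exist on disk"
        )
        # Every extension handler behind this wildcard map only runs for requests
        # whose target exists as a file, so a dynamic URL such as Trace.axd is
        # answered 404 by IIS before the handler ever sees it.
        for m in maps:
            if not m.is_wildcard:
                findings.append(
                    f"handler {m.extension} -> {m.path} is shadowed: requests for "
                    f"{m.extension} targets not present on disk get 404 from the wildcard map"
                )
    return findings


# Constructed sample, modelled on the shape of IIS 6 metabase.xml ScriptMaps.
SAMPLE_SCRIPTMAPS = [
    # wildcard map to a hypothetical access-control ISAPI agent; flags 5 = 1 + 4
    r"*,C:\Agent\isapi6webagent.dll,5,All",
    r".axd,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
    r".aspx,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG",
]

# The same site with the checkbox cleared on the wildcard map (flags 1).
FIXED_SCRIPTMAPS = [r"*,C:\Agent\isapi6webagent.dll,1,All"] + SAMPLE_SCRIPTMAPS[1:]


if __name__ == "__main__":
    for line in audit_scriptmaps(SAMPLE_SCRIPTMAPS):
        print("FINDING:", line)
    print("fixed config findings:", audit_scriptmaps(FIXED_SCRIPTMAPS))
```

To run it against a real box, export the relevant `ScriptMaps` property from the metabase (for example with `cscript adsutil.vbs GET W3SVC/1/ROOT/ScriptMaps`) and feed the lines to `audit_scriptmaps`; the flag values should be checked against the IIS documentation for your version before trusting the result.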

Categories: Windows

Windows Mobile / HTC upgrade policy

I currently use an HTC Touch Pro. It’s small, nice, easy to write on, functional. However, I bought it 1.5 years ago and since then there have been newer phones, bigger, faster, with more features.

I usually upgrade my phone every year or two, so I thought – it’s time.

However, there is no good replacement for Touch Pro. There’s a thing called Touch Pro 2, but it’s just a minor refinement. Moreover, I had a look through HTC’s leaked plans for 2010, they don’t have anything with bigger screen and much better CPU and hardware keyboard. I would love to buy “HD2 Pro”, but it seems it’s not going to happen.

So I decided to do a software upgrade instead, to get the new features. However, it’s a pain in the back. If I don’t want to spend weeks tweaking and building my new mobile OS, I have to download one of the “custom built” ROMs, e.g. from XDA Developers. But they do have issues. They hang, they’re not as stable as the original OS, they miss some features, draw weird things on the screen etc.

How come Apple gives you the newest software, no matter if you have a 3-year-old iPhone or the new and shiny 3GS, and HTC / Microsoft don’t? Do they fear I won’t buy a new phone? Hell, I will buy, just make me a device with WVGA, a Snapdragon CPU and a hardware keyboard and I will gladly pay whatever ridiculous price you put on it.

If not, just let me upgrade my phone, don’t make me feel like I’m stuck with whatever I have because I bought it a year ago.

Categories: IT

It’s never the hardware

A friend of mine asked me for help recently.

His new Windows 7 laptop could not authenticate to access a network share in a workgroup environment. I said “that’s going to be easy” and ran him through the usual troubleshooting – security logs, share permissions and maximum number of users, password synchronisation etc. By the time all seemed fine and he had said that he had already reinstalled the OS on the laptop twice, and that all other machines were working fine with the same share and same username, I realised it wasn’t one of the “usual suspects”.

After enabling the correct logging procedures, we got two nice failed events in the security log on the server – 680 and 529. Based on my experience, event 529 never lies. You can tell with all the certainty in the world that when a user gets event 529, he made a mistake in his password; there is no other explanation. Well, I’ll have to revise that policy.

The password was set to “1234” for both accounts and we still got the same error. I had to go to the office, so I told him to move the hard drive from the new machine to one of the older ones. I came back a couple of hours later and saw an IM message from him waiting for me. “DAMN, it worked.”

Reason? Failed motherboard.

Somehow it could connect to the Internet, could browse local network, but failed at authenticating a local account.

Don’t ask me how.

Categories: IT

MCSA

By passing 70-291 I became an MCSA. That’s quite odd, I thought I needed 4 exams, not just 3, but Microsoft says otherwise so I won’t argue.

Hey, nothing better than a good surprise gift for Saint Nicholas’ Day.

Categories: about me

70-291: not that hard

I passed 70-291. It wasn’t that hard, a lot easier than what I had heard about it.

I failed completely at RRAS; on the other hand I got 100% at IP addressing and maintaining infrastructure – it seems to be a good measure of what I really do / know.

Categories: about me