Wow, a pretty serious one this.

 Version 1.3 of BlogEngine.NET has a security flaw that allows an attacker to view the source code of any file in your blog directory. Update: Make that any file on your website, not just in the blog.

This includes your web.config file, sql.config file and the scariest of all, the users.xml file.

This is the file that, if you're using the default data provider (XML) holds all the user login details for your blog. That's right, admin usernames and passwords, in clear text.

This vulnerability is already in the wild and a quick search on Google reveals about 185, 000 results. That's a lot of vulnerable blogs.

 There's already a patch for this flaw, but it seems that the download link might be broken. In the meantime, as a temporary fix, you could probably rename the users.xml/sql.config file to something different i.e. hard to guess. But if you want to keep your blog online, your web.config is still going to be visible, so make sure there's nothing sensitive in there.

The other day I decided to add some really simple health monitoring to my .NET website. That is, if an error occured while someone was browsing the site, then I'd be notified about it and could fix any recurring problems.

I followed a great post by Mads Kristensen which simply involves creating a Web.config file like so:

<?xml version="1.0"?>
<configuration>
   <appSettings/>
   <connectionStrings/>

   <system.web>
      <compilation debug="false" />
      <trace enabled="true" localOnly="false" />

      <healthMonitoring enabled="true">
         <providers>
            <add name="EmailProvider" 
               type="System.Web.Management.SimpleMailWebEventProvider"
               from="you@domain.com"
               to="you@domain.com"
               subjectPrefix="Error: "
               buffer="true"
               bufferMode="Notification" />
         </providers>
         <rules>
            <add provider="EmailProvider" name="All App Events" eventName="All Errors" />
         </rules>
      </healthMonitoring>

   </system.web>
   <system.net>
      <mailSettings>
         <smtp from="you@domain.com">
            <network host="smtp.domain.com" />
         </smtp>
      </mailSettings>
   </system.net>
</configuration>

If you're adding to an existing Web.config, the bits you need are highlighted. The areas are pretty much self explanatory. First you enable tracing, then you specify the health monitoring provder that you want to use. In my case, I used the email provider, which allows you to specify the email addresses you want to send to and from, along with a prefix for the email subject line. There's an MSDN page on the trace element which gives you all the different values for these settings. For example, you may want to restrict the number of error emails that are sent to you within a minute, so that you're not getting spammed. Then finally, the mail settings is just for providing your SMTP server settings.

Anyway, the point of this post wasn't to regugitate Mads' post, but rather to point out that I had implemented this health monitoring myself, and that it was very easy to set up. However, I soon started getting some odd error emails.

These often related to the elements on my site which would not be directly accessed by a user such as the Webresource.axd file and even C# code files. It turns out that the culprit is actually the Google spider, which attempts to access these files, but because they are restricted by .NET, an error is generated. The best solution so far seems to be the use of robots.txt to exclude spiders from accessing these files.

Wow, I've not posted in absolutely ages, which just shows how interesting my life is.

There's been zero fly fishing for months, and all the web development stuff has just been boring stuff for work.

However, BlogEngine.NET has been recently updated to a new version, and now supports Widgets, whatever those are. What caught my attention was a Twitter widget. Now, I've heard about Twitter before, but never really bothered with it because it seemed pretty pointless. The basic gist of it is that it's a service that allows you to tell people what you're doing at that exact moment:

Twitter is a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?
 

Why someone would want to know what I'm doing at that particular point in time is beyond me, unless they're intent on stalking me or something. So yeah, I think I might download the latest BlogEngine.NET and give this Twitter malarky a go. I'm sure complete stranger will appreciate being able to follow my every move, especially when they only come here for the TV links post.

There seems to be some kind of trend recently for online applications and even websites to label themselves as being in 'beta'. I'm pretty sure this can be attributed to Google, whose Gmail has been in beta since it was publicly launched in 2004!

Why something would be in beta this long is beyond me, but it almost seems as if it's to provide some kind of getout clause for companies. If the server crashes and people lose all their data/emails, the company can just say "We told you to use it at your own risk, it was in beta afterall". Does this mean that companies can just rely on 'beta' status to get them out of trouble? If so, is this acceptable? You wouldn't buy a car which was still in testing, would you.

What do you think? Are these completely open, very long term beta tests the way forward, or do you feel uneasy using such an application?

Don't even get me started on websites that include one of those 'Web 2.0' style stars declaring it's in beta. How can a website be in beta?!

---------------

The content of this post may change in the future. It is in beta, after all.