Monday, 30 January 2012

Microsoft Security Bulletin MS11-100 and MaxHttpCollectionKeys

On 29th December 2011, Microsoft released a patch to fix vulnerabilities in the .NET Framework - update MS11-100 http://support.microsoft.com/kb/2638420


One unfortunate side effect of this update is the limiting of the MaxHttpCollectionKeys value, which causes problems with HTTP submissions with lots of form elements. I believe it is now limited to 500, but I cannot find any details confirming this. 


To increase this limit for an application that needs to submit more than 500 elements, add the following key to the web.config file in your web site or web application:



<appSettings>
    <add key="aspnet:MaxHttpCollectionKeys" value="1000" />
</appSettings>

I hope this helps someone, as I had to implement this as a fix quite recently for a web application.

Monday, 23 January 2012

Connecting to SQL Azure with Dynamic IP Addresses

SQL Azure does a good job of security by locking down access with a firewall by default. As more and more companies trust their data to the cloud, cloud-based solutions will likely become an increasingly attractive target for people attempting to steal data.

SQL Azure currently offers a free three month trial, and I would recommend all Web Developers who develop database-driven solutions to try it. More details can be found at: http://www.windowsazure.com/en-us/pricing/free-trial/

Whilst I've said what a good job of security SQL Azure does, anyone trialing SQL Azure may run into problems with the security settings. When creating a new SQL Azure instance, the setup wizard asks you to specify firewall rules.



A firewall rule needs to be created that allows either a single IP address or an IP address range to access the SQL Azure database. If you have a web application hosted on a server, then you can create a firewall rule for the IP address of that server - bingo, your application can access the database. Likewise, if you have a static IP address at home and/or work, you can create rules for those IP addresses too, to access the database when debugging or using SQL Management Studio.

The problem is where you have dynamic IP addresses, and this is not necessarily limited to home internet connections - several business broadband providers use dynamic IP addresses too. 

If you need to access your SQL Azure instance from a connection that has a dynamic IP address for debugging or using SQL Management Studio, you will need to create a firewall rule for the entire IP address range your ISP uses. As you can appreciate, this instantly dilutes the security that comes with using SQL Azure.

If you do want to add the entire IP address range for your ISP, you will need to:

1. Go to http://whatsmyip.org to get your current IP address assigned by your ISP.
2. Look up the IP address range assigned to your ISP by using https://apps.db.ripe.net/search/query.html and entering the IP address from step 1.
3. Create a firewall rule using the start IP address and the end IP address from step 2.
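
The following Python is an added example, not part of the original post: it takes the `inetnum` line returned by the lookup in step 2, checks that the address from step 1 really falls inside it, and reports how many source addresses the resulting rule from step 3 would admit. The whois text is constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed whois reply. 198.18.0.0/15 is a reserved benchmarking block,
# standing in for an ISP's dynamic pool so that no real provider is referenced.
SAMPLE_WHOIS = """\
inetnum:        198.18.0.0 - 198.19.255.255
netname:        EXAMPLE-ISP-DYNAMIC
"""


def parse_inetnum(whois_text):
    """Return (start, end) from the 'inetnum:' line of a RIPE-style reply."""
    match = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", whois_text, re.MULTILINE)
    if match is None:
        raise ValueError("no inetnum line found")
    start, end = (ipaddress.IPv4Address(part) for part in match.groups())
    if start > end:
        raise ValueError("inetnum start is above its end")
    return start, end


def plan_firewall_rule(current_ip, whois_text):
    """Build the start/end pair for step 3 and report how much it opens up."""
    start, end = parse_inetnum(whois_text)
    ip = ipaddress.IPv4Address(current_ip)
    # Guard against pasting the range from a different lookup: the rule is
    # useless (and still an exposure) if today's address is not inside it.
    if not start <= ip <= end:
        raise ValueError(f"{ip} is not inside {start} - {end}")
    return {
        "start_ip": str(start),
        "end_ip": str(end),
        # A single-address rule admits 1 source; this is what the range admits.
        "addresses_allowed": int(end) - int(start) + 1,
        "cidr_blocks": [str(n) for n in ipaddress.summarize_address_range(start, end)],
    }


if __name__ == "__main__":
    print(plan_firewall_rule("198.18.37.5", SAMPLE_WHOIS))
```

Comparing `addresses_allowed` with the single address a static-IP rule permits puts a number on how far the range rule widens access to the database.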

I do hope the Azure team will implement other firewall options in the future, such as DNS or MAC address based access rules.