Monday, September 20, 2010

ASP.NET Vulnerability Allows Downloading of Server Files (and Decrypt Viewstate)

ANOTHER UPDATE: Sitecore released a fix last Friday on SDN.

UPDATE: A FAQ that details more about the workaround and the vulnerability was released on Sep 20.

Yes.  You read that right.  Essentially, by doing some queries on the server that has an ASP.NET-based Website/app, a hacker can eventually figure out how to download restricted files like web.config and even be able to determine the server’s cipher text and decrypt your site’s Viewstate or other encrypted data you may have. 
I’m posting this here because Sitecore is obviously ASP.NET-based. So, here’s the post from Scott Guthrie on the workaround and more information about the vulnerability. Spread it around and let’s make sure our community is safe and keep Sitecore’s integrity intact (even though this is not even about Sitecore). You know how that works : ).
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Sitecore for President (well for Government Sites)

Roundedcube will be featuring Sitecore at the National Association of Government Webmasters (NAGW) to be held in St. Louis, MO from Sept. 22 – 24. We’re definitely excited to be part of the show because I think we’ve definitely got something to show. One of the highlights will be our work for the City of Ogden, UT which was released last year (a Sitecore case study is also available if you want a copy).
One of our goals at the NAGW show is to feature how Sitecore’s capabilities match up with government sites’ needs and processes. This is not just from the technical point of view but also with its user-experience, deployment scenarios, maintenance, and multi-site/multi-language capabilities. I think these are some of the most important factors that government entities look for. So, let’s take a look at them one by one in summary form. This is by no means the complete list but I’m highlighting what government sites may be looking for.

Friday, September 10, 2010

Customize the Sitecore System Tray

The Sitecore Desktop is just like Windows: it’s customizable. Not a lot of people have utilized this because there’s not much out there on how to do so, except for typical user-specific settings such as wallpaper, desktop shortcuts, etc. Here is one thing you can do to the system tray.

WARNING: Make sure to be cautious when making these changes, as these updates change the Core database.

Wednesday, September 8, 2010

Dynamic Sitecore Desktop

I was playing around with Sitecore and I saw John West’s way of randomizing the desktop wallpaper. He uses a loggingin pipeline processor that essentially updates the Wallpaper property of the user. It’s pretty cool….so I got to thinking…let me try to make it more dynamic.

Thursday, September 2, 2010

Sitecore to Support MVC…What Do You Think?

When I first saw that Sitecore is going to support the MVC architecture in a future release, I wasn’t sure exactly what that means.  I have some experience with MVC.  I know about ASP.NET’s implementation and also the S#arp Architecture that improves upon Microsoft’s version.  To me, MVC architecture is great with applications.  It allows me to separate (decouple) the various layers and actually make coding them a lot easier and focused.  So I ask, is this a way for Sitecore to tell us to start building apps with the Sitecore framework as well? 

I would really like to know up to what level the MVC support will be. Will there be a technology preview? I would like to get my hands on an alpha release and see how it compares with the other architectures. I’d like to be able to play with it using ASP.NET MVC Web controls or other commercial libraries. Maybe Sitecore will just support it to allow those parts of a Website that require more complex logic, that may be easier to implement with MVC, that are more code-heavy to implement. I don’t see it being used on a Website which is what a CMS is for. But, I do see it being used for an Intranet or even Sitecore applications.

I’ve seen some forum posts and inquiries about MVC within Sitecore. I’m not sure exactly what they are doing so I can’t speak for them. However, if you’re reading this and have done it, comment back or post a link to your blog that talks about it. I think there are tons of people wondering about how one decides on using MVC or just the typical ASP.NET form-based approach.

If you have your own take on this….let us know.

Wednesday, September 1, 2010

Taking Advantage of Sitecore Dictionary and Tokens

The Sitecore Dictionary is one of the newer features that may have slipped under a developer’s radar. I’m sure there have been times when a page design element just doesn’t fit any of the data template fields that have been defined. Designers or content developers always surprise Sitecore developers with “minor” requirements that have been left out of the specs just because they’re so trivial. In the CMS world, nothing is trivial because of the fact that site owners want as much control over the site as possible (without going back to a developer – this has been the issue forever).