BitDiffer – Doing Assembly Differences

Two weeks ago, Paulo posted about “The Architecture Tool Space Keeps Growing“. In that post, Paulo talked about new tools and the continuous improvements in the existing ones.

Well, more recently I read this Scott Hanselman post. Here, Scott talks, among several other things, about tools for doing assembly differences, and among them there is a new one called BitDiffer.

In Scott’s tests, this tool crashed 🙁

Today, I took some time and installed BitDiffer version 1.3.0.11 so I could explore it a little.

BitDiffer 1.3.0.11

Here are my thoughts:

Advantages

  • Simple but yet complete UI
  • Fast – it took only 3-5 seconds to compare two versions.
  • Includes a Command Line version

Disadvantages

  • Exports only to HTML / XML format
  • Drag-And-Drop still not working
  • It’s not free

Final note

BitDiffer is very similar to Framework Design Studio in functionality, but when it comes to usability I think it’s more intuitive (even without Drag-And-Drop).

If Greg Ennis adds support for Drag-And-Drop and side-by-side comparison of code changes, then I will definitely consider buying it.

I’ve been Hacked – BlogEngine.NET v1.3 Security Hole

As some of you may have noticed, my blog was hacked on 27 April, and all posts were removed.

After spending a few hours recovering the lost content, I focused on trying to understand the attack vector.

It didn’t take too long until I found out how to hack my own blog.

It was a BlogEngine.NET v1.3.0.x security problem related to the js.axd handler (this handler’s purpose is to serve *.js files) that allows anyone to get any file from your domain, even critical ones like web.config or App_Data\users.xml.

You can read more about the code details in this Danny Douglass post.

I thought a lot before writing the following lines, but decided that people should know how easy it is to hack their sites (hackers already know it :-)).

The practical work of hacking a BlogEngine.NET v1.3.0.x blog is the following:

  1. Identify a blog running the vulnerable version (any 1.3.0.x) – this is easily done using this Google search.
  2. Use js.axd to get the specific BE.NET users.xml file (this file contains the list of users and their passwords in plain text ?!!! … it’s not a mistake … plain text) – the syntax is http://hackedblog/js.axd?path=App_Data/users.xml
  3. Log in to the hacked blog with the stolen credentials and then … the hacker usually deletes all posts and publishes one of their own :-(.

That’s it … Now that you know how to do it, I hope you don’t use this knowledge to cause harm and instead alert all your friends about this security hole.

A security patch has been available since 14 April and it works fine.
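As an added example (not BlogEngine.NET’s code and not the patch, written only from the defender’s side), here is the path check an asset handler like js.axd needs in order to refuse anything outside its script directory or without a .js extension, together with a small script that runs that same check over IIS-style log lines so you can find out whether your own blog’s js.axd was used to fetch files it should never have served. The script directory, the log format and the log lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Directory an asset handler may read from and the only extension it may serve.
# Both are assumptions for this example, not BlogEngine.NET's own settings.
JS_ROOT = "/site/scripts"
ALLOWED_EXT = ".js"

def is_safe_js_path(requested: str, root: str = JS_ROOT) -> bool:
    """True only if `requested` resolves inside `root` and names a .js file.
    Decode first, normalise separators, then collapse '..' without touching
    the filesystem, and compare against the root as a path prefix."""
    requested = unquote(requested).replace("\\", "/")
    if "\x00" in requested:          # NUL can truncate the name in some runtimes
        return False
    resolved = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    inside = resolved == root or resolved.startswith(root.rstrip("/") + "/")
    return inside and resolved.lower().endswith(ALLOWED_EXT)

# Constructed, simplified IIS-style log lines: date time method stem query status client-ip
LOG_LINES = """\
2008-04-27 10:14:58 GET /js.axd path=blog.js 200 203.0.113.5
2008-04-27 10:15:01 GET /js.axd path=App_Data/users.xml 200 203.0.113.5
2008-04-27 10:15:07 GET /js.axd path=..%2fweb.config 200 203.0.113.5
2008-04-27 10:16:30 GET /post/hello.aspx - 200 198.51.100.7""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<method>\S+) (?P<stem>\S+) "
                     r"(?P<query>\S+) (?P<status>\d{3}) (?P<ip>\S+)$")

def suspicious_js_requests(lines):
    """Return (timestamp, client ip, decoded path, status) for every js.axd
    request whose path parameter fails is_safe_js_path. A 200 status on such
    a line means the handler most likely served the file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["stem"].lower().endswith("/js.axd"):
            continue
        for p in parse_qs(m["query"], keep_blank_values=True).get("path", []):
            if not is_safe_js_path(p):
                hits.append((m["ts"], m["ip"], unquote(p), m["status"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_js_requests(LOG_LINES):
        print("possible file disclosure:", hit)
```

Run it against your real IIS logs after adapting LINE_RE to the W3C fields you actually log; any hit with status 200 means the users.xml credentials should be treated as stolen and rotated.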

By this time I have already recovered my posts and secured my blog, but I am still worried about it.

My thoughts were about “why didn’t I spend some time reviewing the BE code?”. If I had done that I could have found this security hole (it was really easy to find) or another one that could still be out there.

I have learned a few lessons from this episode:

  • keep backups updated
  • keep backups safe
  • and most of all, I really learned that free software is great, open source is even better, but I definitely must not trust the source blindly.

If we all keep these worries in mind and review the code, we will feel safer and we will all be contributing to improving the solution.