Search Results

Search found 15415 results on 617 pages for 'security groups'.

Page 104/617 | < Previous Page | 100 101 102 103 104 105 106 107 108 109 110 111  | Next Page >

  • Is web.config more secure than a class?

    - by o-logn
    I was reading a tutorial on ASP.NET and third party API's and it mentioned that the API KEY and SECRET KEY should be stored in the web.config file, for security on production servers, instead of in the classes that use them. However, I'm not quite sure what's more secure about a web.config file than a class? I understand the convenience of storing it in a config file, but I don't see the security benefit?

    Read the article

  • Using a password to generate two distinct hashes without reducing password security

    - by Nevins
    Hi there, I'm in the process of designing a web application that will require the storage of GPG keys in an encrypted format in a database. I'm planning on storing the user's password in a bCrypt hash in the database. What I would like to be able to do is to use that bCrypt to authenticate the user then use the combination of the stored bCrypt hash and another hash of the password to encrypt and decrypt the GPG keys. My question is whether I can do this without reducing the security of the password? I was thinking I may be able to use something like an HMAC-SHA256 of a static string using the password and a salt as the secret key. Is there a better way to do this that I haven't thought of? Thanks

    Read the article

  • Security sandbox violation when connecting to Socket from flex

    - by KensoDev
    Hi, I am using a Socket (not xmlSocket) connection between flex applications and the server pushing messages. Now, when I connect from the local machine to the server everything is working file and running, connection is succesful and I get data back and forth. When I upload the application (flex) to the server and run it from there, I get a security sandBox violation message. Note: 1. I do have a crossdomain file with * wildcard both on port and on domain. 2. I created a Securiy.allowDomain("*") as well. Another thing. I also created another listener on that same server, listening to connections for port 843 (default) and this service just waited for a connection send policy file to the client and that's it. That did not solve the problem as well... That's next? What should I do to fix the problem? Appreciate your help. Avi

    Read the article

  • Java Security filter together with thickbox pop-ups

    - by user197127
    Hi, I have a java application that uses a security filter to protect certain resources. If there is no user logged on, it will keep in session the request path and redirect to a logon page. After a successful logon, user is redirected to the original requested page. I have now added some thickbox (ajax bases pop-up) popups to the application. Unfortunately, when I get now a popup that is "secure" the filter redirects to a logon page (which is not a popup) and makes the whole application messy. Anyone with ideas on how to solve this? Thanks

    Read the article

  • php: security question

    - by Syom
    in my cms i have index.php, where client must enter username and password. if they are correct, he'll moove to admin.php, where the cms is. but now hacker can enter to cms/admin.php, so my security now is awful. i know, that i can use $_SESSION variable. index.php - i can give some value to $_SESSION['error']: $_SESSION['error'] = TRUE, and in admin.php just verify it admin.php if($_SESSION['error'] == TRUE) { my script here... } else header("Location: index.php"); but i want to rich this effect without SESSION. could you give me an idea, how can i do it? thanks

    Read the article

  • ASP .Net User Roles - ordering for a drop down.

    - by ilivewithian
    We are using the standard aspnet security features, we have need to set the order of the roles, purely for display purposes. We could just have a sequence number onto the end of the aspnet_roles table, but that feels kinds of hacky to me. Also if in future versions of asp the security get changed we will be in trouble. Is there a better way to do this that won't make me loose sleep each time a new version is pushed out?

    Read the article

  • php error message "Notice: Undefined index: aid"

    - by iaagty
    I'm looking for a complete list of security guidelines for programming and deploying PHP web sites and applications on an Apache (Linux) server. Basically, a "security check list" to run through before finishing a project. I.e., Cross Site Scripting Cross Site Request Forgery Sanitize form data that goes into database Disable register globals and error reporting in custom php.ini Upload files below web root ...(the list goes on) I did some searching on the internet and in this forum, but couldn't find a comprehensive, succinct, and complete list of guidelines. Thanks in advance.

    Read the article

  • WSAT Security tab error for Custom Role provider

    - by shesb
    I have created custome Membership Role and Profile provider using INGRES db. Now I can see my IngresMembership and IngresRole provider in the Provider tab(Select a different provider for each feature (advanced) ) of WSAT but when I clik on security tab I get this error: "There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store. The following message may help in diagnosing the problem: Object reference not set to an instance of an object." What am I missing? Do I need to add code for all override methods for Role provider? I have just written code for the Initialize and GetRolesForUser functions. Thanks

    Read the article

  • Security when writing a PHP webservice?

    - by chustar
    I am writing a web service in PHP for the first time and had ran into some security problems. 1) I am planning to hash passwords using md5() before I write them to the database (or to authenticate the user) but I realize that to do that, I would have to transmit the password in plaintext to the server and hash it there. Because of this I thought of md5()ing it with javascript client side and then rehashing on the server but then if javascript is disabled, then the user can't login, right? 2) I have heard that anything that when the action is readonly, you should use GET but if it modifies the database, you should use POST. Isn't post just as transparent as GET, just not in the address bar?

    Read the article

  • Are SqlCipher open cursors a security concern?

    - by user1178479
    I'm using SqlCipher with content providers. Right now, when I want to lock the app I just clear out the cached password. However, the app can continue to work with any open cursors. This means that re-opening the app grants access to the sensitive data. I fix this issue on the surface by redirecting to a login screen if the app doesn't have passwords. However, I'm concerned if there are any security issues with these open cursors or if I should just continue to block UI access and not worry? SqlCipher's docs say that it reads/writes encrypted pages on the fly, as opposed to decrypting the entire DB, this makes me think that open cursors are still secure. The main concern here is that someone loses their phone and then a knowledgeable individual can use these open cursors to extract sensitive data.

    Read the article

  • Security in HTTP Adapters

    - by Debopam
    I just started using IBM Worklight 5.0. I have been going through the HTTP Adapters recently and have successfully been able to Run as "Invoke Worklight Procedure". But I am stuck with the Adapter execution in the App. To my knowledge I think this is some kind of security issue where the client request to Worklight Server is unauthorized (401). Can any tell me or refer to some blog/website where there are steps to overcome this problem? I already got some of the websites but at this moment I am really confused on how to use them.

    Read the article

  • Crackers - How do they do it, how do we fight back?

    - by zedo
    As someone who is interested in learning more about the security side of technology, I ask you all the following questions: How is it that crackers crack software? What techniques are used to do so? I would imagine that the cracking methods depend upon the language the software is written in, right? Aside from using something like cloud-based security for SaaS ((software as a service) which isn't always an option), what choices does one have to prevent their software from being compromised?

    Read the article

  • ssl security information on internet explorer 6

    - by user309984
    Hi all, I dont want that my webpage show security information about this page contains both secure and nonsecure... this only happen in ie6, i am testing with the program ietester. I know that the problem is in file mootools-1.11-uncompressed.js in this line if(!$("ie_ready")){var C=(window.location.protocol=="https:")?"://0":"javascript:void(0);";document.write('<\/script');$("ie_ready").onreadystatechange=function(){if(this.readyState=="complete"){A();}};}}else{window.addListener("load",A);document.addListener("DOMContentLoaded",A); i already try change the ://0 by https://0 and javascript: and javascript:false and # but the problem continues, when i remove this line from the mootools file the warning doesnt show but the code that i have to show some calendar doesnt work also, because i have something like /* and this doesnt work if i remove that line, can anyone help me??

    Read the article

  • DRY vs Security and Maintainability with MVC and View Models

    - by Mystere Man
    I like to strive for DRY, and obviously it's not always possible. However, I have to scratch my head over a concept that seems pretty common in MVC, that of the "View Model". The View Model is designed to only pass the minimum amount of information to the view, for both security, maintainability, and testing concerns. I get that. It makes sense. However, from a DRY perspective, a View Model is simply duplicating data you already have. The View Model may be temporary, and used only as a DTO, but you're basically maintaing two different versions of the same model which seems to violate the DRY principal. Do View Models violate DRY? Are they a necessary evil? Do they do more good than bad?

    Read the article

  • Installing Security Certifcates for all users on a Windows XP machine

    - by scott-thornton
    Hi, I am required to install two security certifcates on user's PC's to allow them to connect to a certain Australian Government website to perform searchs. I can perform this manually (via Certifcate Import Wizard) when the user has logged into the machine, however when a different user logs in, the certifcates need to be re-installed for that user as well. Q1. Can certifcates ( the file extension is .p12) be installed in such a way that any user using the PC can use the certifcates? Q2. Can the installation of the certifcates be automated ( via SMS? ) to install both certifcates and enter the requried password? Thanks,

    Read the article

  • Preventing a security breach

    - by Wiz
    I am creating a website where you "post", and the form content is saved in a MySql database, and upon loading the page, is retrieved, similar to facebook. I construct all the posts and insert raw html into a template. The thing is, as I was testing, I noticed that I could write javascript or other HTML into the form and submit it, and upon reloading, the html or JS would treated as source code, not a post. I figured that some simple encoding would do the trick, but using is not working. Is there an efficient way to prevent this type of security hole?

    Read the article

  • Entity Framework Security

    - by NYSystemsAnalyst
    In my organization, we are just beginning to use the Entity Framework for some applications. In the past, we have pushed developers to utilize stored procedures for all database access. In addition to helping with SQL injection, we tried to grant logins access to stored procedures only to keep security relatively tight. Although inserting, updating, and deleting are easily done through stored procedures in the EF, it appears to be difficult to use stored procedures to query data with EF. However, using LINQ or Entity SQL and allowing EF to create the queries means giving a user read access to the entire database. How have others handled this dilemma?

    Read the article

  • Session attacks, what are the new breeds of attacks ?

    - by user352321
    Hello, I am collecting as information as possible about http(s) session attacks. There is a plenty of information about existing attacks, but, i would like to know if some new breeds of attacks are now made possible either by security flaws in popular software or technologies or by new smarter security engineering. Do you have some recommendations about new techniques or tools ? Thanks,

    Read the article

  • Do email forms need to be santized before sending?

    - by levi
    I have a client that keeps getting reports from godaddy's "websiteprotection.com" stating how the website is insecure. Your website contains pages that do not properly sanitize visitor-provided input to make sure it contains no malicious content or scripts. Cross-site scripting vulnerabilities let malicious users execute arbitrary HTML or script code in another visitor's browser. Output: The request string used to detect this flaw was : /cross_site_scripting.?nasl.asp The output was : HTTP/1.1 404 Not Found\r Date: Wed, 21 Mar 2012 08:12:02 GMT\r Server: Apache\r X-Pingback:http://?CLIENTSWEBSITE.com/?xmlrpc.php\r Expires: Wed, 11 Jan 1984 05:00:00 GMT\r Cache-Control: no-cache, must-revalidate, max-age=0\r Pragma: no-cache\r Set-Cookie: PHPSESSID=?1jsnhuflvd59nb4trtquston50; path=/\r Last-Modified: Wed, 21 Mar 2012 08:12:02 GMT\r Keep-Alive: timeout=15, max=100\r Connection: Keep-Alive\r Transfer-Encoding: chunked\r Content-Type: text/html; charset=UTF-8\r \r <div id="contact-form" class="widget"><form action="http://?CLIENTSWEBSITE.c om/<script>cross_site_?scripting.nasl</script>.asp" id="contactForm" meth od="post"> It looks like it has an issue with the contact form. All the contact form does is posts an ajax request to the same page, and than a PHP script mails the data (no database stuff). Is there any a security issues here? Any ideas on how I can satisfy the security scanner? Here is the form and script: <form action="<?php echo $this->getCurrentUrl(); ?>" id="contactForm" method="post"> <input type="text" name="Name" id="Name" value="" class="txt requiredField name" /> //Some more text inputs <input type="hidden" name="sendadd" id="sendadd" value="<?php echo $emailadd ; ?>" /> <input type="hidden" name="submitted" id="submitted" value="true" /><input class="submit" type="submit" value="Send" /> </form> // Some initial JS validation, if that passes an ajax post is made to the script below //If the form is submitted if(isset($_POST['submitted'])) { //Check captcha if (isset($_POST["captchaPrefix"])) { $capt = new ReallySimpleCaptcha(); $correct = $capt->check( $_POST["captchaPrefix"], $_POST["Captcha"] ); if( ! $correct ) { echo false; die(); } else { $capt->remove( $_POST["captchaPrefix"] ); } } $dateon = $_POST["dateon"]; $ToEmail = $_POST["sendadd"]; $EmailSubject = 'Contact Form Submission from ' . get_bloginfo('title'); $mailheader = "From: ".$_POST["Email"]."\r\n"; $mailheader .= "Reply-To: ".$_POST["Email"]."\r\n"; $mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n"; $MESSAGE_BODY = "Name: ".$_POST["Name"]."<br>"; $MESSAGE_BODY .= "Email Address: ".$_POST["Email"]."<br>"; $MESSAGE_BODY .= "Phone: ".$_POST["Phone"]."<br>"; if ($dateon == "on") {$MESSAGE_BODY .= "Date: ".$_POST["Date"]."<br>";} $MESSAGE_BODY .= "Message: ".$_POST["Comments"]."<br>"; mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die ("Failure"); echo true; die(); }

    Read the article

  • WCF Authentication on the Internet - HELP

    - by Eddie
    I have a WCF service using the basicHTTP binding. The service will be targeted to be deployed in production in a DMZ environment on a Windows Server 2008 64 bit running IIS 7.0 and is not in an Active Directory domain. The service will be accessed by a business partner over the Internet with SSL protection. Originally, I had built the service to use x.509 Message authentication with wsHTTPBinding and after a lot of problems I punted and decided to back up and use basicHTTP with UserName authentication. Result: same exact, obscure error message as I received with certificate mode. The service works perfectly inside our domain with the exact same authentication but as soon as I move it to the DMZ I get an error reading: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail". The inner exception message is: "An error occurred when verifying security for the message." The services' web config with binding configuration is as follows: <services> <service behaviorConfiguration="HSSanoviaFacade.Service1Behavior" name="HSSanoviaFacade.HSSanoviaFacade"> <endpoint address="" binding="basicHttpBinding" contract="HSSanoviaFacade.IHSSanoviaFacade" bindingConfiguration="basicHttp"> <identity> <dns value="localhost" /> </identity> </endpoint> <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" /> <host> <baseAddresses> <add baseAddress="https://FULLY QUALIFIED HOST NAME CHANGED TO PROTECT/> </baseAddresses> </host> </service> </services> <bindings> <basicHttpBinding> <binding name="basicHttp"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" /> </security> </binding> </basicHttpBinding> </bindings> <behaviors> <serviceBehaviors> <behavior name="HSSanoviaFacade.Service1Behavior"> <serviceMetadata httpsGetEnabled="True" /> <serviceDebug includeExceptionDetailInFaults="True" /> </behavior> </serviceBehaviors> </behaviors> The test client's configuration that gets the error: <bindings> <basicHttpBinding> <binding name="BasicHttpBinding_IHSSanoviaFacade" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="TransportWithMessageCredential"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="https://HOST NAME CHANGED TO PROTECT" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IHSSanoviaFacade" contract="MembersService.IHSSanoviaFacade" name="BasicHttpBinding_IHSSanoviaFacade" /> </client> As mentioned earlier, the service works perfectly on the domain and the production IIS box is not on a domain. I have been tweaking and pulling my hair out for 2 weeks now and nothing seems to work. If anyone can help I would appreciate it. Even a recommendation for a work around for authentication. I'd rather not use a custom authentication scheme but use built-in SOAP capabilities. The credentials pass in thru the proxy i.e. proxy.ClientCredentials.UserName.UserName and proxy.ClientCredentials.UserName.Password are valid accounts on both the internal domain in the test environment and as a machine account on the DMZ IIS box.

    Read the article

  • How should I set up protection for the database against sql injection when all the php scripts are flawed?

    - by Tchalvak
    I've inherited a php web app that is very insecure, with a history of sql injection. I can't fix the scripts immediately, I rather need them to be running to have the website running, and there are too many php scripts to deal with from the php end first. I do, however, have full control over the server and the software on the server, including full control over the mysql database and it's users. Let's estimate it at something like 300 scripts overall, 40 semi-private scripts, and 20 private/secure scripts. So my question is how best to go about securing the data, with the implicit assumption that sql injection from the php side (e.g. somewhere in that list of 300 scripts) is inevitable? My first-draft plan is to create multiple tiers of different permissioned users in the mysql database. In this way I can secure the data & scripts in most need of securing first ("private/secure" category), then the second tier of database tables & scripts ("semi-private"), and finally deal with the security of the rest of the php app overall (with the result of finally securing the database tables that essentially deal with "public" information, e.g. stuff that even just viewing the homepage requires). So, 3 database users (public, semi-private, and secure), with a different user connecting for each of three different groups of scripts (the secure scripts, the semi-private scripts, and the public scripts). In this way, I can prevent all access to "secure" from "public" or from "semi-private", and to "semi-private" from "public". Are there other alternatives that I should look into? If a tiered access system is the way to go, what approaches are best?

    Read the article

  • File permissions on web server

    - by plua
    I have just read this useful article on files permissions, and I am about to implement a as-strict-as-possible file permissions policy on our webserver. Our situation: we have a web server accessed through sftp by different users from within our company, and we have the general public accessing Apache - sometimes uploading files through PHP. I distinguish folders and files by their use. So based on this reading, here is my plan: All people who need to upload files will have separate users. But all of those users will belong to two groups: uploaders, and webserver. Apache will belong to the group webserver. Directories Permission: 771 Owner: user:uploaders Explanation: to access files in the folder, everybody needs to have execute permission. Only uploaders will be adding/removing files, so they also get r+w permission. Files within the web-root Permission: 664 Owner: user:uploaders Explanation: they will be uploaded and changed by different users, so both owner and group need to have w+r permissions. Webserver needs to only read files, so r permission only. Upload-directories Permission: 771 Owner: user:webserver Explanation: when files need to be uploaded, Apache needs to be able to write to this directory. But I figure it is safer to change the owner to webroot, thus giving Apache sufficient privileges (and all uploaders also belong to this group and will have the same permissions), while safeguarding from "others" writing to this folder. Uploaded files Permission: 664 Owner: user:webserver Explanation: after uploading Apache might need to delete files, but this is no problem because they have w+r permission of the folder. So no need to make this file any more accessible than r access for group. Being not an expert on file permissions, my question is whether or not this is the best possible policy for our situation? Any suggestions welcome.

    Read the article

  • WCF net.tcp bindings, message formats and security questions

    - by RemotecUk
    Hi, sorry for the stupid questions but there are just some things about WCF I cant get my head around. Would be greatful for some advice on the following.... At a very basic level is it correct that WCF uses either Binary (Net.Tcp), HTTP or MSMQ to transfer my message on the wire? However is it true that in all cases, regardless of how the data is transferred the message itself in in the SOAP format with headers and a body? So its a sort of XML message that is transmitted in either HTTP/S or in a binary format. Is Net.Tcp a good choice for my client server app - its similar to a messenger app in that the clients are all remote users on the other side of the firewall to my server. Most things I am reading are telling to use WS* and HTTP. Is Net.Tcp secured by standard and without certificates? - that is - people cannot listen on the wire and decode the data thats going to and from. Is it possible to send a username and password using net.tcp and without an installed certificate? If so I presume I can hook this up to my membership provider and authenticate access to each method on my service contract implementation. I presume that with username and password security, the proxy is initialised with the username and password and that this information is is sent with every request. Then my membership provider will be invoked for each method call and do whatever it needs to do to get the authorisation for the method. Sorry for the dump of questions but would be great to know if Im thinking the right way about how WCF works. Thanks.

    Read the article

  • SQL Exception: "Impersonate Session Security Context" cannot be called in this batch because a simul

    - by kasey
    When opening a connection to SQL Server 2005 from our web app, we occasionally see this error: "Impersonate Session Security Context" cannot be called in this batch because a simultaneous batch has called it. We use MARS and connection pooling. The exception originates from the following piece of code: protected SqlConnection Open() { SqlConnection connection = new SqlConnection(); connection.ConnectionString = m_ConnectionString; if (connection != null) { try { connection.Open(); if (m_ExecuteAsUserName != null) { string sql = Format("EXECUTE AS LOGIN = {0};", m_ExecuteAsUserName); ExecuteCommand(connection, sql); } } catch (Exception exception) { connection.Close(); connection = null; } } return connection; } I found an MS Connect article which suggests that the error is caused when a previous command has not yet terminated before the EXECUTE AS LOGIN command is sent. Yet how can this be if the connection has only just been opened? Could this be something to do with connection pooling interacting strangely with MARS? UPDATE: For the short-term we have implemented a workaround by clearing out the connection pool whenever this happens, to get rid of the bad connection, as it otherwise keeps getting handed back to various users. (Not too bad as this only happens a couple of times a day.) But if anyone has any further ideas, we are still looking out for a real solution...

    Read the article

  • SECURITY Flaws in this design for User authentication.

    - by Shao
    SECURITY Flaws in this design for User authentication. From: http://wiki.pylonshq.com/display/pylonscookbook/Simple+Homegrown+Authentication Note: a. Project follows the MVC pattern. b. Only a user with a valid username and password is allowed submit something. Design: a. Have a base controller from which all controllers are derived from. b. Before any of the actions in the derived controllers are called the system calls a before action in the base controller. c. In each controller user hardcodes the actions that need to be verified in an array. d. The before action first looks in the array that has the actions that are protected and sees if a user is logged in or not by peaking into the session. If a user is present then user is allowed to submit otherwise user is redirected to login page. What do you think?

    Read the article

< Previous Page | 100 101 102 103 104 105 106 107 108 109 110 111  | Next Page >