Search Results

Search found 17646 results on 706 pages for 'security warning'.

Page 109/706 | < Previous Page | 105 106 107 108 109 110 111 112 113 114 115 116  | Next Page >

  • Security Token/Cross Domain Cookie in Classic ASP?

    - by jlrolin
    I have an interesting conundrum. We have a site that is a completely separate domain, we'll say http://www.x.com and our own site that is http://www.y.com. The y.com site is actually a classic ASP site, and we aren't converting it to .NET at this time. The problem is that there is a link on x.com that redirects to y.com from a members area. We want to "authenticate" the user to make sure they are a member from the other site. If they are, they are directed to a members area on y.com. If not, they have to provide login information on y.com. Cookies obviously don't work due to the cross domain security, but is there a way around this? I've also looked at a service for tokens, but I'm not sure exactly how that works in Classic ASP. Any ideas or suggestions?

    Read the article

  • About SQL Server security

    - by Felipe Fiali
    I have an ASP.NET application which runs under the Classic .NET AppPool in IIS. I have a report to render from my website. The problem is SQL Server keeps telling me that it failed to create a connection to the datasource, because login failed for user IUSR. After adding that user directly to the databse I could get the report to work, but I'm concerned about security. By doing that, am I opening my specified databases to all websites hosted on IIS? Or is that account identity-specific?

    Read the article

  • Is web.config more secure than a class?

    - by o-logn
    I was reading a tutorial on ASP.NET and third party API's and it mentioned that the API KEY and SECRET KEY should be stored in the web.config file, for security on production servers, instead of in the classes that use them. However, I'm not quite sure what's more secure about a web.config file than a class? I understand the convenience of storing it in a config file, but I don't see the security benefit?

    Read the article

  • Using a password to generate two distinct hashes without reducing password security

    - by Nevins
    Hi there, I'm in the process of designing a web application that will require the storage of GPG keys in an encrypted format in a database. I'm planning on storing the user's password in a bCrypt hash in the database. What I would like to be able to do is to use that bCrypt to authenticate the user then use the combination of the stored bCrypt hash and another hash of the password to encrypt and decrypt the GPG keys. My question is whether I can do this without reducing the security of the password? I was thinking I may be able to use something like an HMAC-SHA256 of a static string using the password and a salt as the secret key. Is there a better way to do this that I haven't thought of? Thanks

    Read the article

  • Security sandbox violation when connecting to Socket from flex

    - by KensoDev
    Hi, I am using a Socket (not xmlSocket) connection between flex applications and the server pushing messages. Now, when I connect from the local machine to the server everything is working file and running, connection is succesful and I get data back and forth. When I upload the application (flex) to the server and run it from there, I get a security sandBox violation message. Note: 1. I do have a crossdomain file with * wildcard both on port and on domain. 2. I created a Securiy.allowDomain("*") as well. Another thing. I also created another listener on that same server, listening to connections for port 843 (default) and this service just waited for a connection send policy file to the client and that's it. That did not solve the problem as well... That's next? What should I do to fix the problem? Appreciate your help. Avi

    Read the article

  • Java Security filter together with thickbox pop-ups

    - by user197127
    Hi, I have a java application that uses a security filter to protect certain resources. If there is no user logged on, it will keep in session the request path and redirect to a logon page. After a successful logon, user is redirected to the original requested page. I have now added some thickbox (ajax bases pop-up) popups to the application. Unfortunately, when I get now a popup that is "secure" the filter redirects to a logon page (which is not a popup) and makes the whole application messy. Anyone with ideas on how to solve this? Thanks

    Read the article

  • php: security question

    - by Syom
    in my cms i have index.php, where client must enter username and password. if they are correct, he'll moove to admin.php, where the cms is. but now hacker can enter to cms/admin.php, so my security now is awful. i know, that i can use $_SESSION variable. index.php - i can give some value to $_SESSION['error']: $_SESSION['error'] = TRUE, and in admin.php just verify it admin.php if($_SESSION['error'] == TRUE) { my script here... } else header("Location: index.php"); but i want to rich this effect without SESSION. could you give me an idea, how can i do it? thanks

    Read the article

  • ASP .Net User Roles - ordering for a drop down.

    - by ilivewithian
    We are using the standard aspnet security features, we have need to set the order of the roles, purely for display purposes. We could just have a sequence number onto the end of the aspnet_roles table, but that feels kinds of hacky to me. Also if in future versions of asp the security get changed we will be in trouble. Is there a better way to do this that won't make me loose sleep each time a new version is pushed out?

    Read the article

  • php error message "Notice: Undefined index: aid"

    - by iaagty
    I'm looking for a complete list of security guidelines for programming and deploying PHP web sites and applications on an Apache (Linux) server. Basically, a "security check list" to run through before finishing a project. I.e., Cross Site Scripting Cross Site Request Forgery Sanitize form data that goes into database Disable register globals and error reporting in custom php.ini Upload files below web root ...(the list goes on) I did some searching on the internet and in this forum, but couldn't find a comprehensive, succinct, and complete list of guidelines. Thanks in advance.

    Read the article

  • WSAT Security tab error for Custom Role provider

    - by shesb
    I have created custome Membership Role and Profile provider using INGRES db. Now I can see my IngresMembership and IngresRole provider in the Provider tab(Select a different provider for each feature (advanced) ) of WSAT but when I clik on security tab I get this error: "There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store. The following message may help in diagnosing the problem: Object reference not set to an instance of an object." What am I missing? Do I need to add code for all override methods for Role provider? I have just written code for the Initialize and GetRolesForUser functions. Thanks

    Read the article

  • Security when writing a PHP webservice?

    - by chustar
    I am writing a web service in PHP for the first time and had ran into some security problems. 1) I am planning to hash passwords using md5() before I write them to the database (or to authenticate the user) but I realize that to do that, I would have to transmit the password in plaintext to the server and hash it there. Because of this I thought of md5()ing it with javascript client side and then rehashing on the server but then if javascript is disabled, then the user can't login, right? 2) I have heard that anything that when the action is readonly, you should use GET but if it modifies the database, you should use POST. Isn't post just as transparent as GET, just not in the address bar?

    Read the article

  • Are SqlCipher open cursors a security concern?

    - by user1178479
    I'm using SqlCipher with content providers. Right now, when I want to lock the app I just clear out the cached password. However, the app can continue to work with any open cursors. This means that re-opening the app grants access to the sensitive data. I fix this issue on the surface by redirecting to a login screen if the app doesn't have passwords. However, I'm concerned if there are any security issues with these open cursors or if I should just continue to block UI access and not worry? SqlCipher's docs say that it reads/writes encrypted pages on the fly, as opposed to decrypting the entire DB, this makes me think that open cursors are still secure. The main concern here is that someone loses their phone and then a knowledgeable individual can use these open cursors to extract sensitive data.

    Read the article

  • Security in HTTP Adapters

    - by Debopam
    I just started using IBM Worklight 5.0. I have been going through the HTTP Adapters recently and have successfully been able to Run as "Invoke Worklight Procedure". But I am stuck with the Adapter execution in the App. To my knowledge I think this is some kind of security issue where the client request to Worklight Server is unauthorized (401). Can any tell me or refer to some blog/website where there are steps to overcome this problem? I already got some of the websites but at this moment I am really confused on how to use them.

    Read the article

  • Crackers - How do they do it, how do we fight back?

    - by zedo
    As someone who is interested in learning more about the security side of technology, I ask you all the following questions: How is it that crackers crack software? What techniques are used to do so? I would imagine that the cracking methods depend upon the language the software is written in, right? Aside from using something like cloud-based security for SaaS ((software as a service) which isn't always an option), what choices does one have to prevent their software from being compromised?

    Read the article

  • DRY vs Security and Maintainability with MVC and View Models

    - by Mystere Man
    I like to strive for DRY, and obviously it's not always possible. However, I have to scratch my head over a concept that seems pretty common in MVC, that of the "View Model". The View Model is designed to only pass the minimum amount of information to the view, for both security, maintainability, and testing concerns. I get that. It makes sense. However, from a DRY perspective, a View Model is simply duplicating data you already have. The View Model may be temporary, and used only as a DTO, but you're basically maintaing two different versions of the same model which seems to violate the DRY principal. Do View Models violate DRY? Are they a necessary evil? Do they do more good than bad?

    Read the article

  • Installing Security Certifcates for all users on a Windows XP machine

    - by scott-thornton
    Hi, I am required to install two security certifcates on user's PC's to allow them to connect to a certain Australian Government website to perform searchs. I can perform this manually (via Certifcate Import Wizard) when the user has logged into the machine, however when a different user logs in, the certifcates need to be re-installed for that user as well. Q1. Can certifcates ( the file extension is .p12) be installed in such a way that any user using the PC can use the certifcates? Q2. Can the installation of the certifcates be automated ( via SMS? ) to install both certifcates and enter the requried password? Thanks,

    Read the article

  • Preventing a security breach

    - by Wiz
    I am creating a website where you "post", and the form content is saved in a MySql database, and upon loading the page, is retrieved, similar to facebook. I construct all the posts and insert raw html into a template. The thing is, as I was testing, I noticed that I could write javascript or other HTML into the form and submit it, and upon reloading, the html or JS would treated as source code, not a post. I figured that some simple encoding would do the trick, but using is not working. Is there an efficient way to prevent this type of security hole?

    Read the article

  • Entity Framework Security

    - by NYSystemsAnalyst
    In my organization, we are just beginning to use the Entity Framework for some applications. In the past, we have pushed developers to utilize stored procedures for all database access. In addition to helping with SQL injection, we tried to grant logins access to stored procedures only to keep security relatively tight. Although inserting, updating, and deleting are easily done through stored procedures in the EF, it appears to be difficult to use stored procedures to query data with EF. However, using LINQ or Entity SQL and allowing EF to create the queries means giving a user read access to the entire database. How have others handled this dilemma?

    Read the article

  • Session attacks, what are the new breeds of attacks ?

    - by user352321
    Hello, I am collecting as information as possible about http(s) session attacks. There is a plenty of information about existing attacks, but, i would like to know if some new breeds of attacks are now made possible either by security flaws in popular software or technologies or by new smarter security engineering. Do you have some recommendations about new techniques or tools ? Thanks,

    Read the article

  • Resetting "HDD Warning???" with Zalman ZM-VE400 external case

    - by 0xC0000022L
    Whenever I turn on (or plug in) the Zalman ZM-VE400 I have, it shows HDD Warning???. Sometimes briefly, sometimes until the Menu button is pressed. The case contains a SSD drive and as far as I understand the warning relates to the S.M.A.R.T. status of which this drive doesn't support all parts. How can I reset the warning so I don't receive it every time when turning on the drive? Firmware reports: V400_01_040_N Here's what I have tried so far: Unplug and plug back in Open the case and remove the SSD, then put it back in Press the button on the back side (cover removed) while plugged in Press the button on the back side (cover removed) while not plugged in USB Connect = Refresh = Enter USB Connect = Safe Removal = Enter Advanced = Umount VHDD = Enter

    Read the article

  • How Ubuntu cloud version enforces the "no root login" over ssh ?

    - by Maxim Veksler
    Hello, I'm looking to tweak ubuntu cloud version default setup where is denies root login. Attempting to connect to such machine yields: maxim@maxim-desktop:~/workspace/integration/deployengine$ ssh [email protected] The authenticity of host 'ec2-204-236-252-95.compute-1.amazonaws.com (204.236.252.95)' can't be established. RSA key fingerprint is 3f:96:f4:b3:b9:4b:4f:21:5f:00:38:2a:bb:41:19:1a. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'ec2-204-236-252-95.compute-1.amazonaws.com' (RSA) to the list of known hosts. Please login as the ubuntu user rather than root user. Connection to ec2-204-236-252-95.compute-1.amazonaws.com closed. I would like to know where this is setup and how I can change the printed message? Thank you, Maxim.

    Read the article

  • Why does mod_security require an ACCEPT HTTP header field?

    - by ripper234
    After some debugging, I found that the core ruleset of mod_security blocks requests that don't have the (optional!) ACCEPT header field. This is what I find in the logs: ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "example.com"] [uri "/"] [unique_id "T4F5@H8AAQEAAFU6aPEAAAAL"] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "example.com"] [uri "/"] [unique_id "T4F5@H8AAQEAAFU6aPEAAAAL"] Why is this header required? I understand that "most" clients send these, but why is their absence considered a security threat?

    Read the article

  • Finding proof of server being compromised by Black Hole Toolkit exploit

    - by cosmicsafari
    I recently took over maintenance of a company server. (Just Host, C Panel, Linux server), theres a tonne of websites on it which i know nothing about. It had came to my attention that a client had attempted to access one of the websites hosted on this server and was met with a warning from windows defender. It had blocked access because it said the website had been compromised by the Black Hole Toolkit or something to that effect. Anyway I went in and updated various plugins and deleted some old suspect websites. I have since ran the website in question through a few online malware scanners and its comes up clean everytime. However im not convinced. Do any of you guys know extensive ways i can check that the server isn't still compromised. I have no way to install any malware scanners or anti virus programs on the server as it is horribly locked down by Just Host.

    Read the article

  • Identifying program attempting to install certificate on windows

    - by R..
    I'm trying to help a friend using Windows (which I'm not an expert on by any means) who's experiencing malware-like behavior: a dialog box is repeatedly popping up reading: You are about to install a certificate from a certification authority (CA) claiming to represent: CE_UmbrellaCert Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "yes" you acknowledge this risk. AV and anti-malware scanners don't detect anything. My friend hasn't accepted installing the certificate, but whatever program is trying to install it keeps retrying, making the system unusable (constant interruptions). Is there any way to track down which program is making the attempt to install it so this program can be uninstalled/deleted?

    Read the article

< Previous Page | 105 106 107 108 109 110 111 112 113 114 115 116  | Next Page >