Search Results

Search found 14771 results on 591 pages for 'security policy'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 199/591 | < Previous Page | 195 196 197 198 199 200 201 202 203 204 205 206  | Next Page >

  • Block upload of executable images (PHP)

    - by James Simpson
    It has come to my attention that a user has been trying to create an exploit through avatar image uploads. This was discovered when a user reported to me that they were getting a notice from their Norton Anti-virus saying "HTTP Suspicious Executable Image Download." This warning was referencing the user's avatar image. I don't think they had actually achieved anything in the way of stealing information or anything like that, but I assume it could be possible if the hole is left open long enough. I use PHP to upload the image files, and I check if the file being uploaded is a png, jpg, or gif.

    Read the article

  • Is Storing Cookies in a Database Safe?

    - by viatropos
    If I use mechanize, I can, for instance, create a new google analytics profile for a website. I do this by programmatically filling out the login form and storing the cookies in the database. Then, for at least until the cookie expires, I can access my analytics admin panel without having to enter my username and password again. Assuming you can't create a new analytics profile any other way (with OpenAuth or any of that, I don't think it works for actually creating a new Google Analytics profile, the Analytics API is for viewing the data, but I need to create an new analytics profile), is storing the cookie in the database a bad thing? If I do store the cookie in the database, it makes it super easy to programatically login to Google Analytics without the user ever having to go to the browser (maybe the app has functionality that says "user, you can schedule a hook that creates a new anaytics profile for each new domain you create, just enter your credentials once and we'll keep you logged in and safe"). Otherwise I have to keep transferring around emails and passwords which seems worse. So is storing cookies in the database safe?

    Read the article

  • How to Check Authenticity of an AJAX Request

    - by Alex Reisner
    I am designing a web site in which users solve puzzles as quickly as they can. JavaScript is used to time each puzzle, and the number of milliseconds is sent to the server via AJAX when the puzzle is completed. How can I ensure that the time received by the server was not forged by the user? I don't think a session-based authenticity token (the kind used for forms in Rails) is sufficient because I need to authenticate the source of a value, not just the legitimacy of the request. Is there a way to cryptographically sign the request? I can't think of anything that couldn't be duplicated by a hacker. Is any JavaScript, by its exposed, client-side nature, subject to tampering? Am I going to have to use something that gets compiled, like Flash? (Yikes.) Or is there some way to hide a secret key? Or something else I haven't thought of? Update: To clarify, I don't want to penalize people with slow network connections (and network speed should be considered inconsistent), so the timing needs to be 100% client-side (the timer starts only when we know the user can see the puzzle). Also, there is money involved so no amount of "trusting the user" is acceptable.

    Read the article

  • how can I reliably check that requests to my service file have come from my website?

    - by woot586
    I have a service.php class that I use to service AJAX calls from my website. To prevent other people accessing the service using PHP CURL I would normally check the request has come from mysite, and if they are not then just redirect to my home page e.g. if($_SERVER['HTTP_REFERER'] != "http://www.mysite.com"){ header('location: http://www.mysite.com'); exit; } I read in the PHP holy bible: http://www.php.net/manual/en/reserved.variables.server.php that "Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted." So if this method is not reliable, my question is how can I reliably check that requests to my service file have come from my website? Thanks for any help you can provide!

    Read the article

  • Email server; Is this method spam-safe?

    - by Camran
    I have a classifieds website, and on each classified there is a tip-form where users may tip a friend about the classified. The tip-forms' action is set to a php-page, which mails the email after sanitizing etc... I have to filter away spam etc so that my email-server don't get blacklisted or anything... I have my own server (VPS, Linux) and have thought about a solution... How does this sound to you: 1- Install a mail-server 2- Configure Firewall to ONLY allow connections to the mail-server from my website 3- Configure the mail-server so that a maximum of 'x' emails may be sent every 5 minutes or so 4- Create a php filter before sending the mail, which checks for 'bad' words. 5- If necessary, as last resort, ask the user a question (ex 5+5) before submitting form I would rather preferr if I didn't have to implement the 5th implementation above... What do you think? Also, another q I have that you may answer is: If an email-server gets blacklisted, is there any way to un-blacklist it? Or whats the solution if this happens? Thanks

    Read the article

  • Authentication Sceme for RESTful API used by desktop app.

    - by user346087
    I'm providing a RESTful API. This API is used by a third party desktop application. The API is currently secured using Basic Authentication. That isn't very secure because the credentials have to be stored in the client application. The communication between the desktop and API can also easily be intercepter. The desktop application also communicates with a third party server (run by the publisher of the desktop application) I am unable to figure out how the secure the API in a good way. Ideas?

    Read the article

  • Is there a way to test my nonce validation fails when it should?

    - by MrsLannister
    I'm using nonce validation in a wordpress plugin. When I submit the form from the admin menu it processes correctly, so I believe the nonce validation is working. What I'm not sure is if the validation will fail when it is supposed to and I don't know what the best way to test this is. I tried putting the url for the php file in directly, but all it does it take me to a wordpress not found page. Is there some recommended way to test this? Here is my code. Again, the test passes when it is supposed to, I just don't know if it fails when it is supposed to. if ( !wp_verify_nonce( $ecbs_post_data['_wpnonce'], 'ecbs-edit-templates' ) ) { wp_die( __( 'You do not have permission to update this page.' ) ); }

    Read the article

  • Why can't we just use a hash of passphrase as the encryption key (and IV) with symmetric encryption algorithms?

    - by TX_
    Inspired by my previous question, now I have a very interesting idea: Do you really ever need to use Rfc2898DeriveBytes or similar classes to "securely derive" the encryption key and initialization vector from the passphrase string, or will just a simple hash of that string work equally well as a key/IV, when encrypting the data with symmetric algorithm (e.g. AES, DES, etc.)? I see tons of AES encryption code snippets, where Rfc2898DeriveBytes class is used to derive the encryption key and initialization vector (IV) from the password string. It is assumed that one should use a random salt and a shitload of iterations to derive secure enough key/IV for the encryption. While deriving bytes from password string using this method is quite useful in some scenarios, I think that's not applicable when encrypting data with symmetric algorithms! Here is why: using salt makes sense when there is a possibility to build precalculated rainbow tables, and when attacker gets his hands on hash he looks up the original password as a result. But... with symmetric data encryption, I think this is not required, as the hash of password string, or the encryption key, is never stored anywhere. So, if we just get the SHA1 hash of password, and use it as the encryption key/IV, isn't that going to be equally secure? What is the purpose of using Rfc2898DeriveBytes class to generate key/IV from password string (which is a very very performance-intensive operation), when we could just use a SHA1 (or any other) hash of that password? Hash would result in random bit distribution in a key (as opposed to using string bytes directly). And attacker would have to brute-force the whole range of key (e.g. if key length is 256bit he would have to try 2^256 combinations) anyway. So either I'm wrong in a dangerous way, or all those samples of AES encryption (including many upvoted answers here at SO), etc. that use Rfc2898DeriveBytes method to generate encryption key and IV are just wrong.

    Read the article

  • Strongest cipher available to use with C/C++ ?

    - by George0x77
    I am just wondering if you are supposed to write a sort of really secure application with data being transmitted over insecure networks, what kind of encryption algorithm will you use it in order to make it safe ? I know several c++ libraries for encryption providing nice functions with different algorithms, but i'm not quite sure which cipher to use - AES, DES, RSA, Blowfish or maybe something more different ? Please provide your ideas and suggestions. Thank you.

    Read the article

  • How can I cut down on this spam, and what is the point of it anyway?

    - by Steven
    I run a small, niche personal ads site. People post ads and then other people reply to them, which sends an email to the original creator of the ad telling them that someone is interested and giving them contact information for that interested person. Lately there's been some weird spam. People are receiving nonsense replies to their ads. Here is an example of one: Name: xkauwvyr Reply: vRYmbI <a href="http://rypmoxdkfblf.com/">rypmoxdkfblf</a>, url=http://pnjlwvhizwbq.com/]pnjlwvhizwbq[/url], [link=http://hmenwoujxrfv.com/]hmenwoujxrfv[/link], http://ogsekuhoyeud.com/ They vary in length and composition but they all look roughly like that. The first idea I had was to simply throw out any reply that contained the string " Also, is this spam just some ass playing a trick on my website, or is it something more malicious?

    Read the article

  • Is it possible to password protect an SQL server database even from administrators of the server ?

    - by imanabidi
    I want to install an application (ASP.Net + SQL server 2005 express) in local network of some small company for demo but I also want nobody even sysadmin see anything direct from the database and any permission wants a secure pass . I need to spend more time on this article Database Encryption in SQL Server 2008 Enterprise Edition that i found from this answer is-it-possible-to-password-protect-an-sql-server-database but 1.I like to be sure and more clear on this because the other answer in this page says : Yes. you can protect it from everyone except the administrators of the server. 2.if this is possible, the db have to be enterprise edition ? 3.is there any other possible solutions and workaround for this? thanks in advance

    Read the article

  • Why not use HTTPS for everything?

    - by Malfist
    If I was setting up a server, and had the SSL certificate(s), why wouldn't I use HTTPS for the entire site instead of just for purchases/logins? I would think it would make more sense just to encrypt the entire site, and protect the user entirely. It would prevent problems such as deciding what has to be secured because everything would be, and it's not really an inconvenience to the user. If I was already using an HTTPS for part of the site, why wouldn't I want to use it for the entire site?

    Read the article

  • Best practice for secure socket connection.

    - by LnDCobra
    What is the best practice for a secure socket connection (without SSL). I will be moving sensitive data (logins/passwords/accounts) across TCP Socket connection, and wondering if there is a good/fast way of Encrypting/Decrypting and avoiding malicious injection.

    Read the article

  • Url rewriting : prevent to display xml

    - by Frank
    Edit : I've got an aspx file (default.aspx) that loads a flash file (index.swf), but this swf needs a xml file (foo.xml) to load correctly. However, I would like to block any request aiming directly at the xml file. Is it possible, using a rewritting engine (isapi_rewrite for example) to detect if the xml file is being 'hotlinked' or being loaded by the 'index.swf'(inside default.aspx)? Any ideas? Thank you.

    Read the article

  • Should I convert overly-long UTF-8 strings to their shortest normal form?

    - by Grant McLean
    I've just been reworking my Encoding::FixLatin Perl module to handle overly-long UTF-8 byte sequences and convert them to the shortest normal form. My question is quite simply "is this a bad idea"? A number of sources (including this RFC) suggest that any over-long UTF-8 should be treated as an error and rejected. They caution against "naive implementations" and leave me with the impression that these things are inherently unsafe. Since the whole purpose of my module is to clean up messy data files with mixed encodings and convert them to nice clean utf8, this seems like just one more thing I can clean up so the application layer doesn't have to deal with it. My code does not concern itself with any semantic meaning the resulting characters might have, it simply converts them into a normalised form. Am I missing something. Is there a hidden danger I haven't considered?

    Read the article

  • .NET MVC What is the best way to disable browser caching?

    - by Chameera Dedduwage
    As far as my research goes, there are several steps in order to make sure that browser caching is disabled. These HTTP headers must be set: Cache-Control: no-cache, no-store, must-revalidate, proxy-revalidate Pragma: no-cache, no-store Expires: -1 Last-Modified: -1 I have found out that this can be done in two ways: Way One: use the web.config file <add name="Cache-Control" value="no-store, no-cache, must-revalidate, proxy-revalidate"/> <add name="Pragma" value="no-cache, no-store" /> <add name="Expires" value="-1" /> <add name="Last-Modified" value="-1" /> Way Two: use the meta tags in _Layout.cshtml <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate, proxy-revalidate" /> <meta http-equiv="Pragma" content="no-cache, no-store" /> <meta http-equiv="Expires" content="-1" /> <meta http-equiv="Expires" content="-1" /> My Question: which is the better approach? Or, alternatively, are they equally acceptable? How do these all relate to different platforms? Which browsers would honor what headers? In addition, please feel free to add anything I've missed, if any.

    Read the article

  • Is this a secure way to structure a mysql_query in PHP

    - by Supernovah
    I have tried and tried to achieve an SQL injection by making custom queries to the server outside of firefox. Inside the php, all variables are passed into the query in a string like this. Note, by this stage, $_POST has not been touched. mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . ')); Is that a secure way to make a change?

    Read the article

  • Rewriting Live TCP/IP (Layer 4) Streams

    - by user213060
    I want to rewrite TCP/IP streams. Ettercap's etterfilter command lets you perform simple live replacements of TCP/IP data based on fixed strings or regexes. Example: if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "gzip")) { replace("gzip", " "); msg("whited out gzip\n"); } } if (ip.proto == TCP && tcp.dst == 80) { if (search(DATA.data, "deflate")) { replace("deflate", " "); msg("whited out deflate\n"); } } http://ettercap.sourceforge.net/forum/viewtopic.php?t=2833 I would like to rewrite streams based on my own filter program instead of just simple string replacements. Anyone have an idea of how to do this? Is there anything other than Ettercap that can do live replacement like this, maybe as a plugin to a VPN software or something? The rewriting should occur at the transport layer (Layer 4) as it does in this example, instead of a lower layer packet-based approach. Thanks!

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 195 196 197 198 199 200 201 202 203 204 205 206  | Next Page >