Search Results

Search found 15441 results on 618 pages for 'ssl security'.

Page 73/618 | < Previous Page | 69 70 71 72 73 74 75 76 77 78 79 80  | Next Page >

  • Security implications of writing files using PHP

    - by susmits
    I'm currently trying to create a CMS using PHP, purely in the interest of education. I want the administrators to be able to create content, which will be parsed and saved on the server storage in pure HTML form to avoid the overhead that executing PHP script would incur. Unfortunately, I could only think of a few ways of doing so: Setting write permission on every directory where the CMS should want to write a file. This sounds like quite a bad idea. Setting write permissions on a single cached directory. A PHP script could then include or fopen/fread/echo the content from a file in the cached directory at request-time. This could perhaps be carried out in a Mediawiki-esque fashion: something like index.php?page=xyz could read and echo content from cached/xyz.html at runtime. However, I'll need to ensure the sanity of $_GET['page'] to prevent nasty variations like index.php?page=http://www.bad-site.org/malicious-script.js. I'm personally not too thrilled by the second idea, but the first one sounds very insecure. Could someone please suggest a good way of getting this done?

    Read the article

  • Best Practices / Patterns for Enterprise Protection/Remediation of SSNs (Social Security Numbers)

    - by Erik Neu
    I am interested in hearing about enterprise solutions for SSN handling. (I looked pretty hard for any pre-existing post on SO, including reviewing the terriffic SO automated "Related Questions" list, and did not find anything, so hopefully this is not a repeat.) First, I think it is important to enumerate the reasons systems/databases use SSNs: (note—these are reasons for de facto current state—I understand that many of them are not good reasons) Required for Interaction with External Entities. This is the most valid case—where external entities your system interfaces with require an SSN. This would typically be government, tax and financial. SSN is used to ensure system-wide uniqueness. SSN has become the default foreign key used internally within the enterprise, to perform cross-system joins. SSN is used for user authentication (e.g., log-on) The enterprise solution that seems optimum to me is to create a single SSN repository that is accessed by all applications needing to look up SSN info. This repository substitutes a globally unique, random 9-digit number (ASN) for the true SSN. I see many benefits to this approach. First of all, it is obviously highly backwards-compatible—all your systems "just" have to go through a major, synchronized, one-time data-cleansing exercise, where they replace the real SSN with the alternate ASN. Also, it is centralized, so it minimizes the scope for inspection and compliance. (Obviously, as a negative, it also creates a single point of failure.) This approach would solve issues 2 and 3, without ever requiring lookups to get the real SSN. For issue #1, authorized systems could provide an ASN, and be returned the real SSN. This would of course be done over secure connections, and the requesting systems would never persist the full SSN. Also, if the requesting system only needs the last 4 digits of the SSN, then that is all that would ever be passed. Issue #4 could be handled the same way as issue #1, though obviously the best thing would be to move away from having users supply an SSN for log-on. There are a couple of papers on this: UC Berkely: http://bit.ly/bdZPjQ Oracle Vault: bit.ly/cikbi1

    Read the article

  • Cloud security and privacy

    - by Rakesh K
    Hi, I have a very basic doubt regarding cloud computing that is catching up pretty fast these days. To my understanding, cloud computing is a paradigm in which companies put up their data and applications on somebody else's machines aka 'The Cloud'. I want to know just how secure is it to put up my data on some third party machines, especially if my data contains private details. In particular, how can an enterprise trust the cloud computing service providers in this data privacy aspect? Thanks, rakesh.

    Read the article

  • PHP Form Security With Referer

    - by Jascha
    I'm putting together a site that will make itself available for user input. I was wondering if writing a function like: if(getenv("HTTP_REFERER") != 'http://www.myURL.com/submitArea'){ die('don\'t be an jerk, ruin your own site'); }else{ // continue with form processing } is enough to prevent cross site form submissions.

    Read the article

  • Uploading PDF or .doc and security

    - by Kamo
    I have a script that lets the user upload text files (PDF or doc) to the server, then the plan is to convert them to raw text. But until the file is converted, it's in its raw format, which makes me worried about viruses and all kinds of nasty things. Any ideas what I need to do to minimize the risk of these unknown files. How to check if it's clean, or if it's even the format it claims to be and that it does not crash the server.

    Read the article

  • SSRS 2008 Snapshotting Security

    - by Holy Christ
    Hi, I'm writing a report that will show data based on the User!UserID built into the SSRS infrastructure. The data is sensitive to the user's department. In addition to these department users, there will be admins that should be able to run for all departments, or have a report parameter to run for a specific department. Ideally, I'd like to use SSRS snapshotting so that users can rerun a report they ran on a previous date. It's important that a user can only view the snapshots he created for his department. My questions are: 1.) Does SSRS snapshotting provide a mechanism to limit viewing snapshots by the user that created them? 2.) Will I need to write two reports, one for the admin and one for the department users? I think I do since there isn't a way to secure report parameters. Thanks!

    Read the article

  • Security when using GWT RPC

    - by gerdemb
    I have an POJO in Google Web Toolkit like this that I can retrieve from the server. class Person implements Serializable { String name; Date creationDate; } When the client makes changes, I save it back to the server using the GWT RemoteServiceServlet like this: rpcService.saveObject(myPerson,...) The problem is that the user shouldn't be able to change the creationDate. Since the RPC method is really just a HTTP POST to the server, it would be possible to modify the creationDate by changing the POST request. A simple solution would be to create a series of RPC functions like changeName(String newName), etc., but with a class with many fields would require many methods for each field, and would be inefficient to change many fields at once. I like the simplicity of having a single POJO that I can use on both the server and GWT client, but need a way to do it securely. Any ideas?

    Read the article

  • Security of WCF endpoints

    - by Matt
    For the sake of argument, lets say that I've got a basicHttp WCF service. Besides implementing authentication (login/logout methods), what is stopping someone from just cracking open Visual Studio, adding a web reference to my website's service, and then playing playing around with my service? I'm not familiar with a method of stopping someone from doing this. The idea of someone downloading all of my Data/Operation contracts and then start playing around is keeping me up at night, and I like my sleep!

    Read the article

  • adobe air google app engine session security

    - by iamgopal
    i am creating a ria in adobe air with google app engine based server side. i am using google client login for user login purpose. which is working , but how do i maintain session securely ? ( i.e. from man-in-middle attacks etc ) . what are the best practice in this kind of applications ?

    Read the article

  • ColdFusion Security

    - by Andrew
    What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks) Is cfqueryparam enough?

    Read the article

  • Security concerns for a multi-language site.

    - by The Rook
    I am converting a PHP MySQL web application written for English language into a Multi-Language site. Do you know any vulnerabilities that affect web applications in another language? Or perhaps vulnerabilities that could be introduced in the conversion of code base to support multiple languages. (If you know any vulnerabilities of this type in another language I'll give you a +1)

    Read the article

  • Best approach to create a security environment in Java

    - by Tom Brito
    I need to create a desktop application that will run third party code, and I need to avoid the third party code from export by any way (web, clipboard, file io) informations from the application. Somethig like: public class MyClass { private String protectedData; public void doThirdPartyTask() { String unprotedtedData = unprotect(protectedData); ThirdPartyClass.doTask(unprotectedData); } private String unprotect(String data) { // ... } } class ThirdPartyClass { public static void doTask(String unprotectedData) { // Do task using unprotected data. // Malicious code may try to externalize the data. } } I'm reading about SecurityManager and AccessControler, but I'm still not sure what's the best approach to handle this. What should I read about to do this implementation?

    Read the article

  • Security approach in web application

    - by meep
    Hello everyone. I am designing a web application in ASP.NET / C# where each registered user has the ability to add/modify/delete rows based on their user-id. Take this example: I am going to edit my route on the page /route.aspx?routeid=854 which belongs to me (user-id: 1). But because I am a curious guy I try to access /route.aspx?routeid=855 which belongs to another user (user-id: 2). How can I best avoid people from accessing other peoples data? Should I send each user id (from session) with each database-call, should I validate user/password on every page load or what is the best and most secure approach? I hope I made this clear enough.

    Read the article

  • Ajax security problem

    - by coolboycsaba
    I want to create a browser based game and I have a huge problem, the game can be easily hacked. The problem is at a page where you can go to "work", I store in a file the work ending date and the amount of money what you will receive after finishing the work. There are 4 type of works. The problem is that I use ajax to send to a php file the necessary information. The URL looks like this x.php?date=....&pay=.... The javascript part of the page calculates the date and the pay but if you simply enter in your URL bar x.php?date=anynumber&pay=99999 you will receive that 99999 dollars. What should I do ? And sorry for my bad english :)

    Read the article

  • Solr security question

    - by Camran
    I have a linux server, and I am about to upload a classifieds website to it. The website is php based. That means php code adds/removes classifieds, with the help of the users offcourse. The php-code then adds/removes a classified to a database index called Solr (like MySql). Problem is that anybody can currently access the database, but I only want the website to access the database (solr). Solr is on port 8983 as standard btw. My Q is, if I add a rule in my firewall (iptables), to only allow connections coming from the servers IP to the Solr port nr, would this solve my issue? Thanks

    Read the article

  • HTML5 Web Database Security

    - by Daniel Dimovski
    Should the HTML5 database be used to store any form of private information? Say we have the following scenario; You're browsing a web-mail client, that uses the web database to store mail drafts after you've written some information you close the web browser. What's to stop me from getting access to this information? If the webpage tries to clean out old information when opened a user-script could easily prevent the website from fully loading and then search through the database. Furthermore the names of databases and tables are easily available through the web-mail client's source. W3C Draft

    Read the article

  • Code igniter authentication code in controller security question

    - by Prime Studios
    I have a main controller to handle the very front-end of my authentication system, it handles login, logout, update user info, etc. functions that I anticipate calling by POST'ing from views/forms. What about something like a "delete_user" function though? My thoughts are a button in someones admin panel would say "Delete Account" and it would post to "/auth/delete", and the function would delete the user based on their session username or id. This seems a bit open ended, you could send out a link to someone and when they opened it while in that application it would delete their account.. Whats the best way to handle this?

    Read the article

  • Does this introduce security vulnerabilities?

    - by mcmt
    I don't think I'm missing anything. Then again I'm kind of a newbie. def GET(self, filename): name = urllib.unquote(filename) full = path.abspath(path.join(STATIC_PATH, filename)) #Make sure request is not tricksy and tries to get out of #the directory, e.g. filename = "../.ssh/id_rsa". GET OUTTA HERE assert full[:len(STATIC_PATH)] == STATIC_PATH, "bad path" return open(full).read()

    Read the article

  • Lisp data security/validation

    - by Wayne Werner
    This is really just a conceptual question for me at this point. In Lisp, programs are data and data are programs. The REPL does exactly that - reads and then evaluates. So how does one go about getting input from the user in a secure way? Obviously it's possible - I mean viaweb - now Yahoo!Stores is pretty secure, so how is it done?

    Read the article

  • Spring security @notation for IS_AUTHENTICATED_FULLY?

    - by wuntee
    I am simply trying to allow a user access to a method if they are authenticated, but nothing I am doing seems to work. Is there a way to just check if the user has been authenticated? The following still denies the user even when authenticated... Is there a built in role for an authenticated user? @RequestMapping("/secure") @PreAuthorize("hasRole('IS_AUTHENTICATED_FULLY')") public String secure(ModelMap map){ return("secure"); }

    Read the article

  • Custom security permission_types in Jetspeed

    - by shikarishambu
    Is it possible to create and manage custom permission types in Jetspeed. In addition to the default - folder, page, link, portlet I would like to add document as a type. I want to then use the list of permissions of type "document" that a principal has to manage access to documents. Thanks

    Read the article

  • Spring security - same page to deliver different content based on user role

    - by Ramesh
    Hello, i tried to search for any previous post related to my issue but couldnt find any. I have a scenario where in page handles 3 different scenarios and one of them not working. This page returns different content depending on if the user is authenticated or anonymous. localhost:8080/myApp/muUrl?test=authenticatedContent - used for Scenario 1 & 2 localhost:8080/myApp/muUrl?test=anonymousContent - used for Scenario 3 Scenario: 1) Authenticated user accesing the page url - the user gets displayed correct information. Works fine 2) Anonymous user accesing page URL with parameters that requires authentication - If anonymous, there is second level of check on the content they are accessing. for example, based on the GET parameters, there is custom logic to determine if the user has to be authenticated. In which case the page gets redirected to login page (WORKS fine). 3) Anonymous user accessing page URL with parameters that doesnt need authentication - in this case i get the SAvedRequest and redirect to the URL which is taking me to an infinite loop. Am i missing something very obvious or is there a way in AuthenticationProcessFilterEntryPoint to say "DON'T redirect to LOGIN page but process it" ? thanks.

    Read the article

  • .NET security: how to check if a method is allowed to execute under current user's perrmissions

    - by Gart
    Given an ASP.NET MVC Controller class declaration: public class ItemController : Controller { public ActionResult Index() { // ... } public ActionResult Details() { // ... } [Authorize(Roles="Admin, Editor")] public ActionResult Edit() { // ... } [Authorized(Roles="Admin")] public ActionResult Delete() { // .. } } I need to reflect a list of methods in this class which may be invoked with the current user's permissions. The [Authorized] attribute is specific to ASP.NET MVC, and this is only an example. I would prefer a universal solution for this problem which works for any .NET class. Please share some ideas of what could be done in this case.

    Read the article

< Previous Page | 69 70 71 72 73 74 75 76 77 78 79 80  | Next Page >