Search Results

Search found 21071 results on 843 pages for 'account security'.

Page 174/843 | < Previous Page | 170 171 172 173 174 175 176 177 178 179 180 181  | Next Page >

• Use DLL and have it be as trusted as my own application is

  - by Binary255

  Hi, I am using a port of GNU GetOpts, to be specific I am using the one at: http://getopt.codeplex.com I have added the DLL as a reference. But when I run my application I receive an exception: System.IO.FileLoadException was unhandled Message="Could not load file or assembly 'Gnu.Getopt, Version=0.9.1.24287, Culture=neutral, PublicKeyToken=d014b4ccdc53511a' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)" If it is possible I would like my application to say, "trust this DLL as much as you trust me". Is there a way to do that so I won't have to fiddle with security settings? And if there is not. What is the cleanest way to get the DLL working?

  Read the article

• Is it inmoral to put a captcha on a login form?

  - by azkotoki

  In a recent project I put a captcha test on a login form, in order to stop possible brute force attacks. The inmediate reaction of other coworkers was a request to remove it, saying that it was innapropiate for that purpose, and that it was quite exotic to see a captcha in that place. I've seen captcha images on signup, contact, password recovery forms, etc. So I personally don't see innapropiate to put a captcha also on a place like that. Well, it obviously burns down usability a little bit, but it's a matter of time and getting used to it. With the lack of a captcha test, one would have to put some sort of blacklist / account locking mechanism, which also has some drawbacks. Is it a good choice for you? Am I getting somewhat captcha-aholic and need some sort of group therapy? Thanks in advance.

  Read the article

• How can I monitor if a cookie is being sent to a domain other than the one it originated from?

  - by Brendan Salt

  I am trying to write a program that will verify that all cookies sent out from the machine are in fact going to the domain they came from. This is part of a larger security project to detect cookie based malicious attacks (such as XSS). The main snag for this project is actually detecting the out-going cookies. Can someone point me in the right direction for monitoring out-going HTTP traffic for cookie information? Other information about the project: This is a windows application written in C and numerous scripting languages. Thanks so much for the help.

  Read the article

• Why Shouldn't I Programmatically Submit Username/Password to Facebook/Twitter/Amazon/etc?

  - by viatropos

  I wish there was a central, fully customizable, open source, universal login system that allowed you to login and manage all of your online accounts (maybe there is?)... I just found RPXNow today after starting to build a Sinatra app to login to Google, Facebook, Twitter, Amazon, OpenID, and EventBrite, and it looks like it might save some time. But I keep wondering, not being an authentication guru, why couldn't I just have a sleek login page saying "Enter username and password, and check your login service", and then in the background either scrape the login page from say EventBrite and programmatically submit the form with Mechanize, or use an API if there was one? It would be so much cleaner and such a better user experience if they didn't have to go through popups and redirects and they could use any previously existing accounts. My question is: What are the reasons why I shouldn't do something like that? I don't know much about the serious details of cookies/sessions/security, so if you could be descriptive or point me to some helpful links that would be awesome. Thanks!

  Read the article

• IIS reveals internal IP address in content-location field - fix

  - by saille

  Referring: http://support.microsoft.com/kb/q218180/, there is a known issue in IIS4/5/6 whereby it will reveal the internal IP of a web server in the content-location field of the HTTP header. We have IIS 6. I have tried the fix suggested, but it has not worked. The website is configured to send all requests to ASP.NET, and I am wondering if this is why the fix, which addresses IIS configuration, has not worked for us. If this is the case, how would we fix this in ASP.NET? We need to fix this issue in order to pass a security audit.

  Read the article

• Is there any benefit to encrypting twice using pgp?

  - by ojblass

  I am asking from a "more secure" perspective. I can imagine a scenario with two required private keys needed for decryption scenarios that may make this an attractive model. This is to settle an argument. My vote is that it is not adding any additional security other than having to compromise two different private keys. I think that if it was any more secure than encrypting it one million times would be the best way to secure informaiton and I don't buy it. So I guess my question becomes is a two locking mechanism equivalent to another one locking mechanism with a single key? Update: Forgive me if the answer is obvious but my bread goes dead as I read books on the topic.

  Read the article

• Prevent Method call without Exception using @PreAuthorize Annotation

  - by Chepech

  Hi all. We are using Spring Security 3. We have a custom implementation of PermissionEvaluator that has this complex algorithm to grant or deny access at method level on the application. To do that we add a @PreAuthorize annotation to the method we want to protect (obviously). Everything is fine on that. However the behavior that we are looking for is that if a hasPermission call is denied, the protected method call only needs to be skipped, instead we are getting a 403 error each time that happens. Any ideas how to prevent that? You can find a different explanation of the problem here; AccessDeniedException handling during methodSecurityInterception

  Read the article

• Detecting if a browser is using Private Browsing mode

  - by Steve

  I'm building an extranet for a company paranoid about security. They want to make sure that (among other things) their users are browsing the site with the Private Browsing mode switched on in their web browser so that no cookies or history is kept. I found only this http://jeremiahgrossman.blogspot.com/2009/03/detecting-private-browsing-mode.html and http://serverfault.com/questions/18966/force-safari-to-operate-in-private-mode-and-detect-that-state-from-a-webserver The ideal solution would use no or minimal javascript. Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before? thanks!

  Read the article

• Are there cross-platform tools to write XSS attacks directly to the database?

  - by Joachim Sauer

  I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications. I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development). Is anyone aware of a similar tool? Preferably it should be: cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok) open source (I really like being able to audit my security tools) able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)

  Read the article

• Use Tomcat with Java SecurityManager?

  - by pauline

  I'm writing a web application that is supposed to run on Tomcat on Ubuntu. On Ubuntu, Tomcat is per default configured to run with the Java SecurityManager. Besides my own web application, there will only be some well known third party web applications related to my own, like the BIRT report engine. If one of the web applications fails or gets compromised, it may take down all the others without harm, because they all belong together. What I don't wont to happen is that a compromised web app compromises the system itself, like calling rm -r / Do I need to use the java security manager to achieve this? Or is it only necessary to protect one web app from the other? I'd really like to prevent the effort to create .policy files for all the 3rd party web applications I intend to use.

  Read the article

• When do you trust the data / variables

  - by Wizzard

  We all know that all user data, GET/POST/Cookie etc etc needs to be validated for security. But when do you stop, once it's converted into a local variable? eg if (isValidxxx($_GET['foo']) == false) { throw InvalidArgumentException('Please enter a valid foo!'); } $foo = $_GET['foo']; fooProcessor($foo); function fooProcessor($foo) { if (isValidxxx($foo) == false) { throw Invalid...... } //other stuff } To me thats over the top. But what if you load the value from the database... I hope I make sense :)

  Read the article

• 2008 Datacenter Word Automation issue

  - by Brad

  We have an application that uses word automation. It works fine under Windows XP, but does not work on our Windows Server 2008 64-bit virtual machine running on VMware ESX unless it is running as the domain administrator. Under any other account (including a local admin), Word starts, uses a lot of CPU for 40 seconds when opening a document, and then just hangs. Our application does not access anything not on the local machine, and this machine is not being used for anything else (not a domain controller, etc). I know others have posted similar issues, with the solution of creating a Desktop folder somewhere under the windows directory. We did this, and it did not solve the problem (Word did not get as far as it did before we did this though). Please don't turn this into a thread about why I am trying to do this, whether I should do this, or whether I need to. For argument sake, I don't need to do this, but understanding what privilege a local admin does not have that is needed to do this is a legitimate concern.

  Read the article

• What is the sense of permiting the user to use no passwords longer than xx chars?

  - by reox

  Its more like a usability question or maybe database, or even maybe security (consider injection attacks) but what is the sense of permiting the user's password to a be not longer than xx chars? It does not make any sense to me, because longer passwords are mostly considered better and even harder to crack, and some users use password safes, so the password length should not matter. I understand that passwords with more than 20 chars are hardly to remember, but if you use diceware or password safe you dont have any problem with that. I really cant understand why there are sites that say "your password need to be between 5 and 8 chars"... also should the password saved as hash, so the length of the field in the database is fixed, so where is the problem? i think that most of the sites where the password is has to be a fixed length are not even using any hashing method...

  Read the article

• Websphere exception handling

  - by Benjamin

  Hi all, From a security standpoint, what is the best solution to handle application errors with Websphere? I've been thinking of creating a class that is called every time an application error is generated, log the error and display a generic error message to the users. In PHP this can be achieved using the set_exception_handler() function. Is there something similar for websphere that could be configured in the web.xml? I've found codes like this on the internet: <error-page> <error-code>500</error-code> <location>/servlet/ExceptionHandlerServlet</location> </error-page> But that would only work with "500" HTTP error codes. I really want something generic that catches everything. Something like a class that implements a certain interface which can have access to all information about the error. Thanks for your time.

  Read the article

• How To Check If Your Account Passwords Have Been Leaked Online and Protect Yourself From Future Leaks

  - by Chris Hoffman

  Security breaches and password leaks happen constantly on today’s Internet. LinkedIn, Yahoo, Last.fm, eHarmony – the list of compromised websites is long. If you want to know whether your account information was leaked, there are some tools you can use. These leaks often lead to many compromised accounts on other websites. However, you can protect yourself by using unique passwords everywhere – if you do, password leaks won’t be a threat to you. Image Credit: Johan Larsson on Flickr 8 Deadly Commands You Should Never Run on Linux 14 Special Google Searches That Show Instant Answers How To Create a Customized Windows 7 Installation Disc With Integrated Updates

  Read the article

• SForceAPI : unable to find classes listed on API? (Account, Contact, etc)

  - by Firefox

  Hi, API referred : http://www.salesforce.com/us/developer/docs/api/index.htm subsection: reference-standard objects Client side details : partner.wsdl, Axis2 1.5, generated stubs using unpacked option (-u). I was hoping to find some basic objects like Account, Contact, etc (which were listed on above url) so that I can do something like - SObject[] sObjArray = queryResult.getRecords(); for(SObject sObj : sObjArray){ Account acc = [Account] sObj; } [used above approach successfully in another webservice - 'Zuora'] However, I could not find Account class in the generated classes. I guess I am into wrong approach, but atleast I should be finding the classes listed in the reference API. Please help.

  Read the article

• How to make an Asp.net MVC 2 website have a Private Beta Mode.

  - by Mark Kitz

  I am creating an ASP.Net MVC website that I am launching soon in private beta. What I am using. ASP.NET MVC 2 ASP.NET Sql Membership Provider Authorization Attributes on ActionMethods. ex. [EditorsOnly] What I am trying to accomplish: During the private Beta period of my website, I want no anonymous users to access my site. Only Beta Testers of my site should be able to login and use my site as normal. After the private beta period people can access it using the security structure I already have set up. I am hoping I do not have to recompile but can have a setting in the webconfig to switch between Private Beta mode to Normal mode. Thanks for your suggestions.

  Read the article

• Is php fileinfo sufficient to prevent upload of malicious files?

  - by Scarface

  Hey guys, I have searched around a bit, and have not really found a professional type response to how to have secure fileupload capability so I wanted to get the opinion of some of the experts on this site. I am currently allowing upload of mp3s and images, and while I am pretty confident in preventing xss and injection attacks on my site, I am not really familiar with fileupload security. I basically just use php fileinfo and check an array of accepted filetypes against the filetype. For images, there is the getimagesize function and some additional checks. As far as storing them, I just have a folder within my directory, because I want the users to be able to use the files. If anyone could give me some tips I would really appreciate it.

  Read the article

• Detect IE setting: check for newer versions of stored pages "never"

  - by xx

  I understand there isn't a way to interrogate a users IE settings directly due to security reasons, but is there a way to derive this answer with some other mechanism? I would like to stop a user from using my site if the setting "Check for newer versions of stored pages" is set to "Never". Any suggestions? Is there a way I could test for this using javascript? An example of what I am trying to accomplish is this: While it is not possible to check IE settings to see if you are running a popup blocker, that is a way to "test" for a popup blocker via javascript. I am looking for something similiar but for the cache setting, not the popup blocker.

  Read the article

• Secure database connection. DAL .net architecture best practice

  - by Andrew Florko

  We have several applications that are installed in several departments that interact with database via Intranet. Users tend to use weak passwords or store login/password written on a shits of paper where everybody can see them. I'm worried about login/password leakage & want to minimize consequences. Minimizing database-server attack surface by hiding database-server from Intranet access would be a great idea also. I'm thinking about intermediary data access service method-based security. It seems more flexible than table-based or connection-based database-server one. This approach also allows to hide database-server from public Intranet. What kind of .net technologies and best practices would you suggest? Thank in you in advance!

  Read the article

• session is lost after successful login?

  - by sword101

  greetings all um using spring security 3.0.2,all the application pages are secured to see them you must be authenticated um using https protocol i have a strange problem that after successful login and got to the requested page when try to open any link to other pages in the application the session is invalidated or lost or what happened i don't know and the user become anonymous,and redirected to the login page and i got this from debugging: No HttpSession currently exists No SecurityContext was available from the HttpSession: null. A new one will be created. after reviewing the coe many times,nothing in the code is invalidating the session,any ideas why something like this might happen?

  Read the article

• Prevent strings stored in memory from being read by other programs

  - by Roy

  Some programs like ProcessExplorer are able to read strings in memory (for example, my error message written in the code could be displayed easily, even though it is compiled already). Imagine if I have a password string "123456" allocated sequentially in memory. What if hackers are able to get hold of the password typed by the user? Is there anyway to prevent strings from being seen so clearly? Oh yes, also, if I hash the password and sent it from client to server to compare the stored database hash value, won't the hacker be able to store the same hash and replay it to gain access to the user account? Is there anyway to prevent replaying? Thank You!

  Read the article

• Sanitizing CSS in Rails

  - by Erik

  Hello! I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page. However I am aware of this opening up for many security risks, i e background: url('javascript:alert("Got your cookies! " + document.cookies'). Hence I am looking for a solution to sanitize the CSS while still allowing as much CSS functionality as possible for my users. So my questions if anyone anyone knows of a gem or a plugin to handles this? I've googled my brains out already so any tips would be really appreciated!

  Read the article

• php Form to Email sanitizing

  - by Jacob

  Hi, im using the following to send a contact us type form, iv looked into security and only found that you need to protect the From: bit of the mail function, as ive hardcoded this does that mean the script is spamproof / un-hijackable $tenantname = $_POST['tenan']; $tenancyaddress = $_POST['tenancy']; $alternativename = $_POST['alternativ //and a few more //then striptags on each variable $to = "[email protected]"; $subject = "hardcoded subject here"; $message = "$tenantname etc rest of posted data"; $from = "[email protected]"; $headers = "From: $from"; mail($to,$subject,$message,$headers);

  Read the article

• Is *not* using the asp.net membership provider a bad idea?

  - by EJB

  Is it generally a really bad idea to not use the built-in asp.net membership provider? I've always rolled my own for my asp.net apps (public facing), and really have not had any problems in doing so. It works, and seems to avoid a layer of complexity. My needs are pretty basic: once setup, the user must use email address and password to login, if they forget it, it will be emailed back to them (a new one). After setup there is little that needs to be done to each user account, but I do need to store several extra fields with each user (full name, telephone and a few other fields etc). The number of users that required login credentials are small (usually just the administrator and a few backups), and everyone else uses the site unauthenticated. What are the big advantages that I might be missing out on by skipping the asp.net membership provider functionality?

  Read the article

< Previous Page | 170 171 172 173 174 175 176 177 178 179 180 181  | Next Page >