Search Results

Search found 21071 results on 843 pages for 'account security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 194/843 | < Previous Page | 190 191 192 193 194 195 196 197 198 199 200 201  | Next Page >

  • Running shell scripts with sudo through my web app

    - by nfm
    I have some functionality that interfaces with the server's OS in my web application. I've written a bash script and am able to run it from within my app. However, some functionality of the script requires superuser privileges. What is the most sane way to run this script securely? It is being passed arguments from a web form, but should only be able to be called by authenticated users that I trust not to haxxor it.

    Read the article

  • (php) how to properly 'save' info in forms completed thus far

    - by hatorade
    So i have a form that on paper is 40 pages long. I was going to take the natural sections of this form, and make separate html forms for each section, with the idea that on the first page there would be a first form, then you hit 'Continue to next section' which essentially is the 'submit' button, which moves the user to section two, etc, until they hit the last section. i am not actually storing the results of the form in a database, but rather sending an email. the idea then is to store the separate form answers (one html form per section in the real form) as arrays or objects in the session, so that if they go back to a section in the form, it repopulates the values they entered since they are stored in the session. the result would be an array in the session storing the results for each of my forms, and i have one form for each section. my question is: is it secure to temporarily store things like SSNs or driver's license numbers as session variables? why or why not?

    Read the article

  • Pros and Cons of Java HTML to XML cleaners

    - by cjavapro
    I am looking to allow HTML emails (and other HTML uploads) without letting in scripts and stuff. I plan to have a white list of safe tags and attributes as well as a whitelist of CSS tags and value regexes (to prevent automatic return receipt). I asked a question: Parse a badly formatted XML document (like an HTML file) I found there are many many ways to do this. Some systems have built in sanitizers (which I don't care so much about). I will post some answers and say Community Wiki. Please post any other options you like and say Community Wiki so they can be voted on. Also any comments or wiki edits on what part of a certain product is better and what is not would be greatly appreciated. This page is a very nice listing page but I get kinda lost http://java-source.net/open-source/html-parsers

    Read the article

  • Sanitize json input to a java server

    - by morgancodes
    I'm using json to pass data between the browser and a java server. I'm using Json-lib to convert between java objects and json. I'd like to strip out susupicious looking stuff (i.e "doSomethingNasty().) from the user input while converting from json to java. I can imagine several points at which I could do this: I could examine the raw json string and strip out funny-looking stuff I could look for a way to intercept every json value on its way into the java object, and look for funny stuff there. I could traverse my new java objects immediately after reconstitution from json, look for any fields that are Strings, and stripp stuff out there. What's the best approach? Are there any technologies built for this this task that I tack tack on to what I have already?

    Read the article

  • Password reset by email without a database table

    - by jpatokal
    The normal flow for resetting a user's password by mail is this: Generate a random string and store it in a database table Email string to user User clicks on link containing string String is validated against database; if it matches, user's pw is reset However, maintaining a table and expiring old strings etc seems like a bit of an unnecessary hassle. Are there any obvious flaws in this alternative approach? Generate a MD5 hash of the user's existing password Email hash string to user User clicks on link containing string String is validated by hashing existing pw again; if it matches, user's pw is reset Note that the user's password is already stored in a hashed and salted form, and I'm just hashing it once more to get a unique but repeatable string. And yes, there is one obvious "flaw": the reset link thus generated will not expire until the user changes their password (clicks the link). I don't really see why this would be a problem though -- if the mailbox is compromised, the user is screwed anyway.

    Read the article

  • How can one make a web-site accessible only when someone has a dongle?

    - by Brian M. Hunt
    Suppose you want to add an extra layer of credentials on top of a SSL-encrypted login/password, but you don't want to increase complexity to the user. Is there a way to add the requirement of the possession of a dongle to web-server authentication schemes with existing cross-platform browser capabilities? In other words, to get access to the web-site, you would need a username, password, and a USB dongle that has been plugged into the client computer. The dongle would presumably do some sort of challenge/response. It'd be ideal if this dongle solution worked with Firefox automatically or with the simple addition of a plugin. Thoughts and suggestions are appreciated.

    Read the article

  • Implementing password hashing/salting algorithm from crackstation.net

    - by Mason240
    I am trying to implement a password hashing/salting algorithm from crackstation.net, but I am unsure how implement it. Storing the password upon user registration seems to be as simple as passing the password into create_hash(). $password = create_hash($_POST['Password']; I'm not following how to validate upon user login. validate_password($password, $good_hash) returns either true or false, and takes $password as parameter, so it seems like a no brainer except for the second parameter $good_hash. Where does this param come from? It is my understanding that password is turned into a hash value every time its used, and that the hash value is what is stored and compared. So why would I have both the $password and $good_hash values? Quick overview of the functions: function create_hash($password){ calls pbkdf2() } function validate_password($password, $good_hash){ calls pbkdf2() calls slow_equals() } function slow_equals($a, $b){ } function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false){ } Of course a different, better method for this would also be just as helpful. Thank you

    Read the article

  • Which parts of the client certificate to use when uniquely identifying users?

    - by miha
    I'm designing a system where users will be able to register and afterward authenticate with client certificates in addition to username/password authentication. The client certificates will have to be valid certificates issued by a configured list of certificate authorities and will be checked (validated) when presented. In the registration phase, I need to store part(s) of the client certificate in a user repository (DB, LDAP, whatever) so that I can map the user who authenticates with client certificate to an internal "user". One fairly obvious choice would be to use certificate fingerprint; But fingerprint itself is not enough, since collisions may occur (even though they're not probable), so we need to store additional information from the certificate. This SO question is also informative in this regard. RFC 2459 defines (4.1.2.2) that certificate serial number must be unique within a given CA. With all of this combined, I'm thinking of storing certificate serial number and certificate issuer for each registered user. Given that client certificates will be verified and valid, this should uniquely identify each client certificate. That way, even when client certificate is renewed, it would still be valid (serial number stays the same, and so does the issuer). Did I miss something?

    Read the article

  • Should I be worried about a ReDOS attack?

    - by PeeHaa
    Can the following code be use to ReDOS attack my site? Or will it just be ended when the max_execution_time is exceeded or is it a problem of the past? I use the following code to validate emailaddresses on my sites (by Douglas Lovell): function validate_email($email) { $isValid = true; $atIndex = strrpos($email, "@"); if (is_bool($atIndex) && !$atIndex) { $isValid = false; } else { $domain = substr($email, $atIndex+1); $local = substr($email, 0, $atIndex); $localLen = strlen($local); $domainLen = strlen($domain); if ($localLen < 1 || $localLen > 64) { // local part length exceeded $isValid = false; } else if ($domainLen < 1 || $domainLen > 255) { // domain part length exceeded $isValid = false; } else if ($local[0] == '.' || $local[$localLen-1] == '.') { // local part starts or ends with '.' $isValid = false; } else if (preg_match('/\\.\\./', $local)) { // local part has two consecutive dots $isValid = false; } else if (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain)) { // character not valid in domain part $isValid = false; } else if (preg_match('/\\.\\./', $domain)) { // domain part has two consecutive dots $isValid = false; } else if(!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/', str_replace("\\\\","",$local))) { // character not valid in local part unless // local part is quoted if (!preg_match('/^"(\\\\"|[^"])+"$/', str_replace("\\\\","",$local))) { $isValid = false; } } if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A"))) { // domain not found in DNS $isValid = false; } } return $isValid; }

    Read the article

  • UnknownHostException for server java

    - by nilesh
    I am not able to connect to an remote known server through Java code; the exception while connecting is java.net.NoRouteToHostException: No route to host. But strangely, I am able to connect to same server through ssh. Details: Simple Java client when tries to establish connection with Java standalone server, while conneting the exception occurs at following statement: Socket socket = new Socket(ServerIP ServerPort); The port needed is open on server so that externally request can come in. Again the following is returns false InetAddress.getByName(SERVER_IP).isReachable(1000) The Server is running on Fedora, Java 5. FYI: Java cannot resolve DNS address from AIX: UnknownHostException is almost same to my question, but somehow this is not AIX related; moreover I feel the issue to be more of Network or firewall issue. Please guide me.

    Read the article

  • How can I prevent users from overriding the total cost in a shopping cart, when submitted as a hidde

    - by Gobi
    I'm having serious problems with accepting payments. I'm passing the total amount in a hidden field <input type="hidden" name="checkout-flow-support.merchant-checkout-flow-support.shipping-methods.flat-rate-shipping-1.price" value="129.00"/> Some of the users changed this value to 2 using firebug and submitted the form. Instead of getting $129, we only received $2. I have no idea how to proceed this anyone help me quick .

    Read the article

  • ASP.NET MVC Authorize by Subdomain

    - by Jimmo
    I have what seems like a common issue with SaaS applications, but have not seen this question on here anywhere. I am using ASP.NET MVC with Forms Authentication. I have implemented a custom membership provider to handle logic, but have one issue (perhaps the issue is in my mental picture of the system). As with many SaaS apps, customers create accounts and use the app in a way that looks like they are the only ones present (they only see their items, users, etc.). In reality, there are generic controllers and views presenting data depending on the customer represented in the URL. When calling something like the MembershipProvider.ValidateUser, I have access to the user's customer affiliation in the User object - what I don't have is the context of the request to compare whether it is a data request for the same customer as the user. As an example, One company called ABC goes to abc.mysite.com Another company called XYZ goes to xyz.mysite.com When an ABC user calls http://abc.mysite.com/product/edit/12 I have an [Authorize] attribute on the Edit method in the ProductController to make sure he is signed in and has sufficient permission to do so. If that same ABC user tried to access http://xyz.mysite.com/product/edit/12 I would not want to validate him in the context of that call. In the ValidateUser of the MembershipProvider, I have the information about the user, but not about the request. I can tell that the user is from ABC, but I cannot tell that the request is for XYZ at that point in the code. How should I resolve this?

    Read the article

  • Execute binary from memory in C# .net with binary protected from a 3rd party software

    - by NoobTom
    i've the following scenario: i've a C# application.exe i pack application.exe inside TheMida, a software anti-piracy/reverse engineering. i encrypt application.exe with aes256. (i wrote my own aes encryption/decryption and it is working) Now, when i want to execute my application i do the following: decrypt application.exe in memory execute the application.exe with the following code: BinaryReader br = new BinaryReader(decOutput); byte[] bin = br.ReadBytes(Convert.ToInt32(decOutput.Length)); decOutput.Close(); br.Close(); // load the bytes into Assembly Assembly a = Assembly.Load(bin); // search for the Entry Point MethodInfo method = a.EntryPoint; if (method != null) { // create an istance of the Startup form Main method object o = a.CreateInstance(method.Name); // invoke the application starting point method.Invoke(o, null); the application does not execute correctly. Now, the problem i think, is that this method is only to execute .NET executable. Since i packed my application.exe inside TheMida this does not work. Is there a workaround to this situation? Any suggestion? Thank you in advance.

    Read the article

  • Is the Keychain suitable for storing general data, such as strings?

    - by cannyboy
    The Keychain seems to be used a lot for usernames and passwords, but is it a good idea to use it for other sensitive stuff (bank details, ID numbers etc), but with no password? What kind of encryption does the keychain use? The scenario I'm concerned about is a thief acquiring an iPhone (which is screen-locked) and being able to access the file system to get this info. Also, would using the Keychain involve export restrictions due to the use of encryption?

    Read the article

  • Will client JVM for a web service(https) throw an SSL Exception when the server is having a valid ce

    - by ring bearer
    I have a web service deployed on tomcat hosted on a remote server. I have set it up such that it can be accessed only via HTTPS. For this, I generated a Certificate Signing Request (CSR) and used it to get a temporary certificate from VeriSign. My web service client is on my local machine. If I try to access the service it will throw a javax.net.ssl.SSLHandshakeException:unable to find valid certification path to requested target If I install the certificate in to local Java's keystore, the issue will be resolved. My question is if I install a valid SSL certificate from a CA in to my tomcat server, will I get this client-side error even if I do not import the certificate to local key store?

    Read the article

  • Safe executing shell scripts; escaping vars before execution.

    - by Kirzilla
    Hello, Let's imagine that we have a simple php script that should get ssh_host, ssh_username, ssh_port from $_GET array and try to connect using this parameters to SSH. $port = escapeshellcmd($_GET['ssh_port']); $host = escapeshellcmd($_GET['ssh_host']); $username = escapeshellcmd($_GET['ssh_username']); $answer = shell_exec("ssh -p " . $port . " " . $user . "@" . $host); Is escapeshellcmd() enough or I need something more tricky? Or maybe I should use escapeshellarg() in this example? Thank you.

    Read the article

  • Is using os.path.abspath to validate an untrusted filename's location secure?

    - by mcmt
    I don't think I'm missing anything. Then again I'm kind of a newbie. def GET(self, filename): name = urllib.unquote(filename) full = path.abspath(path.join(STATIC_PATH, filename)) #Make sure request is not tricksy and tries to get out of #the directory, e.g. filename = "../.ssh/id_rsa". GET OUTTA HERE assert full[:len(STATIC_PATH)] == STATIC_PATH, "bad path" return open(full).read() Edit: I realize this will return the wrong HTTP error code if the file doesn't exist (at least under web.py). I will fix this.

    Read the article

  • standard encryption decryption across different platforms

    - by Raj
    hey guys i need to implement a standard encryption decryption logic across an entire project platform which has different clients implemented using different platforms as follows: 1) iphone app (objectiv c) 2) website (classic asp) 3) webservice (asp.net) the iphone app as well as the website need to send info to webservice using encrypted query strings the web service then decrypts this and processes the info further wanted to know the simplest way to achieve this. is there some free and ready to use binary available with an easy to use api to achieve this? encryption needs to be as secure as possible thnx in advance

    Read the article

  • Multiple login locations for an online app.

    - by Goro
    Hello, I am working on a browser based application that will have many users. The catch is that every user should have their own customized login page, but the actual application is the same for everyone, and needs to be in a central location. What is the most secure way of doing this? Would it make more sense to have a copy of the application for each user, and keep the database centralized? The projected number of users is not very high, probably around 20-80. Thank you,

    Read the article

  • Can you figure out the password hashing scheme?

    - by Adal
    I have two passwords and two resulting hashes. I can't figure out how the hash is derived from the password. I don't know if salting is used. I don't know if the password is hashed as a integer value or as a string (possibly Unicode). Password: 6770 Hash: c12114b91a3841c143bbeb121693e80b Password: 9591 Hash: 25238d578b6a61c2c54bfe55742984c1 The hash length seems to suggest MD5. Anybody has any ideas what I could try? Note: This is not for hacking purposes. I'm trying to access a service through an API instead of it's desktop client, and I can't figure out how to compute the password hash. Currently instead of using my real password I'm sending directly the hash.

    Read the article

  • Why NOT use POST method here?

    - by Camran
    I have a classifieds website. In the main page (index) I have several form fields which the user may or may not fill in, in order to specify a detailed search of classifieds. Ex: Category: Cars Price from: 3000 Price to: 10000 Color: Red Area: California The forms' action is set to a php page: <form action='query_sql.php' method='post'> In query_sql.php I fetch the variables like this: category=$_POST['category']; etc etc... Then query MySql: $query="SELECT........WHERE category='$category' etc etc.... $results = mysql_query($query); Then I simply display the results of the query to the user by creating a table which is filled in dynamically depending on the results set. However, according to an answer by Col. Shrapnel in my previous Q I shouldn't use POST here: http://stackoverflow.com/questions/3004754/how-to-hide-url-from-users-when-submitting-this-form The reason I use post is simply to hide the "one-page-word-document" long URL in the browsers adress bar. I am very confused, is it okay to use POST or not? It is working fine both when I use GET or POST now... And it is already on a production server... Btw, in the linked question, I wasn't referring to make URL invisible (or hide it) I just wanted it too look better (which I have accomplished with mod_rewrite). UPDATE: If I use GET, then how should I make the url better looking (beautiful)? Check this previous Q out: http://stackoverflow.com/questions/3000524/how-to-make-this-very-long-url-appear-short

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 190 191 192 193 194 195 196 197 198 199 200 201  | Next Page >