Search Results

Search found 22238 results on 890 pages for 'db security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 200/890 | < Previous Page | 196 197 198 199 200 201 202 203 204 205 206 207  | Next Page >

  • Temporarily impersonate and enable privileges?

    - by Luke
    We maintain a DLL that does a lot of system-related things; traversing the file system, registry, etc. The callers of this DLL may or may not be using impersonation. In order to better support all possible scenarios I'm trying to modify it to be smarter. I'll use the example of deleting a file. Currently we just call DeleteFile(), and if that fails that's the end of that. I've come up with the following: BOOL TryReallyHardToDeleteFile(LPCTSTR lpFileName) { // 1. caller without privilege BOOL bSuccess = DeleteFile(lpFileName); DWORD dwError = GetLastError(); if(!bSuccess && dwError == ERROR_ACCESS_DENIED) { // failed with access denied; try with privilege DWORD dwOldRestorePrivilege = 0; BOOL bHasRestorePrivilege = SetPrivilege(SE_RESTORE_NAME, SE_PRIVILEGE_ENABLED, &dwOldRestorePrivilege); if(bHasRestorePrivilege) { // 2. caller with privilege bSuccess = DeleteFile(lpFileName); dwError = GetLastError(); SetPrivilege(SE_RESTORE_NAME, dwOldRestorePrivilege, NULL); } if(!bSuccess && dwError == ERROR_ACCESS_DENIED) { // failed with access denied; if caller is impersonating then try as process HANDLE hToken = NULL; if(OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_IMPERSONATE, TRUE, &hToken)) { if(RevertToSelf()) { // 3. process without privilege bSuccess = DeleteFile(lpFileName); dwError = GetLastError(); if(!bSuccess && dwError == ERROR_ACCESS_DENIED) { // failed with access denied; try with privilege bHasRestorePrivilege = SetPrivilege(SE_RESTORE_NAME, SE_PRIVILEGE_ENABLED, &dwOldRestorePrivilege); if(bHasRestorePrivilege) { // 4. process with privilege bSuccess = DeleteFile(lpFileName); dwError = GetLastError(); SetPrivilege(SE_RESTORE_NAME, dwOldRestorePrivilege, NULL); } } SetThreadToken(NULL, hToken); } CloseHandle(hToken); hToken = NULL; } } } if(!bSuccess) { SetLastError(dwError); } return bSuccess; } So first it tries as the caller. If that fails with access denied, it temporarily enables privileges in the caller's token and tries again. If that fails with access denied and the caller is impersonating, it temporarily unimpersonates and tries again. If that fails with access denied, it temporarily enables privileges in the process token and tries again. I think this should handle pretty much any situation, but I was wondering if there was a better way to achieve this? There are a lot of operations that we would potentially want to use this method (i.e. pretty much any operation that accesses securable objects).

    Read the article

  • Shared User Session for Multiple ASP.NET Websites

    - by Oliver
    I have been tasked with developing a single Login and Dashboard page that user can login too, the user will then be shown all the systems (we developed) that they have access based to based on some roles stored in our databases. If they logged in we would like that "User Session" (not sure of correct terminology) to be carried to which ever system they are redirected too. To illustrate a very rough overview of what I want to achieve: Is there a way that a user can login in one site, and then carry over that login to the other sites? Help, Advice, Link will be much appreciated. Sorry I am not experienced at ASP.net but have a good understanding of Silverlight, C#, WPF. Thanks in advance.

    Read the article

  • Ruby - encrypted_strings

    - by Tom Andersen
    A bit of a Ruby newbie here - should be an easy question: I want to use the encrypted_strings gem to create a password encrypted string: (from http://rdoc.info/projects/pluginaweek/encrypted_strings) Question is: Everything works fine, but how come I don't need the password to decrypt the string? Say I want to store the string somewhere for a while,like the session. Is the password also stored with it? (which would seem very strange?). And no, I'm not planning on using 'secret-key' or any similar hack as a password. I am planning on dynamically generating a class variable @@password using a uuid, which I don't store other than in memory, and can change from one running of the program to the next. Symmetric: >> password = 'shhhh' => "shhhh" >> crypted_password = password.encrypt(:symmetric, :password => 'secret_key') => "qSg8vOo6QfU=\n" >> crypted_password.class => String >> crypted_password == 'shhhh' => true >> password = crypted_password.decrypt => "shhhh"

    Read the article

  • AES Encryption library

    - by Spines
    Is there a library or something that will allow me to simply call a function that will AES encrypt a byte array? I don't want to deal with multiple update blocks/transformFinal/etc, because there is a possibility I will mess up...

    Read the article

  • Simulating O_NOFOLLOW (2): Is this other approach safe?

    - by Daniel Trebbien
    As a follow-up question to this one, I thought of another approach which builds off of @caf's answer for the case where I want to append to file name and create it if it does not exist. Here is what I came up with: Create a temporary directory with mode 0700 in a system temporary directory on the same filesystem as file name. Create an empty, temporary, regular file (temp_name) in the temporary directory (only serves as placeholder). Open file name for reading only, just to create it if it does not exist. The OS may follow name if it is a symbolic link; I don't care at this point. Make a hard link to name at temp_name (overwriting the placeholder file). If the link call fails, then exit. (Maybe someone has come along and removed the file at name, who knows?) Use lstat on temp_name (now a hard link). If S_ISLNK(lst.st_mode), then exit. open temp_name for writing, append (O_WRONLY | O_APPEND). Write everything out. Close the file descriptor. unlink the hard link. Remove the temporary directory. (All of this, by the way, is for an open source project that I am working on. You can view the source of my implementation of this approach here.) Is this procedure safe against symbolic link attacks? For example, is it possible for a malicious process to ensure that the inode for name represents a regular file for the duration of the lstat check, then make the inode a symbolic link with the temp_name hard link now pointing to the new, symbolic link? I am assuming that a malicious process cannot affect temp_name.

    Read the article

  • Restrict the page to be browsed in the other browser with the same urls

    - by subash
    how to restrict the page to be browsed in the other browser with the same urls with out logging asp.net & c#.net. i followed the following steps for example: i am logging in to a page developed in asp.net & c#.net. i am viewing a page.Let it be admin page. i am copying the url of the admin page. i am opening another browser window and pasting the url. i was able to see the same admin page in the other browser. the question is how to restrict the opening of admin page in other browser,if they try to open admin page in another browser while user is currently viewing the admin page then it should be redirected to the login page? how could this be accomplished? is there any thing could be done with "login" control tool of the .net frame work?

    Read the article

  • Are these two functions overkill for sanitization?

    - by jpjp
    function sanitizeString($var) { $var = stripslashes($var); $var = htmlentities($var); $var = strip_tags($var); return $var; } function sanitizeMySQL($var) { $var = mysql_real_escape_string($var); $var = sanitizeString($var); return $var; } I got these two functions from a book and the author says that by using these two, I can be extra safe against XSS(the first function) and sql injections(2nd func). Are all those necessary? Also for sanitizing, I use prepared statements to prevent sql injections. I would use it like this: $variable = sanitizeString($_POST['user_input']); $variable = sanitizeMySQL($_POST['user_input']);

    Read the article

  • Prevent change of hidden field

    - by er-v
    What if I have ChangePassword form with hidden ID field of the user. BadPerson knows id of GoodPerson. He opens Change Password form with FireBug, changes his Id to GoodPerson's Id, so password changes for GoodPerson. Of course I can create some server logic that will prevent this, but I think there should be some out of the box solution, wich throws if hidden field been changed, wich I don't know. Thank's in advance.

    Read the article

  • WCF REST based services authentication schemes

    - by FlySwat
    I have a simple authentication scheme for a set of semi-public REST API's we are building: /-----------------------\ | Client POST's ID/Pass | | to an Auth Service | \-----------------------/ [Client] ------------POST----------------------> [Service/Authenticate] | /-------------------------------\ | Service checks credentials | [Client] <---------Session Cookie------- | and generates a session token | | | in a cookie. | | \-------------------------------/ | [Client] -----------GET /w Cookie -------------> [Service/Something] | /----------------------------------\ | Client must pass session cookie | | with each API request | | or will get a 401. | \----------------------------------/ This works well, because the client never needs to do anything except receive a cookie, and then pass it along. For browser applications, this happens automatically by the browser, for non browser applications, it is pretty trivial to save the cookie and send it with each request. However, I have not figured out a good approach for doing the initial handshake from browser applications. For example, if this is all happening using a AJAX technique, what prevents the user from being able to access the ID/Pass the client is using to handshake with the service? It seem's like this is the only stumbling block to this approach and I'm stumped.

    Read the article

  • [Symfony] Login to application with GET/POST token

    - by Henri
    I work on a Symfony web application which has a standard login form. To allow users to login more easily we want to give them a link which logs them in directly. I've already build a way to get a token to use, but I have no clue as to how the Symfony login process works, specifically how I can adapt it to take a GET/POST token instead of redirecting to the login page. Any help appreciated! Oh and this is Symfony 1.2 BTW (and no, upgrading is not an option right now)

    Read the article

  • What's the best way to detect web applications attacks ?

    - by paulgreg
    What is the best way to survey and detect bad users behavior or attacks like deny of services or exploits on my web app ? I know server's statistics (like Awstats) are very useful for that kind of purpose, specially to see 3XX, 4XX and 5XX errors (here's an Awstats example page) which are often bots or bad intentioned users that try well-known bad or malformed URLs. Is there others (and betters) ways to analyze and detect that kind of attack tentative ? Note : I'm speaking about URL based attacks, not attacks on server's component (like database or TCP/IP).

    Read the article

  • GWT RPC - Does it do enough to protect against CSRF ?

    - by sri
    GWT's RPC mechanism does the following things on every HTTP Request - Sets two custom request headers - X-GWT-Permutation and X-GWT-Module-Base Sets the content-type as text/x-gwt-rpc; charset=utf-8 The HTTP request is always a POST, and on server side GET methods throw an exception (method not supported). Also, if these headers are not set or have the wrong value, the server fails processing with an exception "possibly CSRF?" or something to that effect. Question is : Is this sufficient to prevent CSRF? Is there a way to set custom headers and change content type in a pure cross-site request forgery method?

    Read the article

  • Handling over-long UTF-8 sequences

    - by Grant McLean
    I've just been reworking my Encoding::FixLatin Perl module to handle over-long utf8 byte sequences and convert them to the shortest normal form. My question is quite simply "is this a bad idea"? A number of sources (including this RFC) suggest that any over-long utf8 should be treated as an error and rejected. They caution against "naive implementations" and leave me with the impression that these things are inherently unsafe. Since the whole purpose of my module is to clean up messy data files with mixed encodings and convert them to nice clean utf8, this seems like just one more thing I can clean up so the application layer doesn't have to deal with it. My code does not concern itself with any semantic meaning the resulting characters might have, it simply converts them into a normalised form. Am I missing something. Is there a hidden danger I haven't considered?

    Read the article

  • How to make prevent public key inside jar to be saved using Java code

    - by Abhijith V R
    After signing a jar , we can retrieve the public keys from jar using Certificate[] cert = jarentry.getCertificates(); Once certificate is extracted we can save this to a new keystore as trusted cert. Once this is done , then second user can sign any jar using this certificate , isn't ? I want to distribute content as jars , contents will contain properties files for a application init. I want to make sure that an user is not capable to rebuilding the property files using the certificate he extracted from jarentry. In the code which reads the jar contents i am checking that jar is signed with my certificate only and also checking that jar is not tampered with . But the issue came to my mind that if i am able to extract the cerificate from jar then why don;t a third guy ? Can any one help me in this............

    Read the article

  • How to disable mod_security2 rule (false positive) for one domain on centos 5

    - by nicholas.alipaz
    Hi I have mod_security enabled on a centos5 server and one of the rules is keeping a user from posting some text on a form. The text is legitimate but it has the words 'create' and an html <table> tag later in it so it is causing a false positive. The error I am receiving is below: [Sun Apr 25 20:36:53 2010] [error] [client 76.171.171.xxx] ModSecurity: Access denied with code 500 (phase 2). Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at ARGS:body. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "352"] [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.mysite.com"] [uri "/node/181/edit"] [unique_id "@TaVDEWnlusAABQv9@oAAAAD"] and here is /usr/local/apache/conf/modsec2.user.conf (line 352) #Generic SQL sigs SecRule ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" "id:1,rev:1,severity:2,msg:'Generic SQL injection protection'" The questions I have are: What should I do to "whitelist" or allow this rule to get through? What file do I create and where? How should I alter this rule? Can I set it to only be allowed for the one domain, since it is the only one having the issue on this dedicated server or is there a better way to exclude table tags perhaps? Thanks guys

    Read the article

  • Capture DDE Data that is being streamed in to a software

    - by user534391
    Hello, I have a trading software that gets data from the internet. I want to capture that tick data. There is one software that has been made by a local develop which is able to do that and it looks like it uses DDE (NDde.dll, NetSQL.dll). I want to write a custom application that does the same. Any pointers how I can check how the data is being streamed and how to capture that data. I don't think it is encrypted, since the other developer would not have been able to decrypt either. I just need to scan how the software is getting the data. Thank you.

    Read the article

  • SQL Server authentication - limit access to database to only connect through application

    - by Mauro
    I have a database which users should not be able to alter data in unless they use the specific app. I know best practice is to use windows authentication however that would mean that users could then connect to the database using any other data enabled app and change values which would then not be audited. Unfortunately SQL 2008 with its inbuilt auditing is not available. Any ideas how to ensure that users cannot change anything unless its through the controlling app?

    Read the article

  • java keytool question

    - by user384706
    Hi, I created a java keystore programmatically of type jks (i.e. default type). It is initially empty so I created a DSA certificate. keytool -genkey -alias myCert -v -keystore trivial.keystore How can I see the public and private keys? I.e. is there a command that prints the private key of my certificate? I could only find keytool -certreq which in my understanding prints the certificate as a whole: -----BEGIN NEW CERTIFICATE REQUEST----- MIICaTCCAicCAQAwZTELMAkGA1UEBhMCR1IxDzANBgNVBAgTBkdyZWVjZTEPMA0GA1UEBxMGQXRo BQADLwAwLAIUQZbY/3Qq0G26fsBbWiHMbuVd3VICFE+gwtUauYiRbHh0caAtRj3qRTwl -----END NEW CERTIFICATE REQUEST----- I assume this is the whole certificate. How can I see private (or public key) via keytool? Thank you

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 196 197 198 199 200 201 202 203 204 205 206 207  | Next Page >