Search Results

Search found 120608 results on 4825 pages for 'code access security'.

Page 321/4825 | < Previous Page | 317 318 319 320 321 322 323 324 325 326 327 328  | Next Page >

  • Is it possible to put binary image data into html markup and then get the image displayed as usual i

    - by Joern Akkermann
    It's an important security issue and I'm sure this should be possible. A simple example: You run a community portal. Users are registered and upload their pictures. Your application gives security rules whenever a picture is allowed to be displayed. For example users must be friends on each sides by the system, in order that you can view someone else's uploaded pictures. Here comes the problem: it is possible that someone crawls the image directories of your server. But you want to protect your users from such attacks. If it's possible to put the binary data of an image directly into the HTML markup, you can restrict the user access of your image dirs the user and group your web application runs of and pass the image data to your Apache user and group directly in the HTML. The only possible weakness then is the password of the user that your web app runs as. Is there already a possibility?

    Read the article

  • How to include NetBeans Platform Source code into module dependencies

    - by Ben Hammond
    I am debugging a NetBeans Platform application. I have downloaded the NetBeans Platform source code .zip file. I would really really like to attach the source code to the debugger so that I can seamlessly jump to internal NB source code. Normally I would edit the Library configuration to tell NB where to find the source code, and it would just work. However this is not possible for NetBeans Modules; when I look at the Utilities API module dependency it does not look like a normal NB library and there is nowhere to add in the source code. I suspect that if I were to rebuild my project using Maven this would work automatically. But thats a terrible reason to switch to maven. How can I get the NB Platform Source code included into my Module Dependencies ?

    Read the article

  • Best Pratice to Implement Secure Remember Me

    - by Yan Cheng CHEOK
    Sometimes, I came across certain web development framework which doesn't provide authentication feature as in Authenication ASP.NET I was wondering what is the security measure needs to be considered, when implementing "Remember Me" login feature, by hand coding? Here are the things I usually did. 1) Store the user name in cookie. The user name are not encrypted. 2) Store a secret key in cookie. The secret key is generated using one way function based on user name. The server will verify secret key against user name, to ensure this user name is not being changed. 3) Use HttpOnly in cookie. http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html Any things else I could miss out, which could possible lead a security hole.

    Read the article

  • How to implement a good system for login/out into a webapp

    - by Brandon Wang
    I am one of the developers at PassPad, a secure password generator and username storage system. We're still working on it, but I have a few questions on the best way to implement a secure login/out system. Right now, what we plan on doing is to have the login system save a cookie with the username and a session key, and that's all that serves as authentication. The server verifies the two to match. Upon login/out a new key is created. This is a security-related webapp and while we don't actually store any information that might make the user queasy, because it is security-oriented it makes it a necessity for us to at least appear secure in a way that the user would be happy with. Is there a better way to implement a login/out system in PHP? Preferably it won't take too much coding time or server resources. Is there anything else I need to implement, like brute-force protection, etc? How would I go about that?

    Read the article

  • What are the weaknesses of this user authentication method?

    - by byronh
    I'm developing my own PHP framework. It seems all the security articles I have read use vastly different methods for user authentication than I do so I could use some help in finding security holes. Some information that might be useful before I start. I use mod_rewrite for my MVC url's. Passwords are sha1 and md5 encrypted with 24 character salt unique to each user. mysql_real_escape_string and/or variable typecasting on everything going in, and htmlspecialchars on everything coming out. Step-by step process: Top of every page: session_start(); session_regenerate_id(); If user logs in via login form, generate new random token to put in user's MySQL row. Hash is generated based on user's salt (from when they first registered) and the new token. Store the hash and plaintext username in session variables, and duplicate in cookies if 'Remember me' is checked. On every page, check for cookies. If cookies set, copy their values into session variables. Then compare $_SESSION['name'] and $_SESSION['hash'] against MySQL database. Destroy all cookies and session variables if they don't match so they have to log in again. If login is valid, some of the user's information from the MySQL database is stored in an array for easy access. So far, I've assumed that this array is clean so when limiting user access I refer to user.rank and deny access if it's below what's required for that page. I've tried to test all the common attacks like XSS and CSRF, but maybe I'm just not good enough at hacking my own site! My system seems way too simple for it to actually be secure (the security code is only 100 lines long). What am I missing? I've also spent alot of time searching for the vulnerabilities with mysql_real_escape string but I haven't found any information that is up-to-date (everything is from several years ago at least and has apparently been fixed). All I know is that the problem was something to do with encoding. If that problem still exists today, how can I avoid it? Any help will be much appreciated.

    Read the article

  • How do API Keys and Secret Keys work?

    - by viatropos
    I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin. They asked me for both my Access Key and Secret Access Key, both of which require me to login to access. So I'm wondering, if they're asking me for my secret key, they must be storing it somewhere right? Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database? How are secret keys and api keys supposed to work? How secret do they need to be? Are these applications that use the secret keys storing it somehow? Thanks for the insight.

    Read the article

  • Using WCF HttpBindings on a LAN

    - by dcw
    We have a WCF-based client server that operates over a LAN. We've been getting along ok by using the NetTcpBinding, chosen because we couldn't get either HttpBinding to work between hosts. (Within a single host works fine, but is not useful for the production environment.) We're now back at the point where we want to explore using either BasicHttpBinding or WsHttpBinding, but we simply can't see the server from the client: even putting in the path to the endpoint into IE fails to see the server. Is there something simple we've overlooked? We're not specifying any security settings (or anything else, for that matter). Should we be doing so (e.g. explicitly setting security settings to None)?

    Read the article

  • Tracking EXC_BAD_ACCESS on iPad

    - by Aleks
    I've been using this code to create my UIWindow UIMyWindow* win = [[UIMyWindow alloc] initWithFrame:[[UIScreen mainScreen] applicationFrame]]; UIMyWindow isn't anything special it just has a pointer to a C++ class that does some wrapping of ObjectiveC. Recently my application start crashing after adding some line of code that doesn't have to do anything with the error. The line of code that I added is just allocating a C++ object but the program execution never reaches this line. Interesting enough my code works in Release. My only guess is that I made some memory corruption on a completely different place. My questions are: What type of memory corruption that can be? And is there some good practices to track them down?

    Read the article

  • Is it safe to read regular expressions from a file?

    - by Zilk
    Assuming a Perl script that allows users to specify several text filter expressions in a config file, is there a safe way to let them enter regular expressions as well, without the possibility of unintended side effects or code execution? Without actually parsing the regexes and checking them for problematic constructs, that is. There won't be any substitution, only matching. As an aside, is there a way to test if the specified regex is valid before actually using it? I'd like to issue warnings if something like /foo (bar/ was entered. Thanks, Z. EDIT: Thanks for the very interesting answers. I've since found out that the following dangerous constructs will only be evaluated in regexes if the use re 'eval' pragma is used: (?{code}) (??{code}) ${code} @{code} The default is no re 'eval'; so unless I'm missing something, it should be safe to read regular expressions from a file, with the only check being the eval/catch posted by Axeman. At least I haven't been able to hide anything evil in them in my tests. Thanks again. Z.

    Read the article

  • How to secure authiorization of methods

    - by Kurresmack
    I am building a web site in C# using MVC.Net How can I secure that no unauthorized persons can access my methods? What I mean is that I want to make sure that only admins can create articles on my page. If I put this logic in the method actually adding this to the database, wouldn't I have business logic in my data layer? Is it a good practise to have a seperate security layer that is always in between of the data layer and the business layer to make? The problem is that if I protect at a higher level I will have to have checks on many places and it is more likely that I miss one place and users can bypass security. Thanks!

    Read the article

  • How can I setup a svn subdomain so I can checkin/out without using svn+ssh?

    - by Martin
    I have a svn repository on my hosting account at ~/repository/. At the moment I have to create ssh keys to my server for users to checkin/out from the repository using a command like "svn+ssh://domain.com/project1/trunk". This is fine when there were 2 of us using the repository but now I have other people that might be doing work on the server that I cannot fully trust, hence I cannot give them ssh keys as then they will have access to my entire server. I would like to setup access to my svn repository via a subdomain e.g. svn.domain.com, so that users can checkin/out from this location using a command like: "svn co http://svn.domain.com/project1/trunk" - without using ssh. Can this be done and how? This should also help me solve my other issue of managing which users have access to which svn projects. Thanks for any help in advance!

    Read the article

  • Dealing with passwords securely

    - by Krt_Malta
    Hi I have a Java web service and a Java web client making use of this service. One of the functions is to create a new user account. My two concerns are: How will I send the user's password securely from the client. How will I store the user's password securely on the server. How can I achieve these? I know the theory basically behind security, security algorithms etc but can anyone give me some advice on how I should go about in coding? Could anyone point me to some good (and if possible not complicated) examples to follow since I found some examples on the Internet very contorted? Thanks a lot and regards, Krt_Malta

    Read the article

  • How to protect HtmlHelper code in MVC controls

    - by Oats
    I am writing a custom mvc control (commercial), and all of the control's code lives in the custom htmlhelper code that i will have to distribute to the user. I am ok with this for my commercial license sale, but for evaluating the controls, if i give out the htmlhelper code locally for my potential customers to evaluate, the user can simply "get" all the code and hence he may never buy it since he's got teh control code. How do i protect my htmlhelper code while somebody is evaluation my cusotm mvc controls? Is this a general problem or (I wish) i am missing something here? Thanks.

    Read the article

  • Is it possible for a XSS attack to obtain HttpOnly cookies?

    - by Dan Herbert
    Reading this blog post about HttpOnly cookies made me start thinking, is it possible for an HttpOnly cookie to be obtained through any form of XSS? Jeff mentions that it "raises the bar considerably" but makes it sound like it doesn't completely protect against XSS. Aside from the fact that not all browser support this feature properly, how could a hacker obtain a user's cookies if they are HttpOnly? I can't think of any way to make an HttpOnly cookie send itself to another site or be read by script, so it seems like this is a safe security feature, but I'm always amazed at how easily some people can work around many security layers. In the environment I work in, we use IE exclusively so other browsers aren't a concern. I'm looking specifically for other ways that this could become an issue that don't rely on browser specific flaws.

    Read the article

  • Write a dll that is accessable from VS 2003 VC++ code

    - by John
    I need to be able to write a DLL in either C# or VC++ that is accessible from code that is written in Visual Studio 2003 VC++. It looks like the code is unmanaged (uses * for pointers) VC++ and this DLL needs to be able to drop right in and be accessed by the current code. The DLL is an RS232 driver that needs to be able to return an int for an error code and pass back, by reference, some measured values, to the calling program. Will I even be able to write this in C#? If not, I only have access to Visual Studio 2005 or 2008. Will I be able to write my code in either, and will that DLL be able to be called from the current code base? Or do I have to go looking on ebay for a copy of VS 2003?

    Read the article

  • Web.xml: Are url-pattern tags relative to each other?

    - by sixtyfootersdude
    <servlet-mapping> <servlet-name>myName</servlet-name> <url-pattern>/aName</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> ... <url-pattern> /* </url-pattern> </web-resource-collection> ... </security-constraint> This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern in web-resource-collection is relative to the url-pattern in servlet-mapping.

    Read the article

  • Trouble compiling some decompiled C# code

    - by Colin O'Dell
    I was decompiling an open-source project (because the source for the latest version hasn't been released yet). Using RedGate's Reflector tool, it gave me this block of code: if(somecondition == true) { ref Vector3i vectoriRef; float num17 = length - num; Vector3i end = vectori3; (vectoriRef = (Vector3i) &end)[1] = vectoriRef[1] - ((int) num17); } somecondition is a boolean. length and num are floats defined outside the code. vectori3 is also defined outside the code and is of type Vector3i. The type Vector3i is essentially this code, but with x, y, and z stored as integers. When I try to compile this decompiled code, I get the following errors: Line 2: Only assignment, call, increment, decrement, and new object expressions can be used as a statement Line 3: ; expected Line 3: Invalid expression term 'ref' Line 6: 'Vector3i' is a 'type' but is used like a 'variable' Any thoughts on how I can fix this code so it compiles correctly and does whatever it was intended to do?

    Read the article

  • It's easy to set a breakpoint when debugging VBA, but how about a "startpoint" or a "skippoint"?

    - by PowerUser
    I'm debugging a subroutine in my VBA code. I want to ignore the first half and just run the second half. So, is there a way to set a 'startpoint'? Also, is there an easy way to ignore a specific line of code other than commenting? If not, I'll just continue commenting out all the code I don't want run. The problem with this, of course, is that I have to remember to uncomment the critical code before I send it on to Production.

    Read the article

  • What are the alternatives for Java authentication?

    - by Crusader
    Preferably something that integrates well with a Flex front end. Yes the Spring Security guys say this is possible, but all examples seem to use legacy jsp tag libraries making them half useless as examples. I don't want to spend a month setting up and learning how to use a security tool. I would like a tool which supports using annotations (@RolesAllowed etc), MINIMAL XML, and 'remember-me' features (not cookie based). Apache Shiro seems to support Flex/Silverlight/Swing as well but I'd like to know if there are any other alternatives that are NOT container specific.

    Read the article

  • How can I allow only privledged users to download a pdf with php?

    - by ThinkingInBits
    Lets say I have some pdf files stored on my server and I only want to allow a person who's paid have access to download a particular pdf. So for an example, let's say I have a bunch of e-books. The only way a user would be able to download e-book A is if his account contains the right credentials for that particular book. What's the best way to accomplish this? Any ideas/advice on how to improve my idea are greatly appreciated! My current idea: A user places an order Upon success, a new folder would be created by their /account_num/order_id/ A copy of the particular file would be stored in this directory Have php generate an .htaccess that would only allow access from a url that contains a random hash embedded into it. The only way a user would be able to access this random hashed page is if they are signed in as the right user, and the hash matches up with the hash stored in the database, otherwise they are redirected to home page.

    Read the article

  • Uploading a Website

    - by 01010011
    Hi, This is my first time building a website and using CodeIgniter for a school project. I was wondering whether you have any tips on uploading CI to a free web host , my database, free webhosting and basic security tips. Can I just upload the entire CI folder? Or do I have to upload individual files (God no!)? What are my options? What about my MySQL database - do I just upload my mysqldump to the webhost? Also, can you recommend a good free webhost. I was thinking about 000webhost. Any basic tips on security would also be appreciated (I've implemented many of the form_validation rules like xss_clean for starters) Any other suggestions will be more than welcome. Thanks!

    Read the article

  • Web.xml: Are url-pattern tags relitive to each other?

    - by sixtyfootersdude
    <servlet-mapping> <servlet-name>myName</servlet-name> <url-pattern>/aName</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> ... <url-pattern> /* </url-pattern> </web-resource-collection> ... </security-constraint> This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern in web-resource-collection is relative to the url-pattern in servlet-mapping.

    Read the article

< Previous Page | 317 318 319 320 321 322 323 324 325 326 327 328  | Next Page >