Search Results

Search found 37055 results on 1483 pages for 'ms access 1007'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 134/1483 | < Previous Page | 130 131 132 133 134 135 136 137 138 139 140 141  | Next Page >

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question but I thought I did indeed postulate one. So that there is no ambiquity here is the question with a lead in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does any one see any other way other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_toekn, that will insure unique untampered with security by the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for any one to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using facebook as a single click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination and after reviewing the FB.Init calls I saw a lot of HTTPS calls so I assumed the access_token was always encrypted. But last night I saw in the status bar a call from what was simply an http call that included the App ID so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something, is what I am seeing and my interpretation really correct. If any one can sniff and get the access_token they can theorically make calls to the Graph API via https, even though the call back would still need to be the site established in Facebook's application set up. But what is truly a security threat is anyone using the access_token for access to their own site. I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token - becuase for what I can see it clearly is not secure. Access tokens that never have an expire date do not change. Access_tokens are different for every user, to access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back an re ran the canvas application to verify that it was not any of my code that was not broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 The USER ID is clearly visible in the cookie. So USER_ID's are fully visible, but they are already. Anyone can go to pretty much any ones page and hover over the image and see the USER ID. So no big threat. APP_ID are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook initiated call. Am I wrong. TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don’t know that could come back and bite me. Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie contain the access_token, session, a secret, and uid and status of the connection. The session object is structured such that is supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much al that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So any one with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think, tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third party data base, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token which contains the APP ID, the USER ID, and a hashed with secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with secret, make HTTPS calls, get HTTPS responses back. When a user has information entered via the USER AGENT(browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to data base insertion. However, If there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. it is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If however, it is subsequently transmitted in the clear and if I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database, or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that. I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

    Read the article

  • Windows 7 & Sql 2008 - set database access to normal user

    - by simon_
    I use Windows 7 & Sql Server 2008. If I run Management Studio as normal user and try to connect to database 'MyDatabase', I get this error message 'The database MyDatabase is not accessible'. I I run Management Studio per right click 'Run as administrator', then 'MyDatabase' is accessible. Where & what should I set, to be able to access MyDatabase as normal user?

    Read the article

  • 'Access denied' while partitioning on Vista

    - by shinokada
    I went to Disk Management and right-click C drive to shrink. It started the process and after long time passed, 'Access denied' error came out. I tried a couple of times, but all are the same result. Could anyone help me how to partition C drive on Vista please? Thanks in advance.

    Read the article

  • facebook access_token problem

    - by user559711
    Hi, I just wrote a little application(4 page php), everything work fine, however, I have a question that, do I need to create a new instance of facebook (just like $facebook = new facebook.....) in every new php page, or just pass a access token or session? If only pass the access token, how can I use the function $faceook-api('something'); to acheive the data? Because I'm a beginner of php, I have no idea how access token work, please help, thanks a lot! Regards, YK

    Read the article

  • Is it possible to log the first line of the response in apache?

    - by Jeppe Mariager
    Hey, We have an Tomcat server where we're trying to log the HTTP version which the response is sent with. We've seen a few times that it seems to be HTTP/0.9, which kills the content (not supported I guess?). We would like to get some stats on this by using the access log in apache. However, since the header line for this isn't prefixed by anything, we cannot use the %{xxx}o logging. Is there a way to get this? An example: Response is: HTTP/1.1 503 This application is not currently available Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Length: 1090 Date: Wed, 12 May 2010 12:53:16 GMT Connection: close And we'd like the catch HTTP/1.1 (alternatively, HTTP/1.1 503 This application is not currently available. Is this possible? We do not have access to the application being served, so we need to do this either as a Java filter, or in the tomcat access log - Preferably in the access log.

    Read the article

  • Exchange 2010 SP2 Not Allowing Logon for Users with Expired Passwords

    - by JJ.
    When we provision users we set the "User must change password at next logon" flag and instruct them to go to OWA to login for the first time and change their password. Using the registry setting ChangeExpiredPasswordEnabled as explained here: http://technet.microsoft.com/en-us/library/bb684904.aspx worked well prior to SP2 installation. This allows users with 'expired' passwords to logon and forces a password change before they can access OWA. We just installed Exchange 2010 Service Pack 2 and now it's no longer working. Users with this flag set ('expired' passwords) can't login in at all unless we clear the flag. FYI here's the registry key configuration as set now with SP2 installed: Any suggestions as to how I might fix this? Or did MS break this feature in Service Pack 2?

    Read the article

  • Moving to the next line to populate an excel file from VBA

    - by edmon
    I have the below code that takes certain fields from my MS Access (A small Hotel Reservation Database)form and populates defined cells in the said Excel file. Dim objXLApp As Object Dim objXLBook As Object Set objXLApp = CreateObject("Excel.Application") Set objXLBook = objXLApp.Workbooks.Open("Y:\123files\File\Hotel Reservation.xls") objXLApp.Application.Visible = True objXLBook.ActiveSheet.Range("B2") = Me.GuestFirstName & " " & GuestLastName objXLBook.ActiveSheet.Range("C2") = Me.PhoneNumber objXLBook.ActiveSheet.Range("E2") = Me.cboCheckInDate objXLBook.ActiveSheet.Range("F2") = Me.cboCheckOutDate objXLBook.ActiveSheet.Range("H2") = Me.RoomType objXLBook.ActiveSheet.Range("I2") = Me.RoomNumber End Sub How can I keep populating a new Guest to the same Excel file just on the next row?

    Read the article

  • Exchange 2010 OWA - a few questions about using multiple mailboxes

    - by Alexey Smolik
    We have an Exchange 2010 SP2 deployment and we need that our users could access multiple mailboxes in OWA. The problem is that a user (eg John Smith) needs to access not just somebody else's (eg Tom Anderson) mailboxes, but his OWN mailboxes, e.g. in different domains: [email protected], [email protected], [email protected], etc. Of course it is preferable for the user to work with all of his mailboxes from a single window. Such mailboxes can be added as multiple Exchange accounts in Outlook, that works almost fine. But in OWA, there are problems: 1) In the left pane - as I've learned - we can open only Inbox folders from other mailboxes. No way to view all folders like in Outlook? 2) With Send-As permissions set, when trying to send a message from another address, that message is saved in the Sent Items folder of the mailbox that is opened in OWA, and not in the mailbox the message is sent from. The same thing with the trash can. Is there a way to fix that? Also, this problem exists in desktop Outlook when mailboxes are added automatically via the Auto Mapping feature, so that we need to turn it off and add the accounts manually. Is there a simpler workaround? 3) Okay, suppose we only open Inbox folders in the left pane. The problem is that the mailbox names shown there are formed from Display Name attributes. But those names are all identical! All the mailboxes are owned by John Smith, so they should be all named John Smith - so that letter recepient sees "John Smith" in the "from" field, no matter what mailbox it is sent from. Also, the user knows what's his name - no need to tell him. He wants to know what mailbox he works with. So we need a way to either: a) customize OWA to show mailbox email address instead of user Display Name, or b) make Exchange use another attribute to put in the "from" field when sending letters 4) Okay, we can switch between mailboxes using "Open Other Mailbox" in the upper-right corner menu. But: a) To select a mailbox we need to enter its name (or first letters). It there a way to show a list of links to mailboxes the user has full access to? Eg in the page header... b) If we start entering the first letters, we see a popup list with possible mailboxes to be opened. But there are all mailboxes (apparently from GAL), not only mailboxes the user has permission to open! How to filter that popup list? c) The same problem as in (3) with mailbox naming. We can see the opened mailbox email address ONLY in the page URL, which is insufficient for many users. In the left pane we see "John Smith" which is useless. 5) Each mailbox is tied with a separate user in AD. If one has several mailboxes, we need to have additional dummy AD accounts, create additional OUs to store them, etc. That's not very nice, is there any standartized, optimal way to build such a structure? We would really appreciate any answers or additional info for any of these questions. Thank you in advance.

    Read the article

  • Convert OpenXml Excel files to HTML

    - by necrostaz
    Hello. I'm developing printing solution for MS Office 2007, office automation is not good for me, because it requires installed office. Open XML Document Viewer is solution for converting Word files (.docx) to HTML format by XSLT transform, but it works only for .docx. Can you suppose related or similar solutions for Excel spreadsheets files? Thanks.

    Read the article

  • MSDOS "Hello World" EXE

    - by divinci
    Hi all, An open question - but I cant find anywhere to start!! I want to compile a "Hello World" MS-DOS exe. Not a program that runs in 16bit mode, or in MSDos mode on top of Windows OSs. A HELOWRLD.EXE that I can run on my MSDOS box. Thanksyou!

    Read the article

  • Chinese thesaurus

    - by Saubhagya
    Hi, I'm working on a multilingual software where I need to show synonyms of Chinese text to the user. I couldn't find any API that could give synonyms of a given Chinese word. I tried MS-Office proofing tools but they do not support thesaurus for chinese, rather they provide grammar, translation etc. Please suggest some API or workaround to show the synonyms for chinese words.

    Read the article

  • SQL Server 2008 Filestream Impersonation Access Denied error

    - by Adi
    I've been trying to upload a file to the database using SQL SERVER 2008 Filestream and Impersonation technique to save the file in the file system, but i keep getting Access Denied error; even though i've set the permissions for the impersonating user to the Filestream folder(C:\SQLFILESTREAM\Dev_DB). when i debugged the code, i found the server return a unc path(\Server_Name\MSSQLSERVER\v1\Dev_LMDB\dbo\FileData\File_Data\13C39AB1-8B91-4F5A-81A1-940B58504C17), which was not accessible through windows explorer. I've my web application hosted on local maching(Windows 7). SQL Server is located on a remote server(Windows Server 2008 R2). Sql authentication was used to call the stored procedure. Following is the code i've used to do the above operations. SqlCommand sqlCmd = new SqlCommand("AddFile"); sqlCmd.CommandType = CommandType.StoredProcedure; sqlCmd.Parameters.Add("@File_Name", SqlDbType.VarChar, 512).Value = filename; sqlCmd.Parameters.Add("@File_Type", SqlDbType.VarChar, 5).Value = Path.GetExtension(filename); sqlCmd.Parameters.Add("@Username", SqlDbType.VarChar, 20).Value = username; sqlCmd.Parameters.Add("@Output_File_Path", SqlDbType.VarChar, -1).Direction = ParameterDirection.Output; DAManager PDAM = new DAManager(DAManager.getConnectionString()); using (SqlConnection connection = (SqlConnection)PDAM.CreateConnection()) { connection.Open(); SqlTransaction transaction = connection.BeginTransaction(); WindowsImpersonationContext wImpersonationCtx; NetworkSecurity ns = null; try { PDAM.ExecuteNonQuery(sqlCmd, transaction); string filepath = sqlCmd.Parameters["@Output_File_Path"].Value.ToString(); sqlCmd = new SqlCommand("SELECT GET_FILESTREAM_TRANSACTION_CONTEXT()"); sqlCmd.CommandType = CommandType.Text; byte[] Context = (byte[])PDAM.ExecuteScalar(sqlCmd, transaction); byte[] buffer = new byte[4096]; int bytedRead; ns = new NetworkSecurity(); wImpersonationCtx = ns.ImpersonateUser(IMP_Domain, IMP_Username, IMP_Password, LogonType.LOGON32_LOGON_INTERACTIVE, LogonProvider.LOGON32_PROVIDER_DEFAULT); SqlFileStream sfs = new SqlFileStream(filepath, Context, System.IO.FileAccess.Write); while ((bytedRead = inFS.Read(buffer, 0, buffer.Length)) != 0) { sfs.Write(buffer, 0, bytedRead); } sfs.Close(); transaction.Commit(); } catch (Exception ex) { transaction.Rollback(); } finally { sqlCmd.Dispose(); connection.Close(); connection.Dispose(); ns.undoImpersonation(); wImpersonationCtx = null; ns = null; } } Can someone help me with this issue. Reference Exception: Type : System.ComponentModel.Win32Exception, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Message : Access is denied Source : System.Data Help link : NativeErrorCode : 5 ErrorCode : -2147467259 Data : System.Collections.ListDictionaryInternal TargetSite : Void OpenSqlFileStream(System.String, Byte[], System.IO.FileAccess, System.IO.FileOptions, Int64) Stack Trace : at System.Data.SqlTypes.SqlFileStream.OpenSqlFileStream(String path, Byte[] transactionContext, FileAccess access, FileOptions options, Int64 allocationSize) at System.Data.SqlTypes.SqlFileStream..ctor(String path, Byte[] transactionContext, FileAccess access, FileOptions options, Int64 allocationSize) at System.Data.SqlTypes.SqlFileStream..ctor(String path, Byte[] transactionContext, FileAccess access) Thanks

    Read the article

  • MPXJ - get ResourceAssignment baseline values

    - by patmortech
    I'm trying to display the Baseline Start, Finish, Cost, and Work values for a ResourceAssignment, but cannot seem to find any methods on the ResourceAssignment object that would provide this information. Anybody know if this is possible? I know the information is stored because I can see it in MS Project, and I can see it in the XML version of the project file. Just can't see in the API where to get access to it.

    Read the article

  • Help with storing/accessing user access roles C# Winforms

    - by user222453
    Hello, firstly I would like to thank you in advance for any assistance provided. I am new to software development and have designed several Client/Server applications over the last 12 months or so, I am currently working on a project that involves a user logging in to gain access to the application and I am looking at the most efficient and "simple" method of storing the users permissions once logged in to the application which can be used throughout restricting access to certain tabs on the main form. I have created a static class called "User" detailed below: static class User { public static int _userID; public static string _moduleName; public static string _userName; public static object[] UserData(object[] _dataRow) { _userID = (int)_dataRow[0]; _userName = (string)_dataRow[1]; _moduleName = (string)_dataRow[2]; return _moduleName; } } When the user logs in and they have been authenticated, I wish to store the _moduleName objects in memory so I can control which tabs on the main form tab control they can access, for example; if the user has been assigned the following roles in the database: "Sales Ledger", "Purchase Ledger" they can only see the relevant tabs on the form, by way of using a Switch - Case block once the login form is hidden and the main form is instantiated. I can store the userID and userName variables in the main form once it loads by means of say for example: Here we process the login data from the user: DataAccess _dal = new DataAccess(); switch (_dal.ValidateLogin(txtUserName.Text, txtPassword.Text)) { case DataAccess.ValidationCode.ConnectionFailed: MessageBox.Show("Database Server Connection Failed!"); break; case DataAccess.ValidationCode .LoginFailed: MessageBox.Show("Login Failed!"); _dal.RecordLogin(out errMsg, txtUserName.Text, workstationID, false); break; case DataAccess.ValidationCode .LoginSucceeded: frmMain frmMain = new frmMain(); _dal.GetUserPrivList(out errMsg,2); //< here I access my DB and get the user permissions based on the current login. frmMain.Show(); this.Hide(); break; default: break; } private void frmMain_Load(object sender, EventArgs e) { int UserID = User._userID; } That works fine, however the _modules object contains mutiple permissions/roles depending on what has been set in the database, how can I store the multiple values and access them via a Switch-Case block? Thank you again in advance.

    Read the article

  • Getting error on opening excel file from eclipse

    - by Ravisha
    I am getting following error on Cannot create the in-place editor This is probably because there is no OLE editor registered against the type of file you were trying to open. Failed to create Ole Client. result = -2147417851 I have MS office 2007,and the excel file is stored as "save as 2003 version".

    Read the article

  • how to find copyright code???

    - by micheal
    hi all, we were maintaining an MS Access application. Person who actually developed the application used copyrighted code. Now we want to remove that code and re-write that logic. Problem is we dont know what is the copyrighted code and what is not. Is there any way or tool that can be used to scan through the existing code and flag the code that was directly got from internet and used? Thanks in advance.

    Read the article

  • Variable popen calls in C

    - by Bushman
    I'm trying to execute MS-DOS DEL commands inside a Win32 C program, and I already know that system and popen can be used for this. However, the problem is that both require string literals (type const char) for the commands, and I need something like the DOS equivalent of dir ~ | grep -P '/\d{7,8}\.exe$/' | rm, which obviously can't use string literals. Is there some other subprocess function in C that allows for char arrays as arguments for process names?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 130 131 132 133 134 135 136 137 138 139 140 141  | Next Page >