Search Results

Search found 16163 results on 647 pages for 'advanced security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 180/647 | < Previous Page | 176 177 178 179 180 181 182 183 184 185 186 187  | Next Page >

  • Is it safe to read regular expressions from a file?

    - by Zilk
    Assuming a Perl script that allows users to specify several text filter expressions in a config file, is there a safe way to let them enter regular expressions as well, without the possibility of unintended side effects or code execution? Without actually parsing the regexes and checking them for problematic constructs, that is. There won't be any substitution, only matching. As an aside, is there a way to test if the specified regex is valid before actually using it? I'd like to issue warnings if something like /foo (bar/ was entered. Thanks, Z. EDIT: Thanks for the very interesting answers. I've since found out that the following dangerous constructs will only be evaluated in regexes if the use re 'eval' pragma is used: (?{code}) (??{code}) ${code} @{code} The default is no re 'eval'; so unless I'm missing something, it should be safe to read regular expressions from a file, with the only check being the eval/catch posted by Axeman. At least I haven't been able to hide anything evil in them in my tests. Thanks again. Z.

    Read the article

  • CSRF protecting and cross site form access

    - by fl00r
    Hi. I aw working on cross site authentication (some domains have got common authentication). So I want to send authentication data (login, password) to main domain from others. How should I use protect_from_forgery and how can I check if data received from valid domain? What I am thinking now is to turn off protect_from_forgery for session controller and check domain name of received data. But maybe I can configure CSRF protection for not only one domain?

    Read the article

  • How can I create and use a web service in public but still restrict its use to only my app?

    - by Glenn
    I'm creating a web service with create/update/delete calls. But for now I'd like to restrict use of it on my own web app and no other clients. How can I have clear text javascript code that makes these calls but still be confident the credentials won't be used elsewhere? My idea is to use server side generated nonces for each request. But I am open to different ideas you guys may have. Thanks.

    Read the article

  • Should I convert overlong UTF-8 strings to their shortest normal form?

    - by Grant McLean
    I've just been reworking my Encoding::FixLatin Perl module to handle overlong UTF-8 byte sequences and convert them to the shortest normal form. My question is quite simply "is this a bad idea"? A number of sources (including this RFC) suggest that any over-long UTF-8 should be treated as an error and rejected. They caution against "naive implementations" and leave me with the impression that these things are inherently unsafe. Since the whole purpose of my module is to clean up messy data files with mixed encodings and convert them to nice clean utf8, this seems like just one more thing I can clean up so the application layer doesn't have to deal with it. My code does not concern itself with any semantic meaning the resulting characters might have, it simply converts them into a normalised form. Am I missing something. Is there a hidden danger I haven't considered?

    Read the article

  • is it safe to call "plink.exe" in an application

    - by EBAGHAKI
    i want to use "plink.exe -u username -pw securepassword" on my windows visual c++ program. will username and password remain safe while calling this command? I mean can a hacker steal or sniff the username and password? (consider hacker can't get to the password directly from the exe file)

    Read the article

  • SSL Authentication with Certificates: Should the Certificates have a hostname?

    - by sixtyfootersdude
    Summary JBoss allows clients and servers to authenticate using certificates and ssl. One thing that seems strange is that you are not required to give your hostname on the certificate. I think that this means if Server B is in your truststore, Sever B can pretend to be any server that they want. (And likewise: if Client B is in your truststore...) Am I missing something here? Authentication Steps (Summary of Wikipeida Page) Client Server ================================================================================================= 1) Client sends Client Hello ENCRIPTION: None - highest TLS protocol supported - random number - list of cipher suites - compression methods 2) Sever Hello ENCRIPTION: None - highest TLS protocol supported - random number - choosen cipher suite - choosen compression method 3) Certificate Message ENCRIPTION: None - 4) ServerHelloDone ENCRIPTION: None 5) Certificate Message ENCRIPTION: None 6) ClientKeyExchange Message ENCRIPTION: server's public key => only server can read => if sever can read this he must own the certificate - may contain a PreMasterSecerate, public key or nothing (depends on cipher) 7) CertificateVerify Message ENCRIPTION: clients private key - purpose is to prove to the server that client owns the cert 8) BOTH CLIENT AND SERVER: - use random numbers and PreMasterSecret to compute a common secerate 9) Finished message - contains a has and MAC over previous handshakes (to ensure that those unincripted messages did not get broken) 10) Finished message - samething Sever Knows The client has the public key for the sent certificate (step 7) The client's certificate is valid because either: it has been signed by a CA (verisign) it has been self-signed BUT it is in the server's truststore It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message Client Knows The server has the public key for the sent certificate (step 6 with step 8) The server's certificate is valid because either: it has been signed by a CA (verisign) it has been self-signed BUT it is in the client's truststore It is not a replay attack because presumably the random number (step 1 or 2) is sent with each message Potential Problem Suppose the client's truststore has certs in it: Server A Server B (malicous) Server A has hostname www.A.com Server B has hostname www.B.com Suppose: The client tries to connect to Server A but Server B launches a man in the middle attack. Since server B: has a public key for the certificate that will be sent to the client has a "valid certificate" (a cert in the truststore) And since: certificates do not have a hostname feild in them It seems like Server B can pretend to be Server A easily. Is there something that I am missing?

    Read the article

  • Too much data for RSA block fail. What is PKCS#7?

    - by Tom Brito
    Talking about javax.crypto.Cipher; I was trying to encrypt data using Cipher.getInstance("RSA/None/NoPadding", "BC"); but I got the exception: ArrayIndexOutOfBoundsException: too much data for RSA block Looks like is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here. I found at google something about "RSA/CBC/PKCS#7", what is this "PKCS#7"? And why its not listed on sun's standard algorithm names?

    Read the article

  • What's the best, Escape then store Or store then escape the output?

    - by Axel
    Hi, After doing a long search on stackoverflow i didn't find any one talked about this even if it's a big choice, the Question is what's the best in order to prevent both of XSS and SQL injection, Escaping the data then store it in the DB or Store it as it is and escape when output it? Note: it is better if you give some examples of practics if possible. Thanks

    Read the article

  • Should I Use Anchor, Button Or Form Submit For "Follow" Feature In Rails

    - by James
    I am developing an application in Rails 3 using a nosql database. I am trying to add a "Follow" feature similar to twitter or github. In terms of markup, I have determined that there are three ways to do this. 1) Use a regular anchor. (Github Uses This Method) <a href="/users/follow?target=Joe">Follow</a> 2) Use a button. (Twitter Uses This Method) <button href="/friendships/create/">Follow</button> 3) Use a form with a submit button. (Has some advantages for me, but I haven't see anyone do it yet.) <form method="post" id="connection_new" class="connection_new" action="/users/follow"> <input type="hidden" value="60d7b563355243796dd8496e17d36329" name="target" id="target"> <input type="submit" value="Follow" name="commit" id="connection_submit"> </form> Since I want to store the user_id in the database and not the username, options 1 and 2 will force me to do a database query to get the actual user_id, whereas option 3 will allow me to store the user_id in a hidden form field so that I don't have to do any database lookups. I can just get the id from the params hash on form submission. I have successfully got each of these methods working, but I would like to know what is the best way to do this. Which way is more semantic, secure, better for spiders, etc...? Is there a reason both twitter and github don't use forms to do this? Any guidance would be appreciated. I am leaning towards using the form method since then I don't have to query the db to get the id of the user, but I am worried that there must be a reason the big guys are just using anchors or buttons for this. I am a newb so go easy on me if I am totally missing something. Thanks!

    Read the article

  • SimpleMembership updating the "isconfirmed" flag

    - by Vijay V
    My Users table (the one that I created) has the following columns: UserId,UserName,FirstName,LastName,DOB After I ran this command WebSecurity.InitializeDatabaseConnection("DefaultConnection", "Users", "UserId", "UserName", autoCreateTables: true); it created the required simple membership tables for me. How would I go about "UnConfirming" an user or setting the "IsConfirmed" flag to false in the webpages_Membership using the new SimpleMembership API? (Earlier, before going to simplemembership using the "Membership" class I could update an user using the api call : Membership.UpdateUser( user );)

    Read the article

  • Attack from anonymous proxy

    - by mmgn
    We got attacked by some very-bored teenagers registering in our forums and posting very explicit material using anonymous proxy websites, like http://proxify.com/ Is there a way to check the registration IP against a black list database? Has anyone experienced this and had success?

    Read the article

  • c# Sending emails with authentication. standard approach not working

    - by Ready Cent
    I am trying to send an email using the following very standard code. However, I get the error that follow... MailMessage message = new MailMessage(); message.Sender = new MailAddress("[email protected]"); message.To.Add("[email protected]"); message.Subject = "test subject"; message.Body = "test body"; SmtpClient client = new SmtpClient(); client.Host = "mail.myhost.com"; //client.Port = 587; NetworkCredential cred = new NetworkCredential(); cred.UserName = "[email protected]"; cred.Password = "correct password"; cred.Domain = "mail.myhost.com"; client.Credentials = cred; client.UseDefaultCredentials = false; client.Send(message); Mailbox unavailable. The server response was: No such user here. This recipient email address definitely works. To make this account work I had to do some special steps in outlook. Specifically, I had to do change account settings - more settings - outgoing server - my outgoing server requires authentication & use same settings. I am wondering if there is some other strategy. I think the key here is that my host is Server Intellect and I know that some people on here use them so hopefully someone else has been able to get through this. I did talk to support but they said with coding issues I am on my own :o

    Read the article

  • mysqli_stmt_bind_param SQL Injection

    - by profitphp
    Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param? For example: $malicious_input = 'bob"; drop table users'; mysqli_stmt_bind_param($stmt, 's', $malicious_input); Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql: SET @username = "bob"; drop table users"; Or does it perform the SET command through the API, or use some type of protection to keep this from happening?

    Read the article

  • Self-signed ceritificates for many users/browsers/sites

    - by Demiurg
    Here is my problem - I have a lot of users using different browsers accessing many internal web sites using https. I can create my own Certificate Authority, than create a certificate for each server and after that have all the users import it. Obviously, it cannot work in reality - there are too many users and too many sites, and some sites will be added in the future. I'm looking for a way to automate this. Is there a way to create a certificate so that all major browsers (IE, FF, Opera, Chrome and Safari) would trust it for all servers ? If so, what is the best way to install it automatically in all major browsers ?

    Read the article

  • Prevent strings stored in memory from being read by other programs

    - by Roy
    Some programs like ProcessExplorer are able to read strings in memory (for example, my error message written in the code could be displayed easily, even though it is compiled already). Imagine if I have a password string "123456" allocated sequentially in memory. What if hackers are able to get hold of the password typed by the user? Is there anyway to prevent strings from being seen so clearly? Oh yes, also, if I hash the password and sent it from client to server to compare the stored database hash value, won't the hacker be able to store the same hash and replay it to gain access to the user account? Is there anyway to prevent replaying? Thank You!

    Read the article

  • How necessary is using PHP filters?

    - by Jamie
    I'm a relatively newbie to PHP and just making my way through the W3Schools tut. The tut makes a big point of saying you must always filter external data (i.e. cookies, form data etc). I'm writing a fairly simple system that talks with a third party Joomla extension. It's at a prototype stage where I'm just wanting to demonstrate the functionality in a minimum viable product. Basically, I'd like to know... what's the worst that could happen in I don't filter content. Are we talking 'I might get a bunch of spam', or 'a good hacker could get root server access'? Have hunted around online, but would love any of your experience / insight on the matter!

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 176 177 178 179 180 181 182 183 184 185 186 187  | Next Page >