security

SSIS and Passwords

Hello, I have a number of SSIS packages that are launched by Windows Services. These packages point to any number of different databases, and the connection information is known only by the service at run-time. I know that I can't save connection strings inside the package, but it seems that I can't even pass in a complete "connection...

Securing Office web content from redistribution without RMS

I’m looking for a mechanism that can be used to distribute Microsoft Office content over the web without using Rights Management Services whilst minimising the ability for it to be printed or redistributed. I know any solution is always going to be a compromise and never entirely secure but I’d be interested in any mechanisms which incr...

SVN Hook “Could not MERGE resource” and Access Denied Error

I’ve got an SVN hook written as a .NET console app and running on VisualSVN server which is causing some problems. Every time I try to commit (either remotely with Tortoise or locally via command line) I get the response “Access Denied”. Looking at the event viewer for VisualSVN there is an error beginning with “Could not MERGE resource…...

Restarting windows service from website

I've a website that puts info into a mySQL database and a windows service (written in VB.Net) that polls the db and actions what's in there. However, occasionally it stalls and rather than having to RDP into the server, I want superusers to click on a button to restart the service. I can get the button to say, do a directory listing of c...

Why shouldn't we encrypt with the private key in an asymmetrical cryptographic system?

In standard use of an asymmetrical cryptographic system, encryption is done with the public key, decryption with the private key. Inverting the process, "encryption with the private key" is called "signing". Standard tools, despite the terminology and lack of direct tools, allow one to implement an encryption system that would use the private key for encryptio...

php frameworks and security

As a web developer I am using PHP and I know that I have to worry about security, but when you use a framework there is a lot of code and design that you rely on but that you didn't code or design; for instance I am using CakePHP. So in this case, with frameworks, how much should I worry about security? ...

Patch for Wordpress Remote Admin Reset Password Vulnerability

The vulnerability is documented here. The patch is supposedly a 1-line replace as documented here in line 190 of branches/2.8/wp-login.php - the new patch should look like this (check line 118) - my question is - is this patch enough? If not, any suggestions? ...

How to get another user WindowsIdentity without knowing his password?

Hello, I'm trying to intercept WindowsAuthenticationModule to log in to the application as another user, but I cannot create a new WindowsIdentity without knowing his password. The code will run under administrator privileges, so is there any way to get the user's 'Login token' without his password? ...

Storing PayPal credentials in a web application(asp.net) on a shared host

Hi, I have created a web application that is hosted on GoDaddy on a shared server. I plan on using PayPal for my transactions, which creates a problem. At this point the credentials (PayPal email and password) are hardcoded, which is as far as I understand the worst solution. The only other option I am aware of is in the web.config file...

Least privileges required to install a Windows Service remotely

What is the least set of privileges that an account needs to be assigned in order to install a service using sc.exe? By account privileges I mean Local Security Settings in Windows Server 2003. This service needs to be installed as part of a deployment script and is done remotely to said server by issuing something like the ...

RSA code in both Javascript and Java

I want to find RSA code in both Javascript and Java that returns the same result for encryption and decryption. My purpose is: I can encrypt a message in the user's browser using Javascript (with the public key). Afterwards I can decrypt that message on my server (with the private key). I found code on the internet but the Javascript and Java retu...

Using the current HTTP request identity as the default credentials for SharpSVN

I’m trying to call RemoteCreateDirectories in SharpSVN through a web app and want the credentials to be that of the logged on user. Can this be done implicitly or is the username and password required as per the example below? using (var svnClient = new SvnClient()) { svnClient.Authentication.DefaultCredentials = new NetworkCredentia...

Application / DLL - Security

Hi, I would like to know what are the best approaches for protecting application and DLL files in situations like this: Example: Deploy the application (software) on the client. This software has DLLs - direct injection used in Data Factories (MS SQL, MySQL, other). Wanted Security: Requirement #1 - Main DLL (Core) requires some...

forms authentication works under VS development but not on iis

My asp.net app is using Forms Authentication. Running the project from Visual Studio .NET 2008 has absolutely no problem, but it doesn't work on IIS: after clicking the Login button, the authentication code runs with no error, but the Login page keeps getting reloaded and reloaded. Any ideas? Thanks in advance, james ...

Is it never possible to get the FullName from a file using Silverlight OpenFileDialog?

Hi there, I want to get the full name of a file from the Silverlight OpenFileDialog, but when I try that, Silverlight throws me an error. I saw there is an attribute on FullName saying it is [SECURITY CRITICAL], but I need to display the full path; is there really no way I can do that? Please help. Thanks ...

How to create roles and superuser in an ASP.NET MVC application in a secure way

This could be considered a duplicate question, as a similar one has already been asked, but I don't like any of the answers, and security was not addressed. When deploying an ASP.NET MVC app, what's the right way to create roles and a superuser without risks? Two ways come to my mind: using Application_Start or a custom action (better ...

I know I'm doing validation wrong. Please persuade me to stop :)

First let me explain how I currently handle validation, say, for an IPv4 address: public struct IPv4Address { private string value; private IPv4Address(string value) { this.value = value; } private static IPv4Address CheckSyntax(string value) { // If everything's fine... return new IPv4Address(v...

Does it make security sense to hash password on client end

If you were to hash a user's password prior to sending it across the line and leaving it in plain text in memory, would this improve the security of the application? I would assume this mitigates a small fraction of vulnerabilities by protecting the data stored in the client's memory. But really, if we're worried about someone reading th...

Security issue with Azure

I need my application to run in FullTrust mode so I added this line to my web.config file: I also modified the .csdef file to enableNativeCodeExecution. But when I want to run my application (which runs with no problems as a standard Asp.Net web app) I get the following message: "Role instances did not start within the time allowed. P...

Can TDD be a valid alternative to overkill data validation?

Consider these two data validation scenarios: Check everything everywhere Make sure that every method that takes one or more arguments actually checks them to ensure that they're syntactically valid. Pros Very fine check granularity. If the code that is being written is for some kind of library we make sure to limit the damage that ...