security

How to authenticate sub-domains with same credentials

Hi, I have an ASP.NET 2.0 domain, i.e. xyz.com, and 2 subdomains, 1.xyz.com and 2.xyz.com - all three use the same database security via SQL but are written as separate applications in C# and VB. How can I easily manage the login credentials across sites, since the authentication will need to occur separately in each web app? I would like to make i...

How can I restrict a user to VPN into a production domain, yet not use Windows Terminal Services to any server in that domain?

How can I restrict a user (in the development domain) to allow them to VPN into a domain, yet not use Windows Terminal Services to any server in that domain? I need for them to be able to run a client-side Java application (Quest Spotlight, actually) that will connect using Windows Auth to a single production server and display data comi...

"ghost" form submissions

I have a 3-part registration form using PHP: page 1: collects info - has client- & server-side validation (for blank and invalid fields); page 2: collects more info - has server-side validation (for blank and invalid fields); page 3: saves (db) and sends (email) the registration information. More info: page 1: saves all form informati...

Brute-force/DoS prevention in PHP

I am trying to write a script to prevent brute-force login attempts on a website I'm building. The logic goes something like this: User sends login information. Check if username and password are correct. If yes, let them in. If no, record a failed attempt in the database. Check if there are too many fails within a given timeframe (e.g. 5 ...

How to prevent multiple login in PHP website

I want to prevent multiple logins in a PHP application. Firstly, I create a login status (active, notactive) in the user table. When user A logs in, the user status will be set to 'active', and if the user logs out the status will be set to 'notactive'. When another client tries to log in using the same user account, I check the user table. If the user still ...

Django upload_to outside of MEDIA_ROOT

My deployment script overwrites the media and source directories, which means I have to move the uploads directory out of the media directory and replace it after the upload has been extracted. How can I instruct Django to upload to /uploads/ instead of /media/? So far I keep getting Django SuspiciousOperation errors! :( I suppose an...

Why is running a service as Local System bad on Windows?

I am trying to find out the difference between the different service account types. I stumbled upon this question. The answer was that it has powerful access to local resources, and that Network Service should be used if possible. But I am still not able to understand: if it has powerful access to local resources, how can an attacker acce...

Make MD5 strong

I'm making a website that will integrate with a game that only supports the MD5 hashing method (at the moment), which of course is not especially safe anymore. But how could I make it stronger? Should I just generate long strings of random letters and numbers and hash them? But then the users have to save the password on paper or in a txt file on the computer. What do y...

Regexp for chroot-like path building in a Linux environment

Consider the following security problem: I have a static base path (/home/username/) to which I append a user-controlled sub-path (say foo/bar.txt). The content of this file is then read and presented to the user. In the case described the full path would be: /home/username/foo/bar.txt Now to the problem. I want to control so that the...

XSS on jsbin.com

Does anyone know if jsbin.com implements any protection against XSS or other JavaScript attacks? I see jsbin links used fairly regularly on sites like this one and I can't find any indication from the site one way or another. If it does implement countermeasures, what kinds of things does it block? If not, I should probably be more carefu...

MALICIOUS_CODE EI_EXPOSE_REP Medium

Hi all, I run FindBugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User implements Serializable { protected Date birthDate; public Date getBirthDate() {return(birthDate);} public void se...

Signed executables under Linux

For security reasons, it is desirable to check the integrity of code before execution, avoiding software tampered with by an attacker. So, my question is: how to sign executable code and run only trusted software under Linux? I have read the work of van Doorn et al., Design and implementation of signed executables for Linux, and IBM's TL...

Is this specific path concatenation in Perl code exploitable?

Assume that an attacker controls the variable $untrusted_user_supplied_path. Is the following Perl code exploitable?

my $untrusted_user_supplied_path = ...
if ($untrusted_user_supplied_path =~ /\.\./) { die("Tries to escape homedir."); }
my $base_path = "/home/username/";
my $full_path = "${base_path}${untrusted_user_supplied_path}";...

RSA cryptosystem

Hi, I am trying to set up an RSA cryptosystem. I have all the values except d. Selected prime numbers: p=1889, q=2003, n=3783667, phi=3779776, e=61. I got stuck finding d; could anyone help me to figure it out? Setting up an RSA cryptosystem • Two large distinct prime numbers p and q are selected, and n = pq and Φ(n) = (p − 1)(q − 1) are cal...

PHP File Upload Workaround for Recent Flash Vulnerability

There was a recent Flash vulnerability found that allows for potential malicious attacks when someone uploads a Flash file or a file embedded with Flash (for example, an overloaded gif). According to the article, even a simple image can be hijacked. In PHP, the typical ways of checking a file type are by extension and by mime-ty...

What's the purpose of tainting Ruby objects?

I'm aware of the possibility to mark untrusted objects as tainted, but what's the underlying purpose and why should I do it? ...

XPCOM Security issues

I'm developing a Firefox plugin using XPCOM. I've not yet read all the docs, but as far as I can see, a plugin is simply a DLL that provides services via an XPCOM interface and interacts with the browser via XPCOM interfaces. Since the plugin itself is a native DLL, how would the security model work? Would it rely on the fact that the use...

Storing login/password in twitter client

I know that storing such sensitive data is a bad idea. But if the application asks for the password every time it starts, it'll be annoying... I know about OAuth, but this is just the same thing - the user will be interrupted with a browser (or am I wrong? This moment is not clear to me). I know about symmetric cryptography. But how to store t...

Kohana: Understanding and reproducing Salt & Hashed passwords using the Auth Module

I'm using the Auth Module in Kohana v2.3.4. In terms of authenticating users, there's a two-step process. The entry point is the function login. Its first task is to retrieve the password stored in the database and determine the salt value. The salt is supposedly determined by an array of values, each corres...

Sending secure data over the network in iPhone

Hi, I have a query regarding sending secure data over the network on iPhone. What should be used to secure credit card, bank account number, etc. information which is sent over a wireless network? Is there any difference in methods if we use a native app or a web app? Are there any direct APIs available for this? Any tutorial will be really he...