We are using Uploadify to upload images with our website. Currently when I click on Add photo, browse to my photo and select it, the Uploadify status bar turns red and throws a message that says:
whatever.jpg (size 65.36KB) - Security Error
I have looked at the Apache logs and do not see any errors being thrown. We have reviewed all ...
I want to write a function that allows users to match data based on a regexp, but I am concerned about sanitation of the user strings. I know with SQL queries you can use bind variables to avoid SQL injection attacks, but I am not sure if there's such a mechanism for regexps. I see that there's Regexp.escape, but I want to allow valid re...
Running permcalc on my assembly and its dependencies gives me the following for many methods:
<Method Sig="instance class MembershipUser GetUser(string , bool )">
<Demand>
<PermissionSet version="1" class="System.Security.PermissionSet" Unrestricted="true" />
</Demand>
</Method>
Most of the methods are, like the example ab...
I'm currently building an app that renders RSS and ATOM Feeds on the client side. I can't directly send an ajax request to "http://stackoverflow.com/feeds/tag/php", but I can send a request to my server that just echos the XML File like:
<?php
echo file_get_contents('http://stackoverflow.com/feeds/tag/php');
?>
What are the security i...
I have an application domain to host untrusted code/assembly. I solved all security problems with security attributes and it works well. The untrusted code runs on a dedicated thread. The CLR is 2.0. This is what I have: AppDomainShell, AppDomainSeed. Shell is running in the main domain, Seed is a trusted proxy/helper in the untrusted domain.
I'm inter...
If I have just encrypted some plain-text into cipher-text with CBC and Rijndael, is it insecure to tell the world that the original plain-text had a length of x bytes? It seems that it's always the same as the length of the cipher-text, so, I think it does not matter, but are there some block modes or ciphers where it does matter?
...
I thought that one process cannot read the memory of another process. But I'm shocked to see an application named "WinHex" which has a "Ram Editor" and is able to access the entire memory of all the processes.
How is that possible? And it is even able to modify the memory of other processes. Doesn't this become malicious?
...
Is it possible to restrict access to a server so that only iPhone devices can use it? I have no experience in setting up servers or the like before. I am still very fresh to programming. Thanks.
...
I have many Ajax.ActionLinks on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case so it's not a destructive GET.
My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete use...
Hi, in my ASP.NET website I would like to implement forgot password. I am using the following steps:
Form having input boxes for login ID, email ID and CAPTCHA.
When the user enters details and submits, at the backend after validation a new password is generated and replaces the old password in the database.
The new password is sent to the user by email.
Please hel...
I need to authenticate securely to a third party site for an SSL REST API call. I have the API call part working but I want to save the third party credentials in my App Engine datastore, or maybe somewhere else? I have no idea how I'm supposed to do this.
The SSL call looks like:
credentials = base64.encodestring('%s:%s' % (username, pa...
I don't want my WPF application to run in FullTrust but it's impossible to run WPF in a partial trust AppDomain (I tried even with WPF hosting/interop) and WPF Browser Application does not fit my needs, so my question is:
is there a way to change the SecurityZone of the current AppDomain at runtime after WPF has created the Window and ...
I'm currently developing an API, and one thing that I decided was to have one gateway.cfm page that the client sends the request to with a sig for verification etc., and the gateway processes the request and sends the result back by invoking the components needed.
For example gateway.cfm?component=getBooks&sig=232345343 will call th...
I want to detect multi accounts in a browser game: If a user has more than one account, I want to know this.
For various reasons, I don't want to detect the multi accounts by comparing IPs anymore. Users can share IPs and IPs are easy to change. So this is not a good method.
Instead, I want to detect the accounts using cookies. Do you ...
Hi
I'm trying to achieve two things with DCOM (out of process):
Set the process wide authentication using CoInitializeSecurity and its parameter pAuthList.
Using cloaking to change the caller's identity in special situations (COM calls)
My thoughts:
AFAIK the auth info structure contains the default authentication information (like us...
I am building a website where I need users to be able to evaluate some expression based on the values in DB tables. Instead of using tools like pyparsing etc., I am thinking of using Python itself, and have come up with a solution which is sufficient for my purpose. I am basically using eval to evaluate the expression and ...
My app must read an SSL url from a third party. How do I best store the third party credentials in my own database, which protects the third party credentials from being compromised? Consider both absolute security and practicality. One-way hashing the credentials is not useful as I must restore credentials to plaintext for the SSL call....
When __builtins__ is set and I try to access function globals, I get this error
>>> def f(): pass
...
>>> f.func_globals
{'f': <function f at 0x00B83270>, '__builtins__': <module '__builtin__' (built-in)>}
>>> __builtins__ = {}
>>> f.func_globals
Traceback (most recent call last):
File "<string>", line 1, in <string>
RuntimeError: re...
I'm thinking about good ways to store third party credentials, which basically means there needs to be a secret somewhere, either in code or data. I'm deploying on Google App Engine.
If the 'secret' was something like
pw_passphrase = sha2(username + 'global-password')
pw_plaintext = aes_decrypt(pw_passphrase, pw_ciphertext)
can I dep...
Hello,
I want to learn more about sandboxing. Not just about it. I want to learn such that I will be able to write a simple sandbox.
Surprisingly, there isn't any information available anywhere. Even the Wikipedia article is not good.
Can anyone please suggest good material? I know that it's a very advanced-level concept. So, what ar...