security

Does X lang have security?

I hear this question frequently when discussing with Java developers. They (Java devs) always ask if your language of choice has security, and I don't know how to respond to that. Could anyone please tell me what Java security means? Thanks. ...

Is it possible to view PHP content that is not echoed?

Imagine the following PHP file: <?php $topSecret = "Something important"; ?> If I put this on a server running the standard LAMP setup, how could someone find out $topSecret? If the variable is not echoed, is it vulnerable? A real application of this might be database credentials stored in the web root of a server. ...

Is there a piece of secret data in a Linux user account?

I want my application (PHP, but that shouldn't matter) to store some data in a shared repository (the APC user cache, but again irrelevant). To prevent users from reading each other's data I'd like to encrypt it per user. I could have the user specify the key in his configuration file for the application, but I'd rather generate it autom...

How to override default permissions for files stored by Apache/PHP in /tmp?

I am on Linux, obviously. PHP scripts seem to be running under the 'www-data' user. I can also see that uploaded files end up in the default /tmp directory, each with a name prefixed by "php". All standard, I guess. The permissions of all these files are -rw------- i.e. 600, user 'www-data', group 'www-data'. The problem is that I have a Pos...

MediaTemple doesn't hash passwords. They store them as text. Does it matter though?

I called MediaTemple for support months back and the gentleman on the phone asked me for my password over the phone. I thought he was going to just log in to my account using the web interface, but he was actually comparing it against the version that was right there in front of him. It pissed me off at first (because I used the same pas...

What is the difference between a cer, pvk, and pfx file?

What is the difference between a cer, pvk, and pfx file? EDIT: Also, which files do I keep and which am I expected to give to my counter-parties? ...

Sandboxed scripting

I'm interested in how I could use a scripting language to execute simple blocks of code in a sandboxed manner. The host language/environment could be C#/Ruby/Python/Java (anything but C). But the scripting language could equally be something obscure such as JavaScript/Python/Ruby/Perl etc. What I want is a way of executing script with tr...

Axapta security key best practice error

I am getting the following Best Practice error in Dynamics AX 2009 for any menu item assigned to my primary security key (we'll call it MySecurityKey1): "Wrong security key. Security key must match position in main menu." I have the following items in my project: Menus     MainMenu (Dynamics default item - security key is blank)     ...

SQL Server Bulk Insert Issue on Windows 7

Hi, I've got an application that uses SQL Server Express 2005 SP3. This application is distributed to several hundred users, each of whom is running XP. However, our company will be moving to Windows 7 soon. My application uses the bulk insert operation in SQL Server, and it runs fine in XP. However, in Windows 7 I need to open SQL Ser...

Security and JavaScript files containing a site's logic

Now that JavaScript libraries like jQuery are more popular than ever, .js files are starting to contain more and more of a site's logic: how and where it pulls data/information from, how that info is processed, etc. This isn't necessarily a bad thing, but I'm wondering to what extent this might be a security concern. Of course the real ...

Securing a Flash EXE

My client has a Flash projector EXE and he wants to set up an online serial number control system so he can sell it online. The key problem in this project, as far as I see, is that the exe is required to run on only one computer. My current plan is below: Request the serial number from the user before the installation and check whether it...

What are the biggest differences between fopen and curl?

I am making a web application in PHP and want to read content from another domain. For that I have two options, fopen and curl, but what are the differences (security, options, etc.)? What is the best way to use, and why? Does it matter if the URL from the other domain is an http or https site? ...

C#/ASP.NET Custom Permissions to Perform Specific Action

I'm building a web application in which I want users to have specific permissions to perform a specific action. I don't want to use the default permission and role providers in ASP.NET. I was thinking of having each User associated with a Role. Each Role is mapped to a set of Permissions (CreatePost, ReadPost, UpdatePost, DeletePost and so...

Is It Possible To Reconstruct a Cryptographic Hash's Key

We would like to cryptographically (SHA-256) hash a secret value in our database. Since we want to use this as a way to lookup individual records in our database, we cannot use a different random salt for each encrypted value. My question is: given unlimited access to our database, and given that the attacker knows at least one secret...
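The added example below (Python, not from the question or from any answer on the page) puts the two deterministic lookup schemes side by side under the attacker model the question describes: full read access to the database plus at least one known secret. A plain unsalted SHA-256 tag can be matched against a candidate list offline, because the attacker can compute the same tags; an HMAC-SHA-256 tag keyed with a server-side secret that never enters the database is still deterministic (so a `WHERE lookup_tag = ?` query keeps working without a per-record salt), but a database copy on its own no longer lets the attacker test candidates, and one known (secret, tag) pair only lets them test guesses of the key, which matters only if that key is guessable. The function names, the sample secrets and the key sizes are constructed for the example.

```python
"""Deterministic lookup tags for a secret, with and without a server-side key.

Added example: plain SHA-256 tag vs. HMAC-SHA-256 tag keyed by a secret that
is stored outside the database (config file, KMS, HSM), and the two offline
attacks an attacker with a database copy can try against each.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: low-entropy secrets of the kind an attacker can enumerate.
SAMPLE_SECRETS = ["1234", "letmein", "hunter2", "correct horse"]


def plain_lookup_tag(secret: str) -> str:
    """Unsalted SHA-256: anyone who knows the scheme can recompute it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def keyed_lookup_tag(secret: str, server_key: bytes) -> str:
    """HMAC-SHA-256 keyed with a server-side secret. Deterministic for a given
    key, so it still works as a lookup column, but useless without the key."""
    return hmac.new(server_key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def build_table(secret_list, tag_fn):
    """Simulates the indexed DB column: tag -> record id."""
    return {tag_fn(s): f"record-{i}" for i, s in enumerate(secret_list)}


def lookup(table, secret, tag_fn):
    """The application's own lookup: recompute the tag, hit the index."""
    return table.get(tag_fn(secret))


def dictionary_attack(table, candidates, tag_fn):
    """Attacker with a DB copy tries candidate secrets offline.
    Returns {record_id: recovered_secret} for every tag that matched."""
    cracked = {}
    for cand in candidates:
        tag = tag_fn(cand)
        if tag in table:
            cracked[table[tag]] = cand
    return cracked


def brute_force_key(known_secret, known_tag, key_candidates):
    """Attacker who also knows one (secret, tag) pair tests key guesses offline.
    Succeeds only if the server key is guessable; a random 32-byte key is not."""
    for k in key_candidates:
        if hmac.compare_digest(keyed_lookup_tag(known_secret, k), known_tag):
            return k
    return None


def main():
    server_key = secrets.token_bytes(32)          # kept out of the database
    keyed = lambda s: keyed_lookup_tag(s, server_key)

    plain_table = build_table(SAMPLE_SECRETS, plain_lookup_tag)
    keyed_table = build_table(SAMPLE_SECRETS, keyed)
    print("keyed lookup of 'hunter2':", lookup(keyed_table, "hunter2", keyed))

    # DB copy only: plain tags fall to a candidate list, keyed tags do not.
    candidates = ["password", "1234", "hunter2", "qwerty"]
    print("plain scheme cracked:", dictionary_attack(plain_table, candidates, plain_lookup_tag))
    print("keyed scheme cracked:", dictionary_attack(keyed_table, candidates, plain_lookup_tag))

    # DB copy + one known secret: only a guessable key is recoverable.
    weak_key = b"password"
    print("weak key recovered:", brute_force_key("1234", keyed_lookup_tag("1234", weak_key),
                                                   [b"admin", b"password"]))
    print("random key recovered:", brute_force_key("1234", keyed("1234"),
                                                     [b"admin", b"password"]))


if __name__ == "__main__":
    main()
```

The keyed tag only helps while the key stays out of the database and out of any dump the attacker can obtain; if the key is compromised the scheme degrades to the unsalted case, so the key should be generated with a CSPRNG and stored in a separate trust boundary from the records it protects.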

ASP.NET MVC Securing a Controller/Action

Hello, if I want only the administrator to access the action called "ManagerUser", I know I can do this: [Authorize( Roles = Constants.ROLES_ADMINISTRATOR )] public ActionResult ManageUser( string id ) { } What if I want to give everyone access except the administrator? I do not want to write all the roles up there on the function :|. Any recomm...

How to implement a frame buster?

I'm searching for a guide that describes how to implement a working frame buster that also deals with people who don't have JS activated in their browser. I read this very good question, but I'm absolutely not interested in any advice like "don't do that yourself" or "maybe try...". I want to see a paper with a step-by-step guide explain...

Java RMI with no SecurityManager

I have some older code that doesn't use a SecurityManager but does use RMI. From what I have read, RMI requires a security manager, but the code seems to work and run fine on the same machine and between two machines. I have tested this stuff on 1.5, but not on 1.6. I can't find any resource that discusses when a SecurityManager is requi...

Using web.config directory security and extensionless urls

Hi guys, I'd like to use the built-in directory security features of the web.config to restrict access to child pages of a parent page. My structure is as follows: Members, Members/News, Members/Press, Members/Movies. Users should be able to have access to the Members parent page, but not the child pages. My problem is, because I ...

bCrypt implementation in Javascript

I'm wondering if anyone has written or come across any implementations of bcrypt in JavaScript. I'm not against writing the code myself, but if someone with a stronger background in cryptography has already written one, why reinvent the wheel? Especially considering I'd probably come up with a shoddy wheel. [edit]: Following the links pro...

Force logout currently logged-in user in WSS 3.0 - how to?

Hi, the scenario is like this: I have a currently logged-in user. This user would like to remove his own account. He clicks a button, then the Membership.DeleteUser function runs. After this he is still logged in to the service despite his account having been successfully deleted. How can I force him to log out after his account has been deleted? ...