security

CodeIgniter authentication code in controller security question

I have a main controller to handle the very front-end of my authentication system; it handles login, logout, update user info, etc., functions that I anticipate calling by POSTing from views/forms. What about something like a "delete_user" function though? My thoughts are a button in someone's admin panel would say "Delete Account" and it...

Is there a /users/www-data type directory in RedHat/Fedora?

I'm trying to set up web2py on my Fedora server, and the instructions, written for Debian, are telling me to install it in the /users/www-data directory. I realize that Fedora uses a default 'apache' user for running Apache, and Debian uses a 'www-data' user, but there's no corresponding /users/apache directory on my machine... Here are...

.NET Encrypting Database Tables

I am delivering a module for a website that will collect information from a user and make appropriate calculations. The client wants any data collected from the user to be encrypted. We are using SQL Express 2005 as the database. Thanks in advance. ...

How to programmatically allow access to the KeyChain for my application?

Need to avoid the confirmation dialog. ...

Secure PHP authentication system

This has been asked many times, but none of the answers are satisfying. I looked online for secure tutorials, but I have not found something good enough that you would want to use in an important website. It just seems like there are so many ways to get around security. Does anyone know of a GOOD one? What do you guys do when you build a webs...

On Linux do people chroot a Java Web Application or use iptables and run as non-root?

When you run a Java Servlet Container that you would like to serve both static and dynamic content on port 80 you have the classic question of whether to run the server as: As root in hopefully a chroot jail if you can (haven't gotten this working yet) As a non-root user and then use iptables to forward port 80 to some other port (>102...

What's the easiest and safest way to record data being inputted by a user on a web site

Apologies, this is a tragically simple question that will bore most of you. I need to implement the simplest "leave your email and we'll contact you" web page. The simplest thing I could think of is doing an HTML form which calls a PHP script which appends the data in some file on the server. Easy to implement, but now I'm wondering if ...

Cross-Application User Authentication

We have a webapp written in .NET that uses NTLM for SSO. We are writing a new webapp in Java that will tightly integrate with the original application. Unfortunately, Java has no support for performing the server portion of NTLM authentication and the only library that I can find requires too much setup to be allowed by IT. To work ar...

Using CakePHP's Auth component with salted password hashes

How can I make the Auth component of CakePHP create, use and store a random salt with the password? ...

Does it make sense to send password information during email communication from websites?

Most of the online sites on registration do send a link to activate the site and on any further correspondence with the end user they provide information about the site and also provide the login credentials with password in clear text (as given below) Username - [email protected] Password - mysecretpassword What would you do in such a ...

Email server: Is this method spam-safe?

I have a classifieds website, and on each classified there is a tip form where users may tip a friend about the classified. The tip form's action is set to a PHP page, which mails the email after sanitizing etc... I have to filter away spam etc. so that my email server doesn't get blacklisted or anything... I have my own server (VPS, Linu...

Security exceptions in ASP.NET and Load User Profile option in IIS 7.5

After deployment of a new version of our ASP.NET 2.0 application, it started to raise a security exception: "System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.". After quick research on the internet we were ...

Looking for resources to explain a security risk.

I have a developer who has given users the ability to download a zip archive which contains an HTML document which references a relative JavaScript file and Flash document. The Flash document accepts as one of its parameters a URL which is embedded in the HTML document. I believe that this archive is meant to be used as a means to tran...

Is there an encrypted version control system?

I am looking for an encrypted version control system. Basically I would like to have all files encrypted locally before sending them to the server. The server should never receive any file or data unencrypted. Every other feature should work pretty much the same way as SVN or CVS does today. Can anyone recommend something like this? I ...

Server Configuration: PhpSecInfo Report

This is the PhpSecInfo Report for our servers: I can't access php.ini to fix the warnings. I want to know: could a hacker access the database with these settings? I have a very simple site that reads data from a database. There is mysql_real_escape_string, numeric data filtering, sprintf vs in my queries. Please help me with this issue. Thanks a...

How to secure an entire branch in a Sitecore content tree?

I have a section of my content tree which I would like to deny ALL permissions to except for specific roles. This seems like a really obvious task to perform, and yet I don't see an example of it in the Security Administrator's Cookbook and I can't figure out an easy way to do it using the security tools. I must be missing something ob...

Login Failed for user?

I am developing a web app that connects to a SQL 2000 database. Everything works perfectly on my database (which is actually SQL 2008) but when I try to migrate it onto another server (that's actually running SQL 2000) I get some strange errors. I'm getting Login Failed for the username that the web app uses, so I did my normal troubles...

Can JavaScript be written in an HTML href tag?

Hi, I am trying to figure out all the ways JavaScript can be written. I am making a white list of acceptable tags; however, the attributes are getting me. In my rich HTML editor I allow stuff like links. <a href="">Hi </a> Now I am using HTML Agility Pack to get rid of attributes I won't support and HTML tags for that matter. However ...

Will my site be secure?

Hello all! I'm just about to release a website I've designed into the wild, but before I do, I would love some help determining whether I have made any silly security mistakes. Since I'm using shared hosting rather than dedicated, this is a very important concern. After much research and tutorial-reading I've done the following: All P...

How do you fight against all these ways? JavaScript and its million different ways you can write it

Hi, I just don't know what to think anymore. It seems like the people who made JavaScript went out of their way to allow it to be written a million different ways so hackers can have a field day. I finally got my white list up by using HTML Agility Pack. It should remove <scrpit></script> as it is not in my white list, plus any oncli...