I'm working with a database (let's call it DB_data) that contains all of the tables for a series of applications. In an attempt to minimize downtime during upgrades, a facade database (let's call it DB_facade) has been created which has a view for each of the tables in DB_data. It also contains all of the functions and stored procedures,...
I am using this command on my mono VM
sudo mozroots --import --sync
It appears to be getting the cert from this site.
I then try to connect to my SSL site and I get the exception that the cert is invalid. I use Firefox and see the cert was issued in 2010. I looked at that file and see the last time it's been updated was 2009-05-21 12...
I have a whole series of commands that I need to run on login, many of which require root privileges. So, to save a few steps I put them all into one AppleScript so I wouldn't have to open the terminal.
But still, I'd like to be able to do this without entering my password at all (I like to boot my machine early AM while I'm still sle...
Hi everyone.
I'd like to (from code) launch a process with highly restricted privileges.
Can save files, but only in its own folder and limited to a quota.
Can use memory, within a quota.
CPU time (including any subprocesses it launches) is limited to a quota.
Can't talk with any other process except its own and the interface to my c...
Hello.
I'm building a website for a sports center. Registrations are handled through a third-party software program. There are options to register directly through the third party's site or to integrate the registration form into my site with iframes.
Since I'd rather not send people to another site, I went with the iframes option. My...
I am looking for a book (or some other resource) where the most common bugs are explained and the proper fix is shown. I am particularly interested in vulnerable bugs that trigger a CVE
...
I have a website in which all the pages are processed through an index.php that includes different PHP files depending on the requested URL (this is done through mod_rewrite).
I'm using the following method to execute specific functions at page load:
index.php
<script type="text/javascript">
readyFns = Array();
</script>
<?php
// Do ...
Hi there
I was wondering whether it's possible to configure different security options for a single web service without differentiation of the URI. The service should support authentication based on a certificate at the transport level and based on a username at the message level. When I define two endpoints where each references its corres...
I am storing my sitemaps in my web folder. I want web crawlers (Googlebot etc.) to be able to access the file, but I don't necessarily want all and sundry to have access to it.
For example, this site (stackoverflow.com), has a site index - as specified by its robots.txt file (http://stackoverflow.com/robots.txt).
However, when you type h...
I have the requirement to allow users to view the content of a document library, including browsing through folders, but not actually open the individual files.
There doesn't appear to be a permission to restrict users from opening files, but still display them.
Naturally it is an option to create a view that doesn't have the 'open lin...
Hi Guys,
I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages.
First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more...
I would like to create a site-wide hash to be used as salt in creating password retrieval tokens. I have been bouncing around stackoverflow trying to get a sense of the best way to do this.
Here's the reset process:
When a user requests a password reset email the code generates a retrieval token:
$token = hash_hmac('sha256', $reset_h...
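One way to build the reset flow the question describes, as an added example that is not the poster's code: the site-wide secret is a pepper kept in the environment, the raw token goes only into the email, and the database stores just its HMAC with an expiry. The `$pdo` connection and the `password_resets(user_id, token_hash, expires_at)` table are assumptions for the example.

```php
<?php
// Added example (not the poster's code): random, single-use, time-limited
// password-reset tokens stored only as a keyed hash.
// Assumptions: a PDO connection $pdo and a hypothetical table
//   password_resets(user_id, token_hash, expires_at);
// the pepper comes from the environment, never from the same database.

declare(strict_types=1);

// The "site-wide hash" from the question: a server-side secret. If the
// database leaks, stored HMACs cannot be turned back into usable tokens.
function resetPepper(): string {
    $pepper = getenv('RESET_TOKEN_PEPPER');
    if ($pepper === false || strlen($pepper) < 32) {
        throw new RuntimeException('RESET_TOKEN_PEPPER must be set (>= 32 bytes)');
    }
    return $pepper;
}

// Keyed hash of the raw token; this, not the token itself, is persisted.
function tokenHash(string $rawToken): string {
    return hash_hmac('sha256', $rawToken, resetPepper());
}

// Create a token: the raw value is emailed, only its HMAC is stored.
function createResetToken(PDO $pdo, int $userId, int $ttlSeconds = 3600): string {
    $raw = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, tokenHash($raw), time() + $ttlSeconds]);
    return $raw;                               // put this in the email link
}

// Verify a token from the link: recompute the HMAC, compare in constant time,
// enforce expiry, and delete the row so the token cannot be replayed.
// Returns the user id on success, null otherwise.
function consumeResetToken(PDO $pdo, string $rawFromUrl): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $rawFromUrl)) {
        return null;                           // malformed input, reject early
    }
    $hash = tokenHash($rawFromUrl);
    $stmt = $pdo->prepare(
        'SELECT user_id, token_hash, expires_at FROM password_resets WHERE token_hash = ?'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || !hash_equals($row['token_hash'], $hash)
        || (int) $row['expires_at'] < time()) {
        return null;
    }
    $del = $pdo->prepare('DELETE FROM password_resets WHERE token_hash = ?');
    $del->execute([$hash]);
    return (int) $row['user_id'];
}
```

Because the token is random rather than derived from user data, the HMAC key is only there to protect the stored hashes; `hash_equals` avoids timing differences in the final comparison, and deleting the row on use makes the link single-use.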
When developing sites using Dreamweaver, it creates a _mmServerScripts directory on the root of your site. We've been reading that this folder contains SQL statements that are vulnerable to attack. We would like to avoid this all together, if possible. Is this folder even necessary? Can you do anything to Dreamweaver to tell it to never ...
I'm planning to distribute an application over the internet with Java Web Start, and I'm aware that I'll need to sign the application to enable certain security privileges (network connections, dynamic class loading etc.)
What is the best way to create/obtain a signature for this purpose?
In particular I'm interested in:
Minimising t...
I have a graphical user interface for my company product.
I want to secure the data being sent back and forth between client and server.
Is SSL one of the options? If yes, please can someone tell me the steps on how to implement it in my application code.
Do I need to buy the certificate or can I make it? Which is the best choice?
Any...
I am hosting a Java web service on an AIX Unix box using JBoss.
Some of the web methods browse the Unix file structure (i.e. GetDirectoryFiles returns all files for the directory path passed in).
I want to integrate this with the Unix security so that the caller would pass in a username/password at the session level and they would be limi...
Hi all.
I wrote a function that gets the balance from PayPal.
To connect properly I'm passing the user, password and certificate as parameters.
Everything looks ok until something throws an Exception inside and PHP prints all the parameters (user details in this case) on the stacktrace.
I'm logging everything to a file so users wouldn'...
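The leak happens because a PHP backtrace prints the value of every scalar argument in each frame. As an added example that is not the poster's code, three ways to keep the credentials out of the log: pass them inside an object (traces show `Object(ClassName)`, not its contents), redact with `#[\SensitiveParameter]` on PHP 8.2+, and log a trace without arguments at the boundary. `getPayPalBalance()`, `curlWithCert()` and the endpoint URL are hypothetical stand-ins for the poster's function.

```php
<?php
// Added example (not the poster's code): keep PayPal credentials out of the
// exception traces that end up in the log file.
// Assumptions: getPayPalBalance() and curlWithCert() are hypothetical
// stand-ins for the poster's function and its transport.

declare(strict_types=1);

// 1. Carry secrets in an object. A backtrace renders an object argument as
//    "Object(PayPalCredentials)" where a string argument would show its value.
final class PayPalCredentials {
    public function __construct(
        private string $user,
        private string $password,
        private string $certPath,
    ) {}
    public function user(): string { return $this->user; }
    public function password(): string { return $this->password; }
    public function certPath(): string { return $this->certPath; }
    // var_dump()/print_r() of the object stay clean as well.
    public function __debugInfo(): array {
        return ['user' => $this->user, 'password' => '***', 'certPath' => $this->certPath];
    }
}

// 2. PHP 8.2+: #[\SensitiveParameter] replaces the argument's value in
//    backtraces when a secret has to be passed as a plain scalar.
function curlWithCert(string $url, #[\SensitiveParameter] string $password, string $certPath): string {
    // hypothetical transport; any failure inside throws like the real one did
    throw new RuntimeException("request to $url failed");
}

// 3. Catch at the boundary and write a trace that carries file:line and the
//    function name only; never log $e or getTraceAsString() unfiltered.
function getPayPalBalance(PayPalCredentials $creds, string $logFile): ?float {
    try {
        $body = curlWithCert('https://example.invalid/nvp', $creds->password(), $creds->certPath());
        return (float) $body;
    } catch (Throwable $e) {
        $frames = array_map(
            fn(array $f) => ($f['file'] ?? '?') . ':' . ($f['line'] ?? '?') . ' ' . ($f['function'] ?? ''),
            $e->getTrace()
        );
        error_log(
            date('c') . ' PayPal balance failed: ' . get_class($e) . ': ' . $e->getMessage()
            . "\n  " . implode("\n  ", $frames) . "\n",
            3,            // message_type 3: append to $logFile
            $logFile
        );
        return null;
    }
}

// 4. For anything that escapes uncaught, set in php.ini (PHP 7.4+):
//      zend.exception_ignore_args = On
//    so argument values are not recorded in the trace at all.
```

The object wrapper works on every PHP version and is the cheapest fix for the exact situation described; the ini setting is a safety net for exceptions no catch block sees.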
I read many articles about unsafe functions like strcpy, memcpy, etc. which may lead to security problems when processing external data, like the content of a file or data coming from sockets. This may sound stupid, but I wrote a vulnerable program but I did not manage to "hack" it.
I understand the problem of buffer overflow. Take this...
I am creating a socket connection with an unsigned applet to a different host and I'm getting java.security.AccessControlException: access denied
If I sign this applet with either "self-cert" or "CA cert" does the applet gain the permissions to create a socket connection to a different host (not the same host it was downloaded from) and...
I have a wordpress theme with an options page. I have included a basic export/import options feature. The export feature allows the users to download the options to a text .dat file and store them on their own computer. The import options button reads a .dat file and overwrites the current options in the database. Then the file is delete...
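A hardened version of the import side of that feature, as an added example that is not the theme's code: the file is only accepted from an administrator with a valid nonce, it is parsed as JSON rather than `unserialize()`d (attacker-supplied serialized data can carry crafted objects), and every key is checked against a whitelist with a validator before anything is written. The option name `mytheme_options`, the form field names and the validators are assumptions for the example.

```php
<?php
// Added example (not the theme's code): a hardened options import handler.
// Assumptions: the theme keeps its settings in one option 'mytheme_options'
// and the export writes JSON; option name, field names and schema are hypothetical.

// Whitelist: option key => validator returning the cleaned value, or null if invalid.
function mytheme_option_schema(): array {
    return [
        'accent_color'  => fn($v) => is_string($v) ? sanitize_hex_color($v) : null,
        'logo_url'      => fn($v) => is_string($v) ? esc_url_raw($v, ['http', 'https']) : null,
        'footer_text'   => fn($v) => is_string($v) ? sanitize_text_field($v) : null,
        'posts_per_row' => fn($v) => (is_int($v) && $v >= 1 && $v <= 6) ? $v : null,
    ];
}

function mytheme_handle_import(): void {
    // Only administrators, and only from our own form (CSRF check via nonce).
    if (!current_user_can('manage_options')) {
        wp_die('Not allowed');
    }
    check_admin_referer('mytheme_import', 'mytheme_import_nonce');

    $file = $_FILES['mytheme_import_file'] ?? null;
    if (!$file || $file['error'] !== UPLOAD_ERR_OK || $file['size'] > 64 * 1024) {
        wp_die('Invalid upload');
    }

    // Never unserialize() an uploaded file: a crafted .dat could instantiate
    // arbitrary classes (PHP object injection). JSON decodes to plain arrays.
    $raw  = file_get_contents($file['tmp_name']);
    $data = json_decode($raw, true, 4);
    if (!is_array($data)) {
        wp_die('Import file is not valid JSON');
    }

    // Keep only whitelisted keys, each run through its validator.
    $clean = [];
    foreach (mytheme_option_schema() as $key => $validate) {
        if (!array_key_exists($key, $data)) {
            continue;                              // unknown keys are dropped silently
        }
        $value = $validate($data[$key]);
        if ($value === null || $value === '') {
            wp_die(sprintf('Invalid value for %s', esc_html($key)));
        }
        $clean[$key] = $value;
    }

    // Merge over the stored settings so a partial file cannot blank the rest.
    $current = (array) get_option('mytheme_options', []);
    update_option('mytheme_options', array_merge($current, $clean));
    unlink($file['tmp_name']);                     // remove the upload, as the theme already does
}
add_action('admin_post_mytheme_import', 'mytheme_handle_import');
```

The export side should write the same JSON shape with `wp_json_encode()`; if existing users hold `.dat` files produced by `serialize()`, convert them once on the server rather than accepting serialized input from the browser.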