I recently discovered an issue where people using BB Code to enter links are able to manipulate them.
They are meant to enter something like:
[LINK=http://www.domain.com]example text[/LINK]
However they can enter something like this to make the link color red:
[LINK=http://www.domain.com 'span style="color:red;"']example text[/L...
I think the title says it all, pretty much.
A little further detail:
I'm running a site where users can submit Javascript freely
Other people will preview this Javascript 'live'
There will be basic measures in place to stop naughties like eval(), but inevitably some may unfortunately slip through
The site is mysite.com, I gather runnin...
Hi folks,
I'd love to use Google Caja to run user-submitted Javascript 'live demos' in a sandboxed, safe environment, however I see it's Java-based and really have no idea how I'd practically set this up on a shared host (specifically, MediaTemple's (gs)). On (gs) I have access to SSH and can install things via command line but it is ob...
I have a strange error on a specific Windows Server 2008 R2 machine (it works on other 2008 R2 machines) when starting a Windows Service. The service uses Common.Logging and log4net. However, on this specific machine the config section handler for Common.Logging cannot be created.
It fails with the following stack traces (formatted for...
Is there a commonly accepted pattern (or class library, or etc.) for throttling certain form submissions for PHP MVC applications? I'm specifically thinking of the scenario where someone is running a dictionary attack against one of your login forms, and you want to block them after X requests in Y seconds, or if a certain pattern of re...
I am trying to begin a download using the AndFTP Intent API. The file can't be found. I am using this as a reference: http://www.lysesoft.com/products/andftp/ (bottom of page)
I have tried a couple of combinations of Host and remoteFile1 but am bad at path syntax. I get either [filename] not found, or cannot change directory.
Also when...
Hi guys, I've been looking into PHP security for over a month. After all the posts, tutorials, comments, replies to comments, making fun of comments, and then some more comments, I'm left pulling out my hair; while I admit I have really thick hair, at this rate I'll be bald in no time.
It seems that there is NO GOOD GUIDE to security, pl...
Hi,
I will be using online payment soon for e-commerce website.
It will be a solution called 'mercanet' that is provided by Atos Solutions and used with BNP Paribas bank.
It'll use binary file to do the request, and as far as I read the documentation, I just have to provide some information to a file and then get back an array of the resul...
The question says pretty much everything. My point is, is the user able to change his cookie's values in order to appear "logged", when he's not really logged?
...
I read an answer about guid and it was fairly interesting. It seems that GUID is based on time and v1 uses a MAC address with v4 using a RNG.
From the wiki
Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random; given full knowledge of the internal state, it is possible to pre...
I have a username and a password for an smtp server. Currently they are hardcoded in my code:
string userName = "username";
string password = "password";
Currently, anyone who disassembles my dll could see these strings, correct?
I wish to store these securely in the registry, in case of future changes to the smtp server, and/or the ...
If I had let's say a sensitive report in PDF format and wanted to send it to someone, what is the most secure way?
Does a desktop application make it more secure? Since we are basically doing a client to server communication via private IP address? Then add some kind of standard encryption algorithm to the data as you send it over the w...
I'm getting this exception when trying to access a JAX-WS webservice running on the same WAS 7.0 server as the client.
Caused by: javax.xml.ws.WebServiceException: java.io.IOException: Unable to deserialize the Subjects in this Context, cause: the realms do not match
I have a realm set up for user authentication and this call works fi...
Hi All,
I just finished creating a new user for my database in SQL Server. I had 4 tables I wanted to grant Insert, Update, Select and delete permissions. I did this manually in the Securables area of the new user.
Is there a better way to do this than to have to touch each object? If so, how?
Thanks,
rod.
...
How is the password sent from browser to server in case of non-ssl transfer?
I want to use bcrypt to hash password+salt before sending.... but it seems there is no javascript implementation for the bcrypt algorithm...
is md5, SHA-1 good enough?
PS: My site does not store any user personal information.. I just want that user intended ...
Hi,
I have a website with wordpress 3.0.
I noticed that /wp-admin displays the following error today.
Warning: Cannot modify header information - headers already sent by (output started at /www/sites/..com/files/html/wp-includes/default-constants.php:299) in /www/sites/..com/files/html/wp-includes/pluggable.php on line 890
I used IE...
I use $_POST to read data sent through HTML forms to the server, narrowing down attacks exposure.
How can I strengthen security, using some kind of tokens in the form?
The tokens could be readable however with a sniffer.....
EDIT *
I agree the message above is generic...I'll try to give more details!
Ok, a PHP/Server generates emails...
I know I am missing something in reading the Provider Authentication Policy Extension spec:
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
It reads to me that you ask the Open ID Provider (OP) to perform some extra level of authentication. The OP then responds back to you telling you if it performed...
I want to create a WordPress plug-in but also want to ensure that the plugin can only be used after it has been activated with a serial key that should be unique for each domain.
What is the best way to go about it assuming:
I have to give the actual source code to the users and cannot have a VideoPress type of security - which is jus...
When working with the access rules returned by
GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount))
how can I tell if the NTAccount object referenced in each rule is a user account or a group?
Update:
I was able to solve this as follows. Note, the intent of this code is to return True if the NTAccount is a grou...