If I use http://site.com/index.php?page=45 everything looks ok (wanted page loads).
But when I go through http://site.com/index.php?page=45' or http://site.com/index.php?page=45" (quotes are added after digits) the page prints an error:
Unhandled Exception (Debug)
You have an error in your SQL syntax; check the manual that corresponds to y...
Hi, I would like to see how Joomla / Drupal do their validation / security, where are the input validation scripts located?
...
Hi all:
I am working on a login section for a new project, which definitely requires user authentication.
The easiest way of doing that I assume would be using HTTP basic authentication. I implemented it fine on the Apache server, SSL was also introduced to provide better security.
However, one thing concerns me, that it seems the...
I have a temporary folder generated by my business application and wish for the documents within to be only available for around 30 minutes. I was tempted to build an index to keep track of when each file was created but that would be a little silly for just temporary files, they are not of too much importance but I would like them to re...
Hi all,
I want to map 127.0.0.1 to multiple names instead of the standard way as localhost. So my /etc/hosts file in Ubuntu would have the following entries:
127.0.0.1 localhost
127.0.0.1 localhost:extra1
127.0.0.1 localhost:extra2
Now, in my SQL, I want to have a user named karthick and it should have different privile...
By default, the Django database host/user/password are stored in the project settings.py file in plain text.
I can't seem to think of a better way at the moment, but this seems to be against best practices for password storage. Granted, if an attacker has access to the settings file, then all is probably already lost. Even if the fi...
My friend found a problem in my script, it gives access to root files.
This url gives passwd file:
http://site.com/attachment.php?file=../../../../../../etc/passwd
How to escape this security hole?
...
Hi. I got:
public interface IRepository<TE, TK>
where TE : class, IEntityId<TK>, new()
where TK : struct
{
IQueryable<TE> Query();
void Create(TE entity);
void Update(TE entity);
void Delete(TE entity);
}
The Query method should return a data list via Entity Framework 4 ORM.
Use case: I need all August orders...
I am a relatively experienced hobbyist web developer, but am concerned about my lack of knowledge covering potential security holes in web sites/services. I am looking for documentation covering best practices regarding security, especially when dealing with SQL databases.
Attempts at searching are being thwarted by the fact that Google...
In recent versions of PostgreSQL users are implemented as roles that can log in. Is this common in RBAC implementations, that a user is just another role with the ability to log in (or similar)? Some of what I've read so far doesn't suggest that... but maybe I've misread or just not read the right thing.
...
Hi all,
I've been reading into virtualization security and came across Blue Pill, a malicious thin hypervisor (project website is down, archived version here: http://web.archive.org/web/20080418123748/http://www.bluepillproject.org/).
My question is: could a custom malicious hypervisor modify execution flow, inject and execute arbitrar...
Apparently I'm able to net use * http://servername.com and this concept is completely new to me.
Does this mean I'm using WebDAV?
What are the security implications?
How can I read/write files in this manner?
Why doesn't it work for every website?
Is it possible to write files using this method?
...
Hi. I found these modified .htaccess settings for extra security, but they don't seem to work. Here they are:
# Apache configuration file
# httpd.apache.org/docs/2.2/mod/quickreference.html
# Techniques in here adapted from all over,
# including Kroc Camen: camendesign.com/.htaccess
ServerSignature Off
# you probably want www.exampl...
Hi,
I am working on a server application which will have quite a fair number of client devices accessing it.
The problem is we cannot guarantee that the client devices will always have access to the server. It is perfectly possible for a device to be outside the network for 1 week or more. In the meantime, we still want the device to wo...
At a recent interview, I was asked:
Open source web app (say built on Struts/Spring) is more prone to hacking since anyone can access the source code and change it. How do you prevent it?
My response was:
The java source code is not directly accessible. It is compiled into class files, which are then bundled in a war file and deployed...
I would like to use AES (192 or 256 bits), but am stuck on how to generate a key from a user supplied password.
I have gone through this thread, and am able to run the program in Java 6. However, I need to run the same program in Java 5, and SecretKeyFactory for PBKDF2WithHmacSHA1 is not available in JDK 5.
So, essentially, I need to g...
Following up to my old question here:
http://stackoverflow.com/questions/3125248/vb-net-secure-passwords-to-database
Where would a person start who wants to make a web service to allow a public desktop application to submit bug/crash data to an MS SQL database without containing the database information? I created an app a while ago and...
Hi,
I have an applet which is present in a signed jar. This applet uses another 3rd party jar file which is unsigned.
On launching the applet I get the Mixed code warning which I want to avoid.
To solve this issue, I added "Trusted-Library: true" to the unsigned jar which is being used by my applet.
But, it still throws SecurityExcept...
I have a form like this:
<form id="form_main" name="form_main" action="/search/" target="iframe001" method="get" onSubmit="reset_and_subm();">
The Enter key won't submit this form in IE6, but will in Chrome, FF, Opera, Safari, and IE8 (haven't tested IE7 yet).
IN FACT, NOT EVEN PRESSING THE SUBMIT BUTTON SUBMITS THE FORM.
I have tried for ...
Hello,
I am testing the permissions in MSSQL and ran into a problem. I've made a 'Countries' table and a 'spCountries' stored procedure. Now I've made a user 'silverlight' and gave it no rights to the Countries table. The user can execute the stored procedure.
Now when I do a Select it fails like it should, but in an exec spCountries, a...