A few days ago, there were a couple questions on buffer overflow vulnerabilities (such as Does Java have buffer overflows?, Secure C and the universities - trained for buffer overflow, to name a couple) which can happen in imperative programming languages such as C. In functional programming, (from the very limited exposure I've had fro...
Is there really a way to do this ? Retrieving raw .php file from the server (other than getting into server's FTP account) ? Is this the reason why there are tools/script to encrypt php source code ? If it's true, then how to protect against it ? (without using php source code encryption) edit: the server mentioned has php running, eg....
Is Django a good choice for a security critical application? I am asking this because most of the online banking software is built using Java. Is there any real reason for this? ...
I am upgrading a client's e-commerce webstore and have hit a bit of a snag. The store is a custom-made set of PHP scripts. At each sale, the credit card is charged via the merchant account interface, and then the order is e-mailed to the client's desktop INBOX. However, as the company grows, this became unscalable, as the client spends ...
I have a client/server application and I'm wondering what is a secure method to implement registration of new clients with the server. So far, I have the following: A user downloads the client from them web, and installs it. During the installation the client registers with the server and receives a secret key (certificate). Each follo...
Hello, I have to ensure the security of a asp.net website at work. they ask me to do a role based security with the active directory of my work so i could do a sitemap and give the right acces at the right personne. wich class of the framework should i use? make generic identity? ...
Hi I have coded some JavaScript to perform an ajax call in an asp.net application. This triggers a method that calls a URL, sending some parameters in the POST. The receiving page processes the data and updates our database. We will be providing this code to customers to allow them to send us the data we need in their checkout process...
I have a TSQL script that is used to set up a database as part of my product's installation. It takes a number of steps which all together take five minutes or so. Sometimes this script fails on the last step because the user running the script does not have sufficient rights to the database. In this case I would like the script to fail ...
I'm in a bit of a strange dilema. Please bear with me as I try to explain it! I'm using forms authentication and am storing additional user information in another table (referenced UserID from Forms Auth, encrypted SSN, Salt value). When users register to the site, I ask SSN, DOB and LName and verify against our system before they crea...
I'm using DCOM to provide various application services on a Windows network, using Kerberos to handle authentication. The system normally works fine, but I'm running into issues accessing the service from a separate (trusted) domain. Particularly, the service is unable to make callbacks to the client application, receiving the error "A s...
I am going to be building a web app soon where I will need to have a security model such that different users have access to different parts of the application and/or different sets of data within those specific parts of the app. I am debating between the following two methods of implementing security: White List: By default users have...
During SSAS 2008 installation the Account provisioning tool comes up and you can select the current Windows user (or other windows user). However that account was deleted prior to adding another user as the administrator. In 2005 the tool existed on the server and could be run manually, however I’m not seeing it in 2008. I assume I ca...
How can i retrieve the bytecode and make a hash to see if someone has manipulated with my bytecode in-memory or on file? EDIT: Does signing the binaries protect the code from being modified and executed? As much as I want to protect my users from making sure they are running my software. I would also like to protect the program (server)...
Running as an elevated admin on Vista SP1, my C# app tries to set the following rule with the following code. No error is produced, but neither is any change on the directory's ACL. What am I missing? public static void Main( string args[] ) { string dirPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonAp...
I am maintaining a public website (no authorization required) that uses web services over https to perform various operations. Most of the calls to the web services are invoked from javascript. What has recently occurred to me is that a malicious hacker could, if he/she chose to, call the webservices directly in an attempt to play havo...
Hello all, I've been meaning to post on here for a while but always find the information I need; up untill now of course! I would appreciate any help you may be able to offer in regards to code access security, and in particular dll's on a network share. I am looking for a way to dynamically load assembles for reflection, instantiation...
I'm working on a flex application which needs access to the microphone. By default, the security preferences show up when our application tries to access the mic, but we would like to know what the value of these settings are before the mic is actually being used for recording. This would enable us to display help to the user, for inst...
This is somewhat related to How to avoid Outlook security alert when reading outlook message from C# program. I use MyPhoneExplorer to manage my cell phone, but whenever it syncs with Outlook I get that pesky message box every time. I am getting tired of both hunting down that checkbox / button combo and to answer the same thing over an...
Can't set Ifilter debugging on Vista. Per instructions at http://blogs.msdn.com/ifilter/archive/2007/02/06/debugging-ifilters-with-wds-3-0-and-windows-vista.aspx ... I use regedit to set HKLM\Software\Microsoft\Windows Search\Gathering Manager:Debug Filters to 1, but when I click OK, I get message results in error "Cannot edit D...
This question comes from my experience with the following question: http://stackoverflow.com/questions/492748/new-responses-icon-on-so-crashes-ie7-closed In that question, you will see the effort I put fourth in debugging this crash in IE, and in doing so, I can see the potential threat of exploitation and remote code execution. So, be...