Hello, I'm trying to secure a WCF service using Windows accounts. The service should run on many systems with different languages. How can I set a PrincipalPermission that has language-independent role names?
I found ugly workarounds like this one.
[PrincipalPermission(SecurityAction.Demand, Role = "Builtin\\Administrators")] // Englis...
I'm currently using the following code in my cms to check if visitor is logged in as admin so that he can edit the current page:
if ($_SESSION['admin'] == "1")
{
    echo '<a href="foobar/?update">edit</a>';
}
But I'm worried that the code is unsafe. Can't $_SESSION variables easily be modified by the user?
What would be a safer pra...
Question:
I have some performance problem in my app - and the bottleneck is sun.awt.image.ImageFetcher.run, and I can't get any (more) meaningful info from the profiler. So I figured that it would be nice to look at the jobs that ImageFetcher is doing.
I couldn't get access to FetcherInfo class, that holds all ImageFetcher jobs. To obtain ...
Hello!
Please consider the following setup:
Multi-tenant webapp.
Tenants create company accounts and company accounts have user accounts under them.
Users have roles, there's a special role "Owner" (the user who created the company account).
I'd like to allow users to edit other user accounts (some admin tasks), but two conditions mu...
I've been using a custom function for some time now to prevent clickjacking on certain sites. However, I've been surprised to find there's not a lot out there about how to do this 'idiomatically' using the various popular JavaScript frameworks.
Are there users of jQuery, Dojo, YUI, and/or ExtJS who have used their framework to implemen...
.NET code access security has been around for a long time, yet it seems to hardly ever be used in the real world.
To my way of thinking, this seems like an excellent concept, and one I had not seen prior to .NET. (Does it exist in other languages?)
I would like to know if anyone is proactively using it in their projects and why?
For t...
POSIX.1e was going to define ACL (Access Control List) mechanisms for POSIX (amongst other security-related issues), but the proposals were never converted into a formal standard. Nevertheless, ACLs (not necessarily POSIX.1e ACLs) are supported at least optionally in all the main variants of Unix (Linux, BSD, Mac OS X (ACL), HP-UX, AIX (p10...
Hi
I am having trouble impersonating a user. I have a method declared like this:
[PrincipalPermission(SecurityAction.Demand, Name=@"DJPITER-PC\Test", Role="LocalTestGroup")]
static void LocalTestGroupOnly()
{
    Console.WriteLine("Inside LocalTestGroupOnly() - {0}",
        WindowsIdentity.GetCurrent().Name);
}
The calling...
I am using the Membership.Provider for security in my MVC application. I have a forgot-password page that asks for your username and then gives you the secret question on file. My question is how to check the secret answer against what is on file. I can't seem to find any method that does that besides
Membership.Provider.ResetPasswo...
Our company is trying to implement a few single sign-on applications using Active Directory (Windows Server 2003) and LDAP. I would like to lock down the account used to make these LDAP queries as much as possible. What is the best practice for configuring this type of account?
...
First some background to my question.
Individual entities can have read Permissions.
If a user fails a read permission check, they can't see that instance.
The problem relates to introducing Lucene and performing a search which simply returns a list of matching entity instances. My code would then need to filter entities one by one. Th...
How can I use declarative security ([PrincipalPermissionAttribute(SecurityAction.Demand, Role = "")]), but I don't want to check the role; I need to check the permissions for that role?
Since I have roles and permissions for each role, how can I use declarative security for permissions?
Thanks for help
...
In an application that needs to open a database connection, the username/password details must be sent to the database. What is the most secure way of storing, and using, this data?
...
how can I override PrincipalPermissionAttribute SecurityAction.Demand method?
...
I need to filter the unreliable $_SERVER['PHP_SELF'] variable. Is this a good approach:
function filterPhpSelf($str)
{
    // Keep only the part of the path up to and including this script's file name
    $phpself = basename(__FILE__);
    $str = substr($str, 0, strpos($str, $phpself)) . $phpself;
    return $str;
}
where $str is $_SERVER['PHP_SELF']?
...
I get an UnauthorizedAccessException every time I try to access (just read) a file on a network share "\\server\folder1\folder2\file.pdf".
I am impersonating the domain\aspnet user which has read & write access to the above mentioned folders. The file is not read-only.
I tried finding the permissions via System.Security.Permissions.F...
So I'm a slightly seasoned php developer and have been 'doin the damn thing' since 2007; however, I am still relatively n00bish when it comes to securing my applications. In the way that I don't really know everything I know I could and should.
I have picked up Securing PHP Web Applications and am reading my way through it testing thing...
So this code has the off-by-one error:
#include <stdio.h>
#include <string.h>

void foo(const char *str) {
    char buffer[64];
    strncpy(buffer, str, sizeof(buffer));
    buffer[sizeof(buffer)] = '\0';  /* off-by-one: writes one byte past the end of buffer */
    printf("whoa: %s", buffer);
}
What can a malicious attacker do if she figures out how the function foo() works?
Basically, to what kind of security potential pr...
For my web application, people can upload images from a web form to my web server.
What should I set the chmod settings for that image upload directory to, so that people can upload images (from the web server) to that directory but not execute any files they upload, for security reasons?
Would the chmod settings be:
chmod 744 directory/...
I need a way in Perl to strip naughty things, such as XSS, image interjection, and the works.
I found HTML::StripScripts but it hasn't updated in close to two years, and I'm not up to date with all the new exploits.
Is it safe?
What other markup languages (in Perl) would you use?
...