I installed a default installation of PostgreSQL 8.4 on Windows 2003 Server, using the one-click installer provided. Running psql -l for the first time, I noticed there are three databases installed by default: postgres, template0, and template1.
Being security-minded, my initial reaction is to delete or change default configurations. H...
I wrote a short C++ program to do XOR encryption on a file, which I may use for some personal files (if it gets cracked it's no big deal - I'm just protecting against casual viewers). Basically, I take an ASCII password and repeatedly XOR the password with the data in the file.
Now I'm curious, though: if someone wanted to crack this, h...
I'm trying to run an executable (.exe) from the LAN without allowing users access to the contents of the LAN folder itself, e.g.
1) User clicks on a link in their email to an executable at a folder path e.g. I:\Folder A\setup.exe
2) On clicking the link, the installer runs
3) If user tries to access the folder i.e. I:\Folder A\, they are ...
Has anyone been able to successfully implement a service to serve the required socket policy file to FlashPlayer?
I am running the Python implementation of the service provided by Adobe at
http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html
and using the following policy file:
<?xml version="1.0" encoding="UTF...
I am trying to write a parametrized query in SQL server that uses a parameter value as part of the XPath, however it does not seem to work the way I would expect it to. Here is my sample:
create table ##example (xmltest xml)
declare @LanguagePath varchar(75)
set @LanguagePath = '(/languages/language[@id="en-US"])[1]'
insert into ##ex...
If I have a user that only has limited permissions - just db_datareader and db_datawriter, which should only permit the user to query data and insert/edit/delete data, without allowing the user to add/modify/delete tables in the database.
There may be a need for the user to be able to execute stored procedures. If the user is given exe...
I have the following code that is presenting a 'word-of-the-day'. As I am relatively new to PHP coding, I wanted to make sure that there weren't any security issues for how I am selecting from my database from the cookie value. Thanks.
if ($word_of_the_day) {
$wotd = $wpdb->get_results("SELECT term,definition FROM glossary WHERE ter...
I want to build my web services serving JSON data utilizing RESTful architecture.
But I want my own client apps only that can request from my web services.
Basically, my web services contain sensitive data that is not for public consumption, but I wanted to build it that way so I can build many different client apps that connects to my...
I work at a place where we build applications that process and store sensitive data.
We have 3 environments: Dev, UAT / QA (user acceptance testing) and Production.
The developers at my work have no access to UAT or Production and have limited access to Dev. All we can do in Dev is connect to a dev DB server. We have no access to the de...
I guess someone is trying to log on to our SQL server and the error log is getting bigger. I am running out of space on the HDD. What should the solution be?
Cleaning up the error log regularly? How to?
Disabling access to the SQL server? For attacker IPs? For local use only? How to?
Any other?
Regards,
Burak
...
Most web sites you can log on to also provide the feature so it remembers you between sessions.
What are the accepted and secure techniques for implementing that? (What do you put in the cookies and how do you handle it on the server/db?)
...
I have heard many stories from people who had their sites integrated elsewhere, so that the visitors to those other sites would see the original one, not even knowing that the site has no content of its own but just serves some other resource.
I understand people are doing that to promote their resources by (ab)using the others' work. Is there a...
From a security perspective, I can see simply doing an 'eval' on incoming JSON data as a critical mistake. If you got data like below you'd have some problems.
{ someData:((function() {
alert("i'm in ur code hackin' ur page");
})()) }
I wondered what do most popular Javascript libraries do? Is it a manual parse or simply an eval...
Maybe the title is badly phrased but couldn't think of a better way of saying it.
I am working on a login system at the moment (nothing formal, just experimenting) and was planning on using PHPLiveX (an AJAX library) for some features. Basically you create some PHP functions which are then called via JavaScript. You can add parameters (...
By default, Ruby on Rails stores session data in cookies. This has many advantages, such as the lack of need to set up any persistence layers on the server side. However, the session data is not encrypted, and the Rails app that I'm writing puts potentially sensitive data in the session. I'd like to avoid storing session data server-side ...
Hello everyone,
I am using VSTS 2008 + .Net 2.0 + C#. And I am running Code Analysis after build. I got the following confusing security warning. Here is the warning and related code, any ideas what is wrong? If there is security warning, how to fix it?
System.Diagnostics.Process myProcess = new System.Diagnostics.Proce...
Hi,
I have written two features in SharePoint 2007.
One is scoped at Site level and it basically adds a web part to the site collection where it is activated. This feature assembly is deployed under the 'bin' directory.
Second is Farm scoped which is my custom SPPersistedObject and is deployed in Central Administration. The assembly i...
I'm not sure how to proceed. I have an idea for a web application(s) but I'm not sure which part to do first. If my application has an authorization and authentication need, do I create that first and then the rest of the program or do I do the other (to me more fun) stuff first and then plug in the user authentication later?
I'm not ...
What are the most strange/sophisticated/surprising/deeply hidden software vulnerabilities or exploits you have ever seen? Places in code where you thought that there is no danger hidden, but were wrong?
[To clarify: Everybody knows SQL injections, XSS or buffer overflows - bugs which often result from careless coding. But things like Ke...
My henchman is learning PHP currently, and he sent me his PHP code, and I found that he uses $_REQUEST in his code. The textbook I read says that $_REQUEST has a security problem, so we'd better use $_POST. So I replied to the henchman that we'd better use $_POST. Is this OK?
...