security

问题 Is it possible to somehow view another websites php files/codes? Or to rephrase the question, Can my php codes be viewed by anybody except for those who have access to the file? If so, how can I best prevent this? Ps: Server OS is Ubuntu 9.10 and PHP version is 5+ (Apache2) 回答1: A bug or security vulnerability in the server (either Apache or the PHP engine), or your own PHP code, might allow an attacker to obtain access to your code. For instance if you have a PHP script to allow people to

问题 Closed . This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 4 years ago . I would like to add licensing system to application. For example: user buys license for 1 month and after that program expires (Kinda Anti-Virus style?). Problem is that application is supposed to run in systems which may or may not be connected to internet , so how to protect

问题 Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability. What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien

问题 I'm working on building a RESTful API for one of the applications I maintain. We're currently looking to build various things into it that require more controlled access and security. While researching how to go about securing the API, I found a few different opinions on what form to use. I've seen some resources say HTTP-Auth is the way to go, while others prefer API keys, and even others (including the questions I found here on SO) swear by OAuth. Then, of course, the ones that prefer, say,

问题 I've seen web apps with limitations for user login attempts. Is it a security necessity and, if so, why? For example: you had three failed login attempts, let's try again in 10 minutes!! 回答1: Clarification This is a completion to the other answers. Using a good implemented captcha alongside an anti-bruteforce mechanism using sessions for example. The questioner marked this as accepted assuming that captchas are unreadable by machines (she's almost right) and so it's getting negative points,

问题 How do I (or can I?) retrieve the cached credentials for the currently logged-in Windows user in Java? I want to reuse these credentials in some other GSS-API calls. Specifically, I'm answering an SPNEGO challenge from IIS. Thanks. 回答1: assuming you are using JAVA 5: com.sun.security.auth.module.NTSystem NTSystem = new com.sun.security.auth.module.NTSystem(); System.out.println(NTSystem.getName()); here is some info on the subject 回答2: If IIS has Integrated Windows Authentication turned on,

问题 I need to programmatically create a directory that grants "Full Control" to the group "Everyone". If I use CreateDirectory(path, NULL); This will, according to the Win32 SDK documentation, create a directory that inherits from its parent directory. I do not want to inherit the access rights of the parent directory I need to ensure that "Everyone" has full control over the directory. Obviously, this will require setting up the SECURITY_ATTRIBUTES structure with the appropriate security

问题 I use BouncyCastle for encryption in my application. When I run it standalone, everything works fine. However, if I put it in the webapp and deploy on JBoss server, I get a following error: javax.servlet.ServletException: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC (...) root cause java.lang.Exception: error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC (...) root cause java.io

问题 I need a PHP function, AES256_encode($dataToEcrypt) to encrypt the $data into AES-256 and another one AES256_decode($encryptedData) do the opposite. Does anyone know what code should this functions have? 回答1: Look at the mcrypt module AES-Rijndael example taken from here $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM); $key = pack('H*', "bcb04b7e103a0cd8b54763051cef08bc55abe029fdebae5e1d417e2ffb2a00a3"); # show key size

问题 If I was setting up a server, and had the SSL certificate(s), why wouldn't I use HTTPS for the entire site instead of just for purchases/logins? I would think it would make more sense just to encrypt the entire site, and protect the user entirely. It would prevent problems such as deciding what has to be secured because everything would be, and it's not really an inconvenience to the user. If I was already using an HTTPS for part of the site, why wouldn't I want to use it for the entire site?