security

UAC prompt elevation - how does it work?

柔情痞子 submitted on 2020-01-23 08:15:27
Question: Windows displays UAC prompts on the "secure desktop" when certain security-related operations need to be performed. There's obviously some API somewhere that creates the secure desktop and creates a window on it, but I have no idea where I would find out about the mechanisms involved. I guess I could reverse engineer the UAC mechanisms, but I'm not that good at that level of reverse engineering (and I'm pretty sure there are some legal ramifications involved...) Anyway, I know there's an API to

Disadvantage of HttpUtility.HtmlAttributeEncode

泄露秘密 submitted on 2020-01-23 03:05:06
Question: I have to encode a field to make it secure against script injection. I know I can use HttpUtility.HtmlEncode and Decode, but this method for HI-ASCII characters goes out of the range of the field size in the database and I don't want to change the size of the data field column. Instead, if I use HttpUtility.HtmlAttributeEncode, it works fine because it does not encode the HI-ASCII characters. Is it safe? What can be the disadvantages of it? Answer 1: From HttpUtility.HtmlAttributeEncode Method (String):
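Why an attribute encoder that leaves high-ASCII alone is still safe inside a quoted attribute, and where it stops being safe, as an added example in Python (not the poster's code and not the .NET implementation). `attr_encode` reproduces the behaviour the question describes (escape only the characters that can close the quote or start an entity); `html_encode_numeric` shows what inflates the stored length; `render_unquoted` is the caveat: the same encoding does nothing for an unquoted attribute. Which characters the real .NET method covers is not stated on the page; the apostrophe is included here as an assumption.

```python
def attr_encode(value):
    """Encode text for a *quoted* HTML attribute value.

    Only characters that can close the quote or begin an entity are touched;
    non-ASCII text passes through unchanged, so for plain text the stored
    length equals the input length. The apostrophe is an assumption here.
    """
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace('"', "&quot;").replace("'", "&#39;"))


def html_encode_numeric(value):
    """Like attr_encode, but every non-ASCII character also becomes a numeric
    entity (e.g. "e with acute" -> "&#233;"), which is what grows the column."""
    return "".join(ch if ord(ch) < 128 else "&#%d;" % ord(ch)
                   for ch in attr_encode(value))


def render_double_quoted(value):
    # Safe: the value sits between double quotes and '"' is encoded, so the
    # constructed payload '" onfocus="alert(1)' cannot leave the attribute.
    return '<input value="%s">' % attr_encode(value)


def render_unquoted(value):
    # Wrong by design: with no quotes, whitespace ends the attribute value, and
    # attr_encode touches neither spaces nor '=', so 'x onfocus=alert(1)' lands
    # as a second, attacker-controlled attribute.
    return "<input value=%s>" % attr_encode(value)
```

The encoding is only correct for the context it was designed for: a quoted attribute. If the template emits the value unquoted, or into a script block or URL, no amount of HI-ASCII handling matters; the context-specific characters do.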

Certificate of sender expired before signature verify

喜夏-厌秋 submitted on 2020-01-23 00:41:21
Question: I'm working on a project about certificates and digital signatures in Java, but I can't understand the following situation. The certificates of the sender and receiver of a document were valid when the signature was created. But by the time the receiver received the document, the certificate of the sender had expired. Is that a valid situation, so the receiver can normally verify the signature, or can't he? One more question. What is the Non-repudiation key usage used for? Answer 1: A digital signature will remain cryptographically correct even

Can $_SERVER['REMOTE_USER'] be spoofed?

放肆的年华 submitted on 2020-01-22 19:51:06
Question: I have a situation where I am opening a file based on the $_SERVER['REMOTE_USER'] variable. I don't think this is spoofable but would just like to confirm. I do not want to make myself vulnerable to the reading of arbitrary files: <? $user = $_SERVER['REMOTE_USER']; $fp = fopen("./$user.png","r"); ?> Answer 1: Yes, that username is whatever is specified by the remote user. You need to verify the password as well. If the password is verified by your server, and not your application, then you are probably
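The check the question is really asking for, as an added example (not the poster's code, and in Python rather than PHP, which is the language used for the examples on this page). It assumes a hypothetical `avatars` directory and constructed usernames. The point the answer above does not spell out: even when the web server has genuinely authenticated the user, the username is still user-chosen text and has to be constrained before it becomes part of a path, otherwise a name containing `../` or a NUL byte selects a file the application never meant to open.

```python
import os
import re

# Allowlist for the username itself: letters, digits, dot, underscore, dash,
# bounded length. Anything else (slashes, NUL, empty string) is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def user_file_path(base_dir, remote_user):
    """Map an authenticated username to <base_dir>/<user>.png, or return None.

    Two independent checks: the allowlist on the name, and a containment check
    on the resolved path, so that even a name the allowlist happened to miss
    could not escape base_dir (e.g. via a symlinked component).
    """
    if not remote_user or not USERNAME_RE.match(remote_user):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, remote_user + ".png"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    # Constructed inputs: one legitimate name and three hostile ones.
    names = ["alice", "../../etc/passwd", "alice\x00", "../avatars/bob"]
    return {n: user_file_path("avatars", n) is not None for n in names}
```

Note what the allowlist rejects: `../../etc/passwd` (slashes), `alice\x00` (older PHP stopped at the NUL, turning `passwd\x00.png` into `passwd`), and `../avatars/bob`, which would resolve back inside the directory but is still not a username. The containment check is the second line of defence, not the first.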

Safe way to store decryptable passwords

感情迁移 submitted on 2020-01-22 18:57:06
Question: I'm making an application in PHP and there is a requirement that it must be possible to decrypt the passwords in order to avoid problems in the future with switching the user database to a different system. Consider that it's not possible to modify this future system's password method and I need plain text passwords in order to have the passwords generated. The plan is to encrypt the user's password with a public key that is stored on the server. Authentication is done by encrypting the input and

Sqlite db security

点点圈 submitted on 2020-01-22 15:23:08
Question: I'm building an app which uses a Sqlite DB. Users can enter their information into the db and retrieve it. However, I want them to be able to back up the sqlite db. What I did was put the sqlite db in the documents folder, so they could retrieve it using iTunes. For example, if the iPad is faulty, I want them to be able to transfer the sqlite db to another iPad. The problem now is, I don't want them to know the information inside the db, I should say the db structure. So how can I build a

authentication issue with an intranet website running under IIS6

女生的网名这么多〃 submitted on 2020-01-22 10:02:05
Question: I have an intranet website running under IIS6 (under a specific port, not the default one) with integrated Windows authentication enabled, and it uses an application pool configured with a service account. The issue is, if I access the website using the server name with a fully qualified domain in the URL, it throws a login prompt (it doesn't work even if I enter my Windows login credentials), but if I use the IP address of the server then it works fine. Please let me know what I need to do to

How was the oracle padding attack on ASP.NET Fixed?

谁说我不能喝 submitted on 2020-01-22 09:41:26
Question: Microsoft released their out-of-band release to fix the security flaw in ASP.NET yesterday. What methods did Microsoft use to end the viability of this vector? Answer 1: A great summary of the changes comes from http://musingmarc.blogspot.com/2010/09/ms10-070-post-mortem-analysis-of-patch.html Don't leak exception information - This prevents exploits from seeing what is broken. Don't short-circuit on padding checks (take the same amount of time for padding correct versus padding broken) - This
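The padding-oracle mechanism the answer above refers to, and the effect of the first listed fix, as an added example that is neither from the original page nor from Microsoft's patch. To stay standard-library only it uses a toy 16-byte Feistel block cipher built on HMAC-SHA256 in CBC mode in place of AES (an assumption; the attack is identical for any CBC block cipher). `leaky_oracle` models the pre-patch behaviour, where the caller can tell a padding failure apart from success; `open_hardened` models the patched behaviour, authenticating the ciphertext before any decryption and returning one generic failure. `recover_message` is a generic CBC padding-oracle attack: it recovers the constructed plaintext from the first and gets nothing from the second.

```python
import hashlib, hmac, os

BLOCK, ROUNDS = 16, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):            # Feistel round function (toy cipher, not AES)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, b):
    l, r = b[:8], b[8:]
    for k in range(ROUNDS):
        l, r = r, _xor(l, _f(key, k, r))
    return l + r


def block_decrypt(key, b):
    l, r = b[:8], b[8:]
    for k in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, k, l)), l
    return l + r


def pad(m):                        # PKCS#7
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(m):
    n = m[-1]
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n:
        return None                # bad padding
    return m[:-n]


def cbc_encrypt(key, iv, m):
    out, prev = b"", iv
    for i in range(0, len(m), BLOCK):
        prev = block_encrypt(key, _xor(m[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, c):
    out, prev = b"", iv
    for i in range(0, len(c), BLOCK):
        out += _xor(block_decrypt(key, c[i:i + BLOCK]), prev)
        prev = c[i:i + BLOCK]
    return out


def leaky_oracle(key, iv, c):
    # Pre-patch behaviour: a padding failure is distinguishable from success.
    return unpad(cbc_decrypt(key, iv, c)) is not None


def seal(key, mac_key, m):         # encrypt-then-MAC over iv || ciphertext
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(key, iv, pad(m))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_hardened(key, mac_key, token):
    # Patched behaviour: authenticate first; one generic failure for everything.
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    return unpad(cbc_decrypt(key, body[:BLOCK], body[BLOCK:]))


def recover_block(oracle, prev, target):
    # oracle(iv, one_block) -> bool. Learns D(target) one byte at a time, from
    # the last byte backwards, by forging the block XORed into the plaintext.
    inter = bytearray(BLOCK)
    for p in range(1, BLOCK + 1):
        pos, found = BLOCK - p, None
        for guess in range(256):
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ p
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if p == 1:             # rule out an accidental longer valid pad (..02 02)
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            found = guess
            break
        if found is None:          # nothing passed: the oracle is not leaking
            return None
        inter[pos] = found ^ p
    return _xor(bytes(inter), prev)


def recover_message(oracle, iv, c):
    blocks = [iv] + [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    pieces = [recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks))]
    return None if None in pieces else b"".join(pieces)


def demo():
    key, mac_key = os.urandom(32), os.urandom(32)
    token = seal(key, mac_key, b"user=guest;admin=0")      # constructed plaintext
    iv, c = token[:BLOCK], token[BLOCK:-32]
    leaky = lambda i, blk: leaky_oracle(key, i, blk)
    hardened = lambda i, blk: open_hardened(key, mac_key, i + blk + bytes(32)) is not None
    return unpad(recover_message(leaky, iv, c)), recover_message(hardened, iv, c)
```

The attacker never needs the key: roughly 256 queries per byte against `leaky_oracle` are enough to read the whole message. Against `open_hardened` every forged ciphertext fails the MAC before the padding is ever examined, so there is no padding answer to observe; the timing fix listed second in the answer closes the remaining side channel for code paths that do still reach the padding check.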

SSL: How are certificates protected against man in the middle attacks?

僤鯓⒐⒋嵵緔 submitted on 2020-01-22 09:25:22
Question: My question is about certificates, specifically in SSL, but I think the questions should apply to all certificates. I have included the SSL procedure for the sake of clarity. In SSL this is what I understand to be the procedure:
1) Client sends supported crypto algorithms, sends client nonce
2) Server chooses (and sends) a symmetric algorithm, a public key algorithm, a MAC algorithm; sends its certificate; sends server nonce
3) Client verifies certificate, extracts public key, generates a pre-master