Everything posted by ajoo

  1. Hi, It however does not show up in the list of topics to indicate that a topic is answered and closed. Wish you could do something about that too ! Thanks
  2. Hi requinix, I do have a Recommended link at the top of the page, and there's a Featured Link, like a star in a down arrow, on Gizmola's post. So how do we do it ?? This would serve nicely to show that the topic is answered and closed ! Thanks !
  3. I think this feature was really great since one could save tons of time by simply focusing on looking for a solution from answered questions instead of going through each & every similar question. Further it let one zoom down directly to the correct answer in the thread ! really sad ! Thank you.
  4. Hi Gizmola & Requinix, Thanks for the inputs. You were correct, both that is. There was a path error in the xsendfile module. Gizmola's reply set me thinking. I cannot find the button that would set this thread as solved with a best reply, else I would do so. Thanks again !
  5. Hi all ! I hope someone can check my last thread of this topic and offer some advice. Thanks all !
  6. Hi requinix and all ! So here's my related question that I mentioned in the last mail. I have 2 VPS's identical in all respects and working. In the first VPS, my /var/www folder is organized as follows: and in the 2nd VPS as There is a folder called images inside the aboveroot1/(2) folders in both VPSes. This stores images of the registered users and is mostly there for the purpose of editing, though not by the user but by an admin. Folder permissions on images in both VPSes are drwx-wx--- (730) while the file permissions are -rw-rw---- (660). While VPS1 displays the pictures from the images folder just as it should, in the form, VPS2 fails to do so. I suspect that the 2nd method is the right way of setting up symlinks and that VPS1 is exposing the aboveroot1 folder as publicly accessible. If my assumption is correct and I go the VPS2 way, then how do I display the picture files from inside the images folder? Can I do that by changing permissions on the folders, OR would I have to expose the images folder and bring/move it from inside the aboveroot1(2) to under the webroot ? I hope I could explain my issue clearly and look forward to your replies and suggestions. Thanks all !
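Added example, not part of ajoo's post or any reply in the thread: one way to show files from a directory that stays outside the web root is to route every request through a small PHP front-end that checks the session, validates the file name and streams the file. The directory path /var/www/aboveroot1/images, the `is_admin` session key and the `f` query parameter are assumptions for the demo.

```php
<?php
// Added example (not the thread's code): serve a private image through PHP so
// the images directory never has to be exposed as a public path or symlink.
// Assumptions: files live in /var/www/aboveroot1/images (outside the web root),
// and the login code sets $_SESSION['is_admin'] for the admin user.
declare(strict_types=1);

const IMAGE_DIR     = '/var/www/aboveroot1/images';            // assumed private directory
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

session_start();

// Only the admin may view these files; everyone else gets a 403.
if (empty($_SESSION['is_admin'])) {                            // assumed session key
    http_response_code(403);
    exit('Forbidden');
}

// Accept a bare file name only: no slashes, no traversal, bounded length.
$name = $_GET['f'] ?? '';                                       // assumed parameter name
if (!preg_match('/\A[A-Za-z0-9._-]{1,100}\z/', $name) || strpos($name, '..') !== false) {
    http_response_code(400);
    exit('Bad file name');
}

// Resolve the path and re-check that it is still inside IMAGE_DIR after symlinks.
$base = realpath(IMAGE_DIR);
$path = realpath(IMAGE_DIR . '/' . $name);
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Derive the content type from the file's bytes, not from its extension.
$type = mime_content_type($path);
if (!in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(415);
    exit('Unsupported file type');
}

header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . $name . '"');
readfile($path);
```

With the modes from the post (730 on the directory, 660 on the files) the web server's user only needs to be in the directory's group: `x` on the directory lets it open a file by name without listing the folder, and `rw` on the file lets `readfile()` read it. If mod_xsendfile is already in use, `readfile($path)` can be replaced by `header('X-Sendfile: ' . $path)` after the same checks, which leaves the access control in PHP and the streaming to Apache.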
  7. Hi requinix, Long time ! I hope you are good. The actual error was really dumb. I had not changed the https port 443 back to 80 in the conf file of the new server where there was no SSL certificate. So that seems to be a configuration mismatch. However I do have a related question which I will ask later since I am trying out a few things to be a little bit clearer or sort it altogether. It has to do with symlinks. I'll come back later. Meanwhile this issue is sorted. Thanks loads.
  8. Hi all, There seems to be something else that is the issue. Since I have recopied the actual directories and files back into public, still it runs the default index.php outputting the default Ubuntu page. So it seems not to be a symlink issue but something else. I would be grateful for any hints on what I should look for or try. Thanks all
  9. Hi all, My project folder on my ubuntu server lies at this location (a) : /home/vagrant/website I had copied my project at /var/www/public/ ( I created the public folder under /var/www/. The other folder by default is html which contains the default index.php displaying the phpinfo) I now wished to create a symlink to my project folder at (a). So I deleted my project folder and files under the public folder and instead created the symlinks. This is what the public folder looks like now: vagrant@vagrant:/var/www/public$ ls -l total 0 lrwxrwxrwx 1 vagrant www-data 28 Jun 19 10:21 project -> /home/vagrant/website/project lrwxrwxrwx 1 vagrant www-data 27 Jun 19 10:21 proj_inn -> /home/vagrant/website/proj_inn lrwxrwxrwx 1 vagrant www-data 27 Jun 19 10:21 mylibs -> /home/vagrant/website/mylibs vagrant@vagrant:/var/www/public$ However when I try and access my project page on the browser, it does not show up. Instead the phpinfo page from the default index.php is displayed. Am I making a mistake, or can't symlinks be used as I am trying to use them?? Thanks all !
  10. Hi requinix !! Thanks for the reply. You know, at first, I thought the "undefinedtestfest.php" was a file on some remote server trying to do something fishy. Taking a closer look, I assumed that maybe it was a php error, (only that it was a funny way to do it), but then I thought why would the server report something in this manner and not the usual way? But then again I thought since the scripts are invoked through an embedded movie, probably that's why it's displaying in this manner. I never thought that this could be a JS error, probably because I was concerned it may be someone trying something fishy on my machine through a malicious script. I'll look into the js. Thanks loads !
  11. Hi all, I used my localhost after a long time. The embedded flash movie tries to load data from the server via a file called testfest.php when the browser blocks a pop-up which has this message. pop up blocked on the page : http://localohost/myproject/undefinedtestfest.php Does this indicate something malicious? Should I unblock the pop-up and see what happens or maybe that would be unsafe? If this is suspicious then what should I be checking for ? Thanks all !
  12. Hi Guru Barand & all ! Please can someone help me out with this. @Guru Barand: Sir it's not working even when I put the params directly in the JQuery as in #3. Kindly guide. Thanks all !
  13. Hi Guru Barand, Thanks for the reply ! I just tried as follows : In the HTML HEAD block I added <head> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <script language="javascript">AC_FL_RunContent = 1;</script> <script src="AC_RunActiveContent.js" language="javascript"></script> <script type="text/javascript" src="fl.js"></script> </head> & created the fl.js simply as $(document).ready(function(){ if (AC_FL_RunContent == 0) { alert("This page requires AC_RunActiveContent.js."); } else { AC_FL_RunContent( 'codebase', 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0', 'width', '550', 'height', '400', 'src', 'AS3_swf_php_comm_1', 'quality', 'high', 'pluginspage', 'http://www.macromedia.com/go/getflashplayer', 'align', 'middle', 'play', 'true', 'loop', 'true', 'scale', 'showall', 'wmode', 'window', 'devicefont', 'false', 'id', 'AS3_swf_php_comm_1', 'bgcolor', '#ffffff', 'name', 'AS3_swf_php_comm_1', 'menu', 'true', 'allowFullScreen', 'false', 'allowScriptAccess','sameDomain', 'movie', 'AS3_swf_php_comm_1', 'salign', '' ); } }); leaving aside the flashvars for the moment. If I paste the contents of fl.js using <SCRIPT> tags directly in the HTML, all works fine. But with the fl.js as above, I get a perpetually loading favicon symbol and the disabled flash player symbol saying "Click to enable Adobe Flash Player". There is no other error or anything else in the chrome inspector. If I comment out the params section in the fl.js and simply put an alert, the message appears and there is no perpetual favicon. Of course no running swf either. Please help. Thanks.
  14. Hi all. The code embedding the swf file using AC_RunActiveContent.js looks as below: <script type="text/javascript" > AC_FL_RunContent('codebase','http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0','width','800','height','580','align','middle','src','FlashWebsite','quality','high','bgcolor','#ffffff','name','FlashWebsite','allowscriptaccess','sameDomain','pluginspage','http://www.macromedia.com/go/getflashplayer','movie','FlashWebsite' ); </script> 1. I would like to run this off a .js file so that this could be CSP compatible & would replace the above code. 2. I also need to pass two php variables as FlashVars in the above code. For e.g. like this FlashVars = "var1=$var1&var2=$var2" So I would need to pass these two variables from php into the .js file that I wish to create in 1. I would be much obliged for any help on this. Thanks all !!
  15. Hi requinix, yes that's correct ! If I may bring to your attention some of the questions I asked previously. This is to tie best.php to the session to ensure a greater level of security perhaps. and finally I am not sure how to create this key using different parameters. Please illustrate with a small example code if that is not too much trouble. Thanks loads.
  16. Hi requinix ! Thanks for the reply. I am passing it through as an encoded string into the loading movie. It works. Maybe you could just demonstrate how to use the timestamp, domain and a message together with the secret key. The function usage is straightforward. Now that I think about it, the best.php, that's invoked by the loading movie, is lying on my server but is not connected to my main movie. It's as if the movie tunnels through and invokes best.php. The question is how do I tie best.php to the movie through sessions. If I generate a hash_hmac in the HTML/ PHP file that embeds the loading movie, ( the dummy movie), how do I pass this hash_hmac value to best.php, since the two are really not connected through a session ? I hope this is clear to you. Thanks a ton.
  17. Hi requinix, Thanks loads ! The network tab won't give away the movie URL since I am not using a URL to load the movie. Shouldn't the server create the hash of (#1 in your reply) and pass it along with the movie. Then the movie should pass that back to the server, which will verify the hash along with the time window, and then invoke best.php which will load the 2nd movie? Maybe that's what you are saying and I am interpreting it wrong? Please may I request a small implementation ex. of the hash_hmac using timestamp, domain_name, and a secret key. Thanks loads.
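Added example, not part of ajoo's posts #16 and #17 or of any reply in the thread: a token built with `hash_hmac()` over a timestamp, the domain and a message, issued by the page that embeds the loader movie and verified by best.php within a fixed time window. The separator format, the 300-second window and the placeholder secret are choices made for this demo, not anything the thread specifies.

```php
<?php
// Added example (not the thread's code): stateless HMAC token that binds a
// timestamp, a domain and a message to a server-side secret. The embedding
// page calls issue_token() and hands the result to the movie; best.php calls
// verify_token() on what the movie sends back. TOKEN_TTL is an assumed window.
declare(strict_types=1);

const TOKEN_TTL = 300; // seconds a token stays valid (assumption)

function issue_token(string $secret, string $domain, string $message, ?int $now = null): string
{
    $now = $now ?? time();
    // Fields are base64-encoded so no field can contain the '|' separator,
    // which keeps the signed payload unambiguous.
    $payload = implode('|', [(string) $now, base64_encode($domain), base64_encode($message)]);
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

/** Returns the message if the token is genuine, fresh and for this domain; null otherwise. */
function verify_token(string $token, string $secret, string $expectedDomain, ?int $now = null): ?string
{
    $now   = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$ts, $domainB64, $messageB64, $mac] = $parts;

    // Recompute the MAC over exactly the payload that was signed; compare in constant time.
    $payload = "$ts|$domainB64|$messageB64";
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // forged or altered
    }
    // Reject tokens outside the window, which limits replay of a captured token.
    if (!ctype_digit($ts) || abs($now - (int) $ts) > TOKEN_TTL) {
        return null;
    }
    if (base64_decode($domainB64, true) !== $expectedDomain) {
        return null; // issued for a different site
    }
    $message = base64_decode($messageB64, true);
    return $message === false ? null : $message;
}

// Usage with constructed values. The secret must come from server-side config.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';            // placeholder, not a real secret
$token  = issue_token($secret, 'example.com', 'load:movie2');
var_dump(verify_token($token, $secret, 'example.com'));                 // genuine token
var_dump(verify_token($token . 'x', $secret, 'example.com'));           // tampered MAC
var_dump(verify_token($token, $secret, 'example.com', time() + 3600));  // expired
```

To tie the token to the logged-in user as post #16 asks, put something from the session into the message (for example the session id or user id) when issuing, and have best.php compare the value that comes out of `verify_token()` against the current session before serving the second movie. Because the MAC covers the whole payload, a client cannot change the timestamp, domain or message without invalidating it.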
  18. Hi dalecosp & requinix, Thanks for the replies. @dalecosp : hmm, that's what I did and that's where I got the response and request headers from. What should I further check for under the network tabs? @requinix : I think I have already put in quite a bit. If possible, that is what I would like to prevent. The first movie is a dummy to load another through the script. The first movie checks for the domain and if it is on the correct one, it loads the 2nd movie via the php script. Right now I am not sure if the script can be run without the movie or not. I know that movies are never truly safe, yet I want to make it as safe as I can by making it difficult to access. Thanks.
  19. Hi all, I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. I have the headers information below: index.php?ppage (logged in) best.php?r='xxxx..' (invoked the embedded movie that invokes best.php) I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one. I hope I am able to convey my doubt clearly enough. I hope that the experts can either confirm or allay my fears. Thanks all.
  20. Hi Kicken, Thanks for the reply. I have actually tried out your suggestion and I could manage to send the swf, loaded into a string using file_get_contents, into flash. If I echo out the string in php, this is what it gives. But strangely, the length of the string = undefined in Flash. So I am unable to manipulate it. Does this have to do with the fact that the .swf is a binary file format? How can I then store and retrieve it back as a byteArray? Thanks loads.
  21. Hi Kicken, Thanks for the reply. I want to read the swf in its binary executable form and store that into an array. Bytecode is the binary executable that is loaded into memory when executing a .swf file. Thanks.
  22. Hi, Is it possible to read the bytecode of an uncompressed swf file into a binary array in php? If so, how? Thanks all !!
  23. Hi requinix ! Thanks for the reply. I think maybe I was not able to explain the problem clearly enough. As it happens I needed to make only a few changes in the code in loaddata.php and jquery to get it working. Thank you.
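Added example, not part of ajoo's posts #20 to #22 or of any reply in the thread: reading an SWF file into a PHP byte array and parsing its fixed header, which also explains post #20's "length = undefined": the file is binary and has to be moved around as bytes (or base64 text), not as a display string. It goes beyond the question by handling the zlib-compressed CWS form as well as the uncompressed FWS one. The sample SWF bytes are constructed by hand for the demo, and the file path in the last comment is assumed.

```php
<?php
// Added example (not the thread's code): load an SWF into a byte array and
// parse its header (signature, version, length, frame size, rate, count).
// Handles FWS (uncompressed) and CWS (zlib from byte 8 on); ZWS (LZMA) is
// reported, not parsed. Sample bytes below are constructed, not a real movie.
declare(strict_types=1);

function parse_swf(string $data): array
{
    if (strlen($data) < 8) {
        throw new InvalidArgumentException('file too short for an SWF header');
    }
    $sig      = substr($data, 0, 3);
    $version  = ord($data[3]);
    $declared = unpack('Vlen', $data, 4)['len'];   // UI32 LE: uncompressed file length

    switch ($sig) {
        case 'FWS':
            $body = substr($data, 8);
            break;
        case 'CWS':
            $body = @gzuncompress(substr($data, 8));
            if ($body === false) {
                throw new RuntimeException('CWS body did not decompress');
            }
            break;
        case 'ZWS':
            throw new RuntimeException('LZMA-compressed SWF not handled in this example');
        default:
            throw new InvalidArgumentException('not an SWF file');
    }
    // A length mismatch means a truncated or tampered file; stop before parsing it.
    if (8 + strlen($body) !== $declared) {
        throw new RuntimeException("declared length $declared, actual " . (8 + strlen($body)));
    }

    // FrameSize is a RECT: 5-bit Nbits, then four Nbits-wide signed values in twips.
    $bitPos   = 0;
    $readBits = function (int $n) use ($body, &$bitPos): int {
        $v = 0;
        for ($i = 0; $i < $n; $i++) {
            $byte = ord($body[intdiv($bitPos, 8)]);
            $v    = ($v << 1) | (($byte >> (7 - $bitPos % 8)) & 1);
            $bitPos++;
        }
        return $v;
    };
    $nbits = $readBits(5);
    $rect  = [];
    foreach (['xmin', 'xmax', 'ymin', 'ymax'] as $k) {
        $raw = $readBits($nbits);
        if ($nbits > 0 && (($raw >> ($nbits - 1)) & 1)) {   // sign-extend
            $raw -= 1 << $nbits;
        }
        $rect[$k] = $raw;
    }
    $off = intdiv($bitPos + 7, 8);                  // byte-align after the RECT
    $fr  = unpack('vrate/vcount', $body, $off);     // UI16 8.8 frame rate, UI16 frame count

    return [
        'signature'   => $sig,
        'version'     => $version,
        'length'      => $declared,
        'width_px'    => ($rect['xmax'] - $rect['xmin']) / 20,   // twips to pixels
        'height_px'   => ($rect['ymax'] - $rect['ymin']) / 20,
        'frame_rate'  => $fr['rate'] / 256,
        'frame_count' => $fr['count'],
        'bytes'       => array_values(unpack('C*', $data)),      // whole file as a byte array
    ];
}

// Constructed sample: 550x400 px, 24 fps, one frame, ShowFrame + End tags (25 bytes).
$sample = 'FWS' . chr(10) . pack('V', 25)
        . "\x78\x00\x05\x5F\x00\x00\x0F\xA0\x00"   // RECT with Nbits = 15
        . "\x00\x18" . "\x01\x00"                   // frame rate 24.0, frame count 1
        . "\x40\x00" . "\x00\x00";                  // ShowFrame, End

$info = parse_swf($sample);
printf("%s v%d, %dx%d px, %.1f fps, %d frame(s), %d bytes\n",
    $info['signature'], $info['version'], $info['width_px'], $info['height_px'],
    $info['frame_rate'], $info['frame_count'], count($info['bytes']));

// Real file (path assumed): $info = parse_swf(file_get_contents('/path/to/movie.swf'));
```

The `bytes` entry is the plain integer array the question asks for. If the bytes have to travel to another component as text, send `base64_encode($data)` and decode on the other side rather than echoing the raw binary; the length check in `parse_swf()` is also a cheap way to reject a file that was cut short in transit.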
  24. Hi all ! I am using this tutorial and I am modifying it to include csrf protection. The index.php uses getToken(); to generate an anti-csrf token which is then inserted in the form as a hidden input field as below: <tr> <td> <select id="country_dropdown" > <option value="-1">Select country</option> <?php while($stmt->fetch()) { ?> <option value="<?php echo $country_id ?>"><?php echo $country_name ?></option> <?php } ?> <?php // token added as hidden field echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> </select> </td> </tr> <tr> <td> <select id="state_dropdown" > <?php echo $_SESSION['token']; // debug ?> <option value="-1">Select state</option> </select> <?php // The token does not change even when it is changed in loaddata.php. The changed value // does not get reflected here. So adding the below code is useless, so commented out. // echo '<input type = "hidden" name = "token" value = "'.$_SESSION['token'].'" />'; ?> <span id="state_loader"></span> </td> </tr> This scheme works if the same token is to be used for all drop downs. If I destroy and change the token in loaddata.php, the ajax response file, where the data is sent and received from for proceeding to the next drop-down, the change in the token value is not reflected in the index.php since, I guess, that file is not refreshed to load the new token value. So how can I make this work? Please help. Thanks !
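Added example, not part of ajoo's post or of any reply in the thread: the session-bound token check for the AJAX endpoint, and a way to rotate the token per request without the page going stale, by returning the new token in the JSON reply so the client can update its hidden field. The file names loaddata.php and index.php are the thread's; the function names, the `country_id` parameter and the JSON shape are assumptions for this demo.

```php
<?php
// Added example (not the tutorial's or the thread's code): CSRF token helpers
// plus the loaddata.php side of the AJAX exchange. If the token is rotated
// after each request, the new value is sent back in the JSON reply; the page
// must store it before the next request or the check will fail.
declare(strict_types=1);

/** Token generated once per session; index.php puts it in the hidden field. */
function csrf_get_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

/** Constant-time comparison of the submitted token against the session copy. */
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

/** Replace the session token; only needed when rotating per request. */
function csrf_rotate(): string
{
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

// ---- loaddata.php (the AJAX endpoint the dropdowns call) ----
session_start();
header('Content-Type: application/json');

if (!csrf_check($_POST['token'] ?? null)) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid CSRF token']);
    exit;
}

$countryId = filter_input(INPUT_POST, 'country_id', FILTER_VALIDATE_INT);  // assumed field
if ($countryId === false || $countryId === null) {
    http_response_code(400);
    echo json_encode(['error' => 'bad country_id']);
    exit;
}

$states = [];   // placeholder: fill from a prepared statement keyed by $countryId

echo json_encode([
    'states' => $states,
    'token'  => csrf_rotate(),   // client must store this for its next request
]);
```

On the index.php side the jQuery success handler then does the update the post is missing, for example `$('input[name="token"]').val(data.token);` before rendering `data.states` into the state dropdown. If one token per session is acceptable, drop `csrf_rotate()` entirely and the hidden field never needs refreshing; the hidden input should also sit inside the form rather than inside a `<select>`, where browsers discard it.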
  25. Hi all, I would like to clarify 2 aspects of flash security and confirm if they can be intermixed to make an attack. So the aspects are :- 1. The flash application on the original domain is embedded by a hacker/cracker in another page served from another (hacker) domain. 2. The flash is decompiled and served from the hacker domain. The one that actually worries me and I would like to ask about is the intermixing of the two. Let's assume that the flash application (swf file) has been downloaded and de-compiled by a hacker and he removes whatever little protection there is in there to check if the swf is running in its original domain . Now he can upload that into another domain (hacker domain) and serve it from there. The question is a) What about the data that the movie requires to be run. This data is placed on the original server. Can the hacker domain somehow get the data from the original server in real time and serve it to users from the hacker domain to whomsoever? If so how, and how difficult would it be? b) If the original server uses secured sessions and user verification (via a login panel of course) before serving the files, would the above (a) still be possible if at all ? c) What if the hacker is also a legitimate user and is able to log in into the original server as a user? Or is that not a big deal ? If the data can be hijacked and used in real time by the hacker domain, what measures can effectively block it and prevent it? Thanks all !