I'm developing a Windows intranet application in C++ which needs to download a settings file from a predefined URL hosted on a webserver on the intranet.
This file would be updated every few weeks and I need to get it only if it has changed.
To avoid unnecessary downloads I wanted to know if there is a standard HTTP method to only request the hash of the file to the webserver to prevent a full download if the file has not changed.
I'm still in the design phase and the idea would be to use CURL library on the client to download the file and Apache as a webserver, but I'm also open to other solutions.
Related
I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django, would know how to form this directory path if they knew the Django project directory but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest usually being error logs;
If in your django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or apache configuration to learn what is your project directory...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
I would like to open PDF file inside my Django application, something like
file:///...
I know that a lot of posts state that this should not be done because security reason, and that google block this calls with error. link.
But, I know that:
I saw this behaviour so, I know it can be done somehow
I don't have security risk, because application is internal, not connected to the internet (available over lan)
Protocol file:/// wouldn't exist if there wouldn't be a way to use it.
I also read somewhere that you need to put file in 'public' if you would like to access it via this method. Do anyone know how to do this?
file:// is only available for browsers, not servers.
If you want your Django application to access local files, you need to upload them to the Django application server (at which point they're not really local).
(If the application server is running on the same machine as the client, naturally you can use Python's usual file functions to read the local file system.)
JavaScript can also access local files and process them in-browser as long as they're manually selected by the user.
I am working on a ColdFusion application which required to scan a file for virus before it upload to server.
Is it possible?
There's no guarantee that the user even has an anti-virus program in the first place. Even if it was possible for JavaScript to call a desktop program on the user's computer (it can't), you wouldn't know if there was one or which one they had.
Your only choice is to upload the file to your server:
Verify that the file being uploaded is of the correct mime-type and content for what you're expecting.
Make sure that you upload it to a folder that is not publicly available to your website.
Run it through the anti-virus program on your server
There are more tips for securely uploading files on Pete Freitag's site.
I'm facing a problem when I deploy a DTSX File to a production server.
In the DTSX file I consume a WebService through the Web Service Task,
The WebService asks for a WSDL File that it has to download from a local path.
There is no problem in my machine, but in the production server it won't ever exists.
I think it is not acceptable to ask to my client to get me permissions to enter in his production server and create a folder to store that wsdl file. In addition what will happen when the wsdl changes? I will have to deploy my dtsx package again and also replace the wsdl file in the server. So I think it is not an option.
So, my question is,
Is there a possible way to avoid to have a physical file with the wsdl especifcation, or it could be deployed within the dtsx deployment package, or save it in a variable, or how else I could do that?
I've been searching a lot, but still not luck.
Any help would be really appreciated.
To achieve this, one option would be to make use of Script Task and with the help of .NET namespace System.Net.WebClient, you can access the WSDL URL path and download the contents of the WSDL file to the system's temporary folder path. You can get the system's temporary folder path, which is the value of the environment variable TEMP, using the .NET method System.IO.Path.GetTempPath(). The newly generated temporary path of the WSDL file can be then stored in an SSIS package variable, which can then be configured in the Web Service Task for it to use instead of relying on a local path. Initially, during development you will need to have the WSDL file in the local path but once you deploy the package to the production, the WSDL file need not exist on the local drive.
Hope that helps.
I am trying to create simple flex application, which uses django as a back-end part. Have a question:
Usually when I run my application Flex Builder creates a file in a directory on my local PC and then opens a browser and points to it. Everything was fine, but when I decided to link django server to flex applications via xml data providers I started to get security errors. (Related to absence of crossdomain.xml). When I created the file and put it on the server:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="http://127.0.0.1:8000"/>
<allow-access-from domain="127.0.0.1"/>
</cross-domain-policy>
Then tried the application again, I got error in console of my FB Error: Request for resource at http://127.0.0.1:8000/go/active/ by requestor from file:///Users/oleg/Documents/FB3/usersList/bin-debug/usersList.swf is denied due to lack of policy file permissions.
I don't know how to fix the error. But also the question is there a way to configure FB3 to put my swf files to the server directly, so I will not need any crossdomain?
Thanks
Oleg
We struggled with this a lot. The Flex security stuff didn't strike me as well built, but perhaps we just had different approaches in mind than Adobe's developers. The solution that worked for us was to serve both the SWF and the dynamic data from the same host and port.
On our development boxes, we tell Apache to serve the SWF from a directory in the workspace, and the dynamic data from a local copy of the app. When we push to production, SWF and app get pushed simultaneously to the same virtual host.
If that's inconvenient for you, the Apache ProxyPass directive can be used to make Apache front for other servers. I've not used that in production, but it's been very handy for developer setups.
I don't know a way to get FlexBuilder to automatically deploy your changed SWF; you could certainly look into an automation approach (like Maven and Flex-Mojos) to make that happen.
That said, getting rid of that error is usually just a matter of adding a policy file to the server.
The second error is caused because you're trying to fetch http resources from a "file" location. My recommendation is that you change your Flex Builder project so it outputs to a location within the Django web site, rather than to the flex-bin directory. This setting can be changed in the properties dialog of the project. Then, you should be able to have your front-end and back-end share the same protocol and domain.