I have a questions, and I would love you to try to answer it.
Is it possible to get the list of files from a remote folder in java, knowing just the URL???
for example:
http://localhost/img get all the images names in this directory.
Thanks in advance
When you are talking about a remote folder, it depends on how you are accessing it.
If it is via a network share, such as \localhost\mypath AND you have access to browse the files, you will be able to do so, just like you would with a local directory.
However, if you are trying to browse a directory on a web server, the web server would have to give you directory browsing ability for you to work with it.
Related
I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django, would know how to form this directory path if they knew the Django project directory but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest usually being error logs;
If in your django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or apache configuration to learn what is your project directory...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
I would like to open PDF file inside my Django application, something like
file:///...
I know that a lot of posts state that this should not be done because security reason, and that google block this calls with error. link.
But, I know that:
I saw this behaviour so, I know it can be done somehow
I don't have security risk, because application is internal, not connected to the internet (available over lan)
Protocol file:/// wouldn't exist if there wouldn't be a way to use it.
I also read somewhere that you need to put file in 'public' if you would like to access it via this method. Do anyone know how to do this?
file:// is only available for browsers, not servers.
If you want your Django application to access local files, you need to upload them to the Django application server (at which point they're not really local).
(If the application server is running on the same machine as the client, naturally you can use Python's usual file functions to read the local file system.)
JavaScript can also access local files and process them in-browser as long as they're manually selected by the user.
I've created a web application that runs a web service (WCF). The source code is long gone but I just checked that the app itself is still up and running. Given that I have the address to the service (something.azurewebsites.com) and the name of one of the methods exposed (parameterless Ping), how can I learn the location of the WSDL file?
As far I recall, I've exposed it the most common way, the publish file fetched from the suggestion on Azure portal. I'd like to just call the method Ping to verify something, so rebuilding a whole new service seems a bit overkill.
Suggestions on what the exact URL might be? Alternatively, suggestions on a tool to sniff that up?
Go to the Azure portal and find the FTP address for your "something.azurewebsite.net". Then use an FTP program to connect to the server and browse the files. This way you might be able to find the ".svc" file. For that matter, you might be able to download all of your code and use a tool like Reflector to view the .Net compiled code.
I am hosting my website on a linux server with php5 (no mySQL). Now I am the administrator, and I'm building my first website. I want to know about security, how do I secure my site from malicious injections and hackers? With the htaccess file? And what do I need to put in there?
Any help appreciated.
Thank you
If you have no SQL, you don't have to worry about injection attacks.
Security for your site depends on what you have running on your site. If it's only PHP, I suggest keeping important code which may reveal things such as passwords and authentication keys or functions in a separate php file outside of your wwwroot and include them.
Example:
Your website runs in /home/wwwroot/
Put your php files with important data or functions in /home/privatephp/
Now in all your php files where you want to use those private functions or call on data that you want hidden, you simply use
include (../privatephp/privatestuff.php); at the top of each php file.
Your privatestuff.php file can contain such things as
$adminusername="imtheadmin"; or $adminpassword="adminpassword";
Then you can simply reference those variables in any PHP file where you have used the include command.
I am trying to create simple flex application, which uses django as a back-end part. Have a question:
Usually when I run my application Flex Builder creates a file in a directory on my local PC and then opens a browser and points to it. Everything was fine, but when I decided to link django server to flex applications via xml data providers I started to get security errors. (Related to absence of crossdomain.xml). When I created the file and put it on the server:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="http://127.0.0.1:8000"/>
<allow-access-from domain="127.0.0.1"/>
</cross-domain-policy>
Then tried the application again, I got error in console of my FB Error: Request for resource at http://127.0.0.1:8000/go/active/ by requestor from file:///Users/oleg/Documents/FB3/usersList/bin-debug/usersList.swf is denied due to lack of policy file permissions.
I don't know how to fix the error. But also the question is there a way to configure FB3 to put my swf files to the server directly, so I will not need any crossdomain?
Thanks
Oleg
We struggled with this a lot. The Flex security stuff didn't strike me as well built, but perhaps we just had different approaches in mind than Adobe's developers. The solution that worked for us was to serve both the SWF and the dynamic data from the same host and port.
On our development boxes, we tell Apache to serve the SWF from a directory in the workspace, and the dynamic data from a local copy of the app. When we push to production, SWF and app get pushed simultaneously to the same virtual host.
If that's inconvenient for you, the Apache ProxyPass directive can be used to make Apache front for other servers. I've not used that in production, but it's been very handy for developer setups.
I don't know a way to get FlexBuilder to automatically deploy your changed SWF; you could certainly look into an automation approach (like Maven and Flex-Mojos) to make that happen.
That said, getting rid of that error is usually just a matter of adding a policy file to the server.
The second error is caused because you're trying to fetch http resources from a "file" location. My recommendation is that you change your Flex Builder project so it outputs to a location within the Django web site, rather than to the flex-bin directory. This setting can be changed in the properties dialog of the project. Then, you should be able to have your front-end and back-end share the same protocol and domain.