I am trying to create simple flex application, which uses django as a back-end part. Have a question:
Usually when I run my application Flex Builder creates a file in a directory on my local PC and then opens a browser and points to it. Everything was fine, but when I decided to link django server to flex applications via xml data providers I started to get security errors. (Related to absence of crossdomain.xml). When I created the file and put it on the server:
<?xml version="1.0"?>
<!-- http://www.foo.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="http://127.0.0.1:8000"/>
<allow-access-from domain="127.0.0.1"/>
</cross-domain-policy>
Then tried the application again, I got error in console of my FB Error: Request for resource at http://127.0.0.1:8000/go/active/ by requestor from file:///Users/oleg/Documents/FB3/usersList/bin-debug/usersList.swf is denied due to lack of policy file permissions.
I don't know how to fix the error. But also the question is there a way to configure FB3 to put my swf files to the server directly, so I will not need any crossdomain?
Thanks
Oleg
We struggled with this a lot. The Flex security stuff didn't strike me as well built, but perhaps we just had different approaches in mind than Adobe's developers. The solution that worked for us was to serve both the SWF and the dynamic data from the same host and port.
On our development boxes, we tell Apache to serve the SWF from a directory in the workspace, and the dynamic data from a local copy of the app. When we push to production, SWF and app get pushed simultaneously to the same virtual host.
If that's inconvenient for you, the Apache ProxyPass directive can be used to make Apache front for other servers. I've not used that in production, but it's been very handy for developer setups.
I don't know a way to get FlexBuilder to automatically deploy your changed SWF; you could certainly look into an automation approach (like Maven and Flex-Mojos) to make that happen.
That said, getting rid of that error is usually just a matter of adding a policy file to the server.
The second error is caused because you're trying to fetch http resources from a "file" location. My recommendation is that you change your Flex Builder project so it outputs to a location within the Django web site, rather than to the flex-bin directory. This setting can be changed in the properties dialog of the project. Then, you should be able to have your front-end and back-end share the same protocol and domain.
Related
I am just about to go live with a website and am addressing security issues. The site has been public for some time but not linked to the search engines.
I log all incoming requests and today noticed this one:
GET /home/XXXXX/code/repositories/YYYYY-website/templates
where XXXXX is a sudo user on my server and YYYYY is my company name.
This is actually the structure of my Django project code.
My website is coded using Django and runs under Apache2 on Ubuntu.
My question is how can this guy possibly know the underlying code/directory structure on my server, in order to create this request?
Their IP is : 66.249.65.221.
They come up as 100% a hacker on https://ip-46.com
Any contributions welcome.
EDIT1 25/11/2019
With some helpful input from Loïc, I have done some investigation.
The Ubuntu 18.04 server is locked down as far as logging in goes - you can only get in with one of my private keys. The PostgreSQL is locked down - it will only accept connections from one IP where my dev machines reside. RabbitMQ is locked down - it won't accept ANY external incoming connections. The robots.txt allows all crawling but the robots meta restricts access to about 12 pages only.
Somebody who knows Django, would know how to form this directory path if they knew the Django project directory but they also have this relative to root on the server. The only place where this is available is in the Apache2 config file. Obviously Apache needs to know where to pick up the Django web server.
I am 99% sure that this 'hacker' got this via some sort of command to Apache. Everything is redirected to port 443 https. The above GET request doesn't actually do anything because the url doesn't exist.
So to make the question more refined. How can a hacker pull my Django absolute project path from my Apache2 config file?
There are a lot of different ways to learn about the directory structure of a given server.
The easiest usually being error logs;
If in your django settings, DEBUG is set to True, it is very easy for an attacker to get the directory structure of your project.
Then there is LFI, a security issue allowing an attacker to read local files. It's then possible to read some logs, or apache configuration to learn what is your project directory...
The problem could come from another service running on your server as well...
One cannot really give you a complete answer on this topic, as there are a lot of different ways this could happen.
I've created a web application that runs a web service (WCF). The source code is long gone but I just checked that the app itself is still up and running. Given that I have the address to the service (something.azurewebsites.com) and the name of one of the methods exposed (parameterless Ping), how can I learn the location of the WSDL file?
As far I recall, I've exposed it the most common way, the publish file fetched from the suggestion on Azure portal. I'd like to just call the method Ping to verify something, so rebuilding a whole new service seems a bit overkill.
Suggestions on what the exact URL might be? Alternatively, suggestions on a tool to sniff that up?
Go to the Azure portal and find the FTP address for your "something.azurewebsite.net". Then use an FTP program to connect to the server and browse the files. This way you might be able to find the ".svc" file. For that matter, you might be able to download all of your code and use a tool like Reflector to view the .Net compiled code.
I am still a newbie to Python and Django. I am developing a application using Django which will eventually go to the production server. It's a customized web application for the client. After doing some research, I found out Apache with mod_wsgi is the best option for Django deployment. I just have to copy and paste the code into the production server and the application is accessible. But what if I don't want to give the whole source code and give only the executable application to the client(P.S client wants to deploy the application to their own server). Is something like this possible in Python/Django?
You could only give them the .pyc files corresponding to your source code files. That will make it slightly harder for them to look at your source code. However, it's a very limited measure (i.e. they can still recover some of the structure from your source code), and it's probably a bad idea.
I have a setup with one authoring site and two remote publishing sites.
If I publish from the /Home/ content tree from authoring that is reflected in all remote targets.
If I publish from any other content tree, say /Quotations/, that is not reflected in any of the remote targets. It is, however, reflected on the authoring machine's "Internet" site so the changes are being published locally.
The log file on the authoring site says that the publish of the Quotations content tree worked correctly and that N number of items were published (varies depending on how much I change and/or if I do a full or incremental publish but N is about what I expect it to be).
I'm feeling I've missed something in configuration but not sure where to look.
Many thanks!
rjsjr
A couple of ideas:
Are the templates and other items needed on the remote targets there to properly store the content? If "Quotations" is using different templates that aren't published onto the remote target then you may be publishing empty content items.
Are the remote targets configured within Sitecore's config files to be the proper databases to be pushing the content?
Time for another approach, could we isolate the problem to being one of the following:
DB server. This would be taking the database for the remote target and running it on another web server to ensure that the DB is doing everything correctly in terms of serving up the data.
Web server. This would be taking the web server that hosts the remote target and pointing it at another server to see that there isn't anything wrong with the web server like a misconfiguration in IIS or something like that.
Connectivity between the two. This is what is left if the DB works with another web server and the web server works with another DB server as each part can be eliminated as the problem being solely in one area.
Or do we know it is that last one that is the ugliest one to try to debug?
Are Home and Quotations siblings of each other? If not, then there may be something above Quotations that is the source of the problem.
That I don't know. I'd be tempted to ask this on the Sitecore forms on their site if you are certified in Sitecore you should be able to access it.
I deployed webservice written in .net language through IIS from my local machine,Is there any possible way to access remote HTTP server which contain different OS and different technologies
Sorry for being confused, but can you define:
different OS and different
technologies
Do you mean deploy your webservice to another host or
Do you mean consume a webservice from another host?
Option 1
If the host is not running IIS/ASP.NET I think you are going to have some issues as Mono may not run what your code base requires.
But you could try the following:
publish your site to a folder
zip up that folder
scp/ftp/upload this zip to the remote server
unzip the files (or upload individual files/folder) to directory configured by IIS Management
try to run
Option 2
You need to use either the svcutil tool to create the proxy clients to consume that webservice or you use the Add Web Reference in Visual Studio to automate this for you.
Hope this answers your requirements. Update your question with more information for the community to offer more support.
I think that is one of the main things that web services are for.