Non secure webApp showing unauthorised access on submission?

I've created a page (non-secure) which has a web app (non-secure), but when I add entries to my fields and submit, it displays system unauthorised page access. Can anyone enlighten me on this issue?

Not to display, if you want to output a list of web app items then you can, unless you have made them secure.
But to be able to have an edit or add form you have to be logged in.
Dayle is correct that you can run a trick to run in the background; a guide by Mario is on these forums, for example, on that, but you do need to know JavaScript/jQuery to be able to implement that.

Similar Messages

  • SSO to ITS through WebSEAL gives secure/non-secure messages

    Hi
    We are running the following setup:
    EP6 SP14
    Stand-alone ITS 6.20 patch 18
    4.7 R/3 Enterprise
    TAM/WebSEAL 5.1
    We are running SSO through WebSEAL to the portal and everything seems to be working just fine.
    But when we try to access a transactional iView or an IAC iView running on the ITS server I get a pop-up message saying "This page contains both secure and nonsecure items."
    We are accessing WebSEAL through HTTPS, we are running HTTPS between WebSEAL and the portal and HTTP between WebSEAL and ITS.
    I have tried to access the ITS through WebSEAL without using the portal, and I still get the message. So it must be something between the WebSEAL and the ITS server.
    Does anybody have any ideas what is causing this?
    Cheers,
    Jacob Vennervald

    The "secure and non-secure" message, displayed when accessing ITS through WebSEAL when using IE and HTTPS, is caused by an empty source reference (<IFRAME ... SRC="" ...>) within the ITS menu page (...d_menu.html).
    The integration guide, available on the IBM website (http://www-1.ibm.com/support/docview.wss?uid=swg24003605) and the SAP SDN (http://www.sdn.sap.com/irj/sdn/developerareas/ibm), contains the information on how to stop the message from appearing.
    The message should not be displayed when accessing ITS through WebSEAL using HTTP.
    Regards,
    Peter Tuton.
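
An added example, not part of the original thread or of the integration guide it cites: a small Python check that scans a page served over HTTPS for the empty IFRAME source described in the reply above, plus any absolute http:// subresources. The sample markup, the host names and the `scan` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {
    "iframe": "src", "frame": "src", "script": "src", "img": "src",
    "embed": "src", "object": "data", "link": "href",
}


class MixedContentScanner(HTMLParser):
    """Collects subresources that make an HTTPS page 'secure and nonsecure'."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.findings = []  # tuples of (line, tag, reason, raw attribute value)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)  # tag names arrive lower-cased
        if attr is None:
            return
        attrs = dict(attrs)
        if attr not in attrs:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched as page content
        value = (attrs[attr] or "").strip()
        line = self.getpos()[0]
        if value == "":
            # The case from the ITS menu page: <IFRAME ... SRC="" ...>
            if tag in ("iframe", "frame"):
                self.findings.append((line, tag, "empty-src", value))
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((line, tag, "insecure-url", value))


def scan(html, page_url):
    """Return findings for a page; a page served over HTTP has nothing to mix."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample markup (not taken from a real ITS installation).
SAMPLE = """<html><head>
<script src="/its/js/menu.js"></script>
<link rel="stylesheet" href="http://its.example.test/style.css">
</head><body>
<IFRAME NAME="work" SRC="" WIDTH="0" HEIGHT="0"></IFRAME>
<img src="//static.example.test/logo.gif">
<iframe src="/its/webgui"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason, value in scan(SAMPLE, "https://webseal.example.test/menu.html"):
        print(f"line {line}: <{tag}> {reason} {value!r}")
```
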

  • My DVR security software that I access remotely uses a "dvr .ocx" file....when I try it in Firefox, either the latest non beta (3.6.1.5) or the new beta version (4.0 rc) it will NOT work as it says the plugin is missing... it works in IE 8, but not IE9...

    My machine is Top of the range (my Company builds them so it had better be :) )
    Amd 1100t , 8gb ram , Windows 7 64 bit etc, etc...
    This is not a hardware problem, but a software problem with FF...Any help would be appreciated as I hate using IE 8 for anything at all :( but I have to keep it on my machines just to run my remote security cameras at my Computer shop ???
    Original question...as question length is limited ...not very bright that limit by the way :(
    "My DVR security software that I access remotely uses a "dvr .ocx" file....when I try it in Firefox, either the latest non beta (3.6.1.5) or the new beta version (4.0 rc) it will NOT work as it says the plugin is missing... it works in IE 8 (unfortunately) but not IE9...
    As I own a Computer company I am fairly computer literate but cannot find a plugin that allows this to work in Firefox.... but I would have expected it to work in the new Firefox :(
    All the best, Brett :)

    The longer this thread continues, the more ancillary comments you throw in that aren't directly pertinent to your problem with your DVR software not working with Firefox 4.0. Sorry, I don't intend to continue with this discussion.
    I do agree that ''something'' needs to be done better with regards to plugins for Firefox, but I do disagree with you as to whose responsibility that ''something'' is.

  • Secure and non-secure access to the web application in one war

    Say we have one web application (in one war) which includes JSP, servlets and the security interceptor. There is one business requirement to have most of the JSP(s) accessed via HTTPS, but a few JSP(s) accessed via HTTP.
    My questions are:
    a. Is this possible, or a reasonable requirement or a good practice?
    b. If yes, what can we do to make it happen in the security interceptor implementation?
    c. If not, what are the technical reasons?
    Thanks much.

    a) Yes, it is reasonable and good practice; there is an overhead using https, so you should only encrypt files you need to. When you use an online store, only account details / payments are https, the shop itself is http.
    b) I don't really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non secure files in a different folder. Whenever a page in the secure folder is accessed, https is automatically invoked.

  • SSL problems with "non-secure elements"

    hello all
    We have made a WEB application based on Tomcat and Apache Struts. We have setup with SSL.
    SSL goes to Apache HTTP server, which speaks with Tomcat via ajp13.
    The problem is that IE sometimes shows error message "This page contains both secure and non-secure elements. Do you want to display non-secure elements ?". I think it has to do something with javascript, because after that error message javascript doesn't work anymore. If I click javascript error icon, it says "access is denied".
    That error happens randomly, I can't repeat it at the same place.
    Can anyone help me somehow?
    Under what circumstances does IE display that error? We use version 6.0
    Maris Orbidans

    It turned out to be a Micro$oft bug
    http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b269682
    It seems that IE 6.0 has the same bug as 5.5.
    SYMPTOMS
    When you are using Secure Sockets Layer (SSL) and you click a link, you may receive the following warning message:
    This page contains both secure and non secure items. Do you want to display the non secure items?

  • ST03N shows users accessing transactions even when not logged in

    Hello all...
    We are trying to determine how many times a user executed a transaction during a specific period, and are using ST03N to do this. 
    We get the information fine, but it shows non-system users as having accessed transactions on days they are not logged in or it shows excessive use of a transaction (i.e. 8000 times in a 20 day period).
    We have confirmed that no batch jobs or system jobs are running or have run under their IDs. Additionally, it shows use of transactions which the users are not authorized to use.
    Please help as we are trying to explain this for SOX purposes.
    Cheers all!
    Joe Johnson

    Thanks for the replies...
    We can use AL08, but it doesn't show any user activity for the specific users that keep popping up in ST03N.
    RFC calls seem to be closest to explaining this, but how can one track the calls made by a user?  Additionally, if the ID is not authorized to perform a transaction shouldn't the RFC call fail?

  • Using the Security Manager to restrict access to a single package

    After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would be possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
    Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
    Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
    But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
    Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
    It seems to me that this is a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
    The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client, and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

    You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for the application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

  • Setting privileges to a non-root user account to access ports

    Hello ,
    I am trying to do an icmp-ping to a machine in the network from an application by connecting to icmp port through a raw socket.
    My question is: I am able to connect to icmp port using raw socket only in root user account. But my application should run under a non root user account and do the ping for me.
    1) How do I set privileges to a particular user to access icmp port?
    I am running the application on solaris 9
    2)I read a paper on net saying ports from 0 to 1024 can only be accessed by a root user account?
    Why is this and what can be done for a non-root user account to access these ports.
    3) Is this possible in solaris 9.
    Thanks in Advance,
    cheers,
    pal

    There is only one solution: create a new Standard user account and set it as your auto login account, if you use that feature.
    Using what you describe is mostly a false sense of security. Were someone to hack into the computer they could hack into the standard account, so you would not wish to keep any sensitive data in that account. Other things to consider:
    Turn on your Firewall in Security & Privacy preference panel.
    Use software to mask your online presence such as ProxyCap 2.03, MacProxy, Proxifier, or Hotspot Shield.

  • Mozilla to phase out non-secure HTTP

    Mozilla has announced its intent to phase out all use of "standard" HTTP, replacing it by the (more-)secure HTTPS.   This involves:
    Setting a date after which all "new" features will be available only to secure websites
    Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy....
    The second element of the plan will need to be driven by trade-offs between security and web compatibility.  Removing features from the non-secure web will likely cause some sites to break.
    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

    Thank you, thank you, thank you FredMcD!! It was my AVAST anti-virus software. I had the "Web Shield" turned on, so all I did was turn it OFF, so now I can browse on the Internet on any website. When you first install Avast anti-virus, the Web Shield by default is turned on. This really should be turned off as not to freak out new users, especially by those that are not computer savvy. I cannot thank you enough! Take care. :-D

  • Security pane in preferences is missing cookies, databases and non-secure forms options?  Also Privacy Pane is totally blank?

    I wanted to delete some cookies. But when I went to the Security Pane in Safari Preferences, it does not show any of the following categories/settings option: nothing for cookies (nothing for accept or show or anything else about cookies), nothing for databases, and nothing for non-secure forms. No controls for these are showing in the Security pane. Also, the Privacy Pane in Safari preferences is totally blank--I can't set anything on that. Where are these controls/settings options, why can't I see them? I am using OSX 10.6.8 and Safari Version 5.1.9, I have a Mac Book Pro 3.06 Intel. Thanks.

    Uninstall SIMBL as follows. Back up all data before making any changes.
    Triple-click the line below to select it, then copy the text to the Clipboard (command-C):
    /Library
    In the Finder, select
    Go ▹ Go to Folder...
    from the menu bar, paste into the box that opens (command-V), and press return. A folder will open. From that folder, delete the items listed below (some may be absent.) You may be prompted for your administrator login password.
    Application Support/SIMBL
    InputManagers/SIMBL.bundle
    LaunchAgents/net.culater.SIMBL.Agent.plist
    ScriptingAdditions/SIMBL.osax
    Log out and log back in.
    Make sure you never reinstall SIMBL. It’s likely to come bundled with another third-party system modification that depends on it. If you want trouble-free computing, avoid software that makes miraculous changes to other software, especially built-in applications. The only real exception to that rule is Safari extensions, which are mostly safe, and are easy to get rid of when they don’t work. SIMBL and its dependents are not Safari extensions.

  • Securing data from dba access , like Credit Card Details

    Hello ,
    is there any way of hiding CC details from all users in db level except specific users
    encrypting cc data like oracle hashed passwords
    for ex,
    case (1)
    user 1 ( has access to these details )
    select acc#,customer_name from cc_details
    output : it will show all the details decrypted
    case (2)
    user 2 : ( doesn't have access )
    select acc#,customer_name from cc_details
    output : it will show all the details encrypted
    both in db level , like using sqlplus or toad
    any idea!
    thanks and regards,

    Hi, Peter,
    You wrote:
    > Can you please document the problems you mention for Patch Sets/ CPU?
    > What are the vulnerabilities? Search Alex's Web site but didn't find anything in regards to DBVault.
    I've told about these
    http://dms.aladdin.ru/file.php?id=d7eb03f7f47ec3c68f4b1f1fe3317119
    http://dms.aladdin.ru/file.php?id=88cf1d7a962eddf7e57e2447d1e5b207
    and may be this
    http://dms.aladdin.ru/file.php?id=232eb8ed58d04295bb3920dbe805358d
    (Note: The link will be valid until 26 Jun 2008 GMT).
    In reg's to reading data from datafile, that's where TDE comes into the picture; then no-one can read from data file directly.
    > There is no user who owns TDE; TDE is enabled on a database-wide level. So the normal data owner (who is the only who should have full access to his own data with DBVault) can use TDE to encrypt; no extra privileges needed.
    I’ve told about the user who is the owner of the database wallet (usually SYS). He can temporarily disable encryption, take the data, then restore encryption.
    > DBVault and TDE should be the perfect match for 'securing data from dba access , like Credit Card Details'
    In other words we have yet another administrator (DV owner) instead of the good old SYS :)
    And I have a question: in case the protection with DV of some tables was made from the SYS, can he make (in example) full backup or full export of the data (his ordinary administrative tasks)? If yes, then it isn't protection, if no, then...what?
    The solution is somewhere else, I think

  • Non-secure DDNS security risk?

    We are running a 2008R2 domain. Our DCs are also DHCP/DNS(ADI) servers. The DCs are also member of the DNSUpdateProxy group. We do not have an account being used for passing Dynamic Update credentials.  I read something from Ace Fekay that said
    this is not recommended for DCs, with DNS/DHCP to be in the DNSUpdateProxyGroup, but the DCs are obviously not using DHCP and the security on their records looks fine. 
    We are set to allow both non-secure and secure updates because we have some access points and some HP ILOs(Integrated Lights-Out clients) that are not on the domain and using dhcp. I know that allowing non-secure updates is a huge risk, but
    trying to get details about the risk. We are also set to "Always dynamically update DNS records" & "Dynamically Update DNS records for clients that do not request updates." Almost all of our servers(the main risks we
    care about) are not using DHCP, except for the ILOs.  We are not using NAP.  Here are the questions.
    1.  DNS Spoofing with Windows computer - If someone brings in a windows computer with the same computername as one of our critical servers(obviously it will be off the domain) can it grab an IP address and update the record of the critical server? - I was
    thinking it would detect the naming conflict.
    2. DNS spoofing with Linux computer -  If someone brings in a Linux computer with the same computername as a critical server, can it grab the IP address for a critical server that has a static address?
    I am trying to find some real world scenarios to get approval to switch to "secure-only" updates  The biggest risk from doing that is that we have trouble finding all the DDNS records. Then some expire and we lose connectivity to those resources
    until we get it fixed.  If anyone can throw some realistic disaster scenarios at me, I would appreciate it.
    Thanks,
    Dan Heim

    Hi,
    If you have installed the DHCP service on a domain controller, be absolutely certain not to make that server a member of the DNS Update Proxy group. Doing so would
    give any user or computer full control of the DNS records corresponding to the domain controllers, unless you manually modified the corresponding ACL. Moreover, if a DHCP server that is running on a domain controller is configured to perform dynamic updates
    on behalf of its clients, that DHCP server is able to take ownership of any record, even in the zones that are configured to allow only secure dynamic update. This is because a DHCP server runs under the computer account, so if it is installed on a domain
    controller it has full control over DNS objects stored in the Active Directory.
    For non-windows computers, you can enable name protection.
    For more information please refer to:
    Secure Dynamic Update
    http://technet.microsoft.com/en-us/library/cc961412.aspx
    Configuring Name Protection
    http://technet.microsoft.com/en-us/library/dd759188.aspx
    Hope this helps.

  • Dsee 6.3.1 - disable non-secure port

    I disabled access to the non-secure port on my ldapserver as I only want clients to talk to my server using ssl (tls:simple)
    root@ldapserver#/> dsconf set-server-prop ldap-port:disabled
    After the compulsory restart, I was no longer able to bind a client (even if I tell it to connect on port 636) :
    root@ldapclient #/> ldapclient init -v -a profileName=SB -a domainName=unix.mydomain.com -a proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com ldapserver.mydomain.com:636
    Parsing profileName=SB
    Parsing proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    Arguments parsed:
    proxyDN: cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
    profileName: SB
    defaultServerList: ldapserver.mydomain.com:636
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    __ns_ldap_list return NULL resultp
    findBaseDN: Err exit
    LDAP ERROR (85): Error occurred during receiving results. Timed out.
    Failed to find defaultSearchBase for domain unix.mydomain.com
    I know my certs are good as ldapsearch returns data as I would expect...
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com uid=myuser
    returns my userid.
    There is an anonymous read only ACI in place:
    root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com -s base "(objectclass=*)" aci
    aci: (target ="ldap:///dc=unix,dc=mydomain,dc=com")(targetattr!="userPassword")(
    version 3.0;acl "Anonymous read-search access";allow (read, search, compare)
    (userdn = "ldap:///anyone");)
    As soon as I re-enable standard 389 access the client init works fine again....
    Am I missing something here?
    Does the `ldapclient init` command need to make a 389 connection first before it downloads the profile which tells it to use tls:simple and therefore port 636 from then onwards?

    quote:
    SSL enables support for the Start TLS extended operation that provides security on a regular LDAP connection. Clients can bind to the non-SSL port and then use the Transport Layer Security protocol to initiate an SSL connection. The Start TLS operation allows more flexibility for clients, and can help simplify port allocation.
    [http://docs.sun.com/app/docs/doc/820-2765/gdzdc?l=en&a=view]

  • Non-secure login for 5.0 ip services

    How do I change to non-secure login on phones for ip services in 5.0?
    Thanks,
    Andy

    This gives you access to all your subscribed services without logging in every time. Keep in mind that anyone can access your information if your login mode is set to non-secure.
    You need to use the SCCP Phone Security Profile in CallManager 5.0
    http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a0080645855.html

  • I've received an email of an unauthorised access which states it was done in Canada, is there any way I can request Apple to inform me what the IP address that made unauthorised access was?

    I've received an email of an unauthorised access which states it was done in Canada, is there any way I can request Apple to inform me what the IP address that made unauthorised access was?
    I want to know as it possibly relates to other security issues I've had of late and it would help further my investigation. Would a subject access request possibly allow me to receive this information? As far as I know there's no way to see a list of when and where I sign in using my Apple ID?

    Sorry but no, Apple cannot give you that information. The only way they could give anyone such an IP address would be if they received a court order to do so, if even then; I don't know what sort of tracking and logs they do.
    However, if this email claimed that someone had tried to reset your password and in any way gave you a link to click to confirm your account information, the email was almost certainly a phish. Such phishing messages have been quite common over the last two or three weeks and should be deleted without responding. You may wish to manually type in the URL for Apple's page for managing an Apple ID and change your password, just as a precaution, and make sure you've set good security questions using responses that can't just be looked up for you (they don't have to be real information; you can use any response you wish as long as you can remember what you entered).
    Regards.
