Can Cookies Be Set Manually To Bypass Security

Aug 24, 2007

I have put an Access database inside an access_db folder on Godaddy and written some .asp pages that query it. I am trying to make sure that I take necessary precautions against hackers reading or even writing to the database. Maybe someone can give some remarks about whether any of these concerns are realistic, and if so, why and what I could do about it?

1) Could someone somehow navigate directly to the database and read or write to it (the access_db folder seems to have no read/write permissions as set by default by Godaddy, but how secure is that?)

2) I permit entry through use of a userid and password that are looked up in an mdb in the same folder (not listed in the html itself). If there's a match, I store the userid as a session cookie. Then, to visit any other pages, each page first checks to see if the cookie is empty before proceeding. Is it possible for someone to set the cookie themselves and thus break through (can a cookie be set manually?) If so, would it help if I mandated that the cookie be set to something specific (right now it just has to be non-blank), or can they find out what the cookie should be set to as well?

Cookies Problem In My Vps

Oct 20, 2007

I have a problem with cookies.

I use a vBulletin forum on a VPS.

In my vBulletin forum, the forum requests the password every time from members,

i.e. we can't retain cookies,

even in the admin control panel.

I typed the password 10 times in a 15 min interval,

which is a bad thing.

Wampserver5 For Setting Cookies

Jun 19, 2008

I'm using WampServer5; I want to use this as my database handling tool.
If you can help me on how to get this connected to Adobe CS3 to set up login sessions, a card validation site and so on.

Apache :: Using SessionMaxAge Without Setting Max-Age In Cookies?

Dec 5, 2013

I am using apache 2.4, mod_auth_form and mod_session with cookie based sessions. I would like my sessions to expire after 15 minutes of inactivity - so I set

SessionMaxAge 900

However, I also need my sessions to expire when the user closes the browser. Unfortunately, the cookie header sent looks like

Set-Cookie: session=Private-user=someUser&Private-pw=thePassword&expiry=1386227882551049;Max-Age=900;path=/;HttpOnly

I have temporarily turned off SessionCryptoPassphrase for debugging.

The problem is the "Max-Age=900". This makes the cookie persistent in the browser, so that even if the browser is closed, the session will still be valid if a new browser session is started within 15 minutes.

Can I avoid the "Max-Age=900"?

Or should I use mod_headers to rewrite the set-cookie header?

Server Notice : Kernel: Possible SYN Flooding On Port 110. Sending Cookies

Apr 24, 2008

Server notice: "kernel: possible SYN flooding on port 110. Sending cookies." And down.

How to disable flooding on port 110, and flooding on port 443?
E.g. disable telnet on ports 21, 445, 110, 53.

How to disable telnet on ports 21, 445, 110 with cmd (telnet ip(host) port)?

Apache :: Unable To Bypass Mod Auth For Just One URL

Apr 10, 2014

I'm trying to get an exception from auth (.htpasswd) for one specific URL, but it seems that it does not work with my rewriting rules. Disabling RewriteEngine solves the auth problem. My .htaccess:

Code:

SetEnv APPLICATION_ENV development

# Rewrite
RewriteEngine On
RewriteBase /

# ZEND
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d

[Code] .....

Mod_security Functionality Bypass Through .htaccess Issue

May 5, 2007

I accidentally found that it is possible to deactivate mod_security in a certain directory by using a .htaccess like this...

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

I believe it's something related to the "AllowOverride" directive from Apache, but I'm not exactly sure. The available arguments for this directive are "AuthConfig, FileInfo, Indexes, Limit, Options". I've tried hard to find a way not to disable the usage of .htaccess files and to keep their functionality, but also to prevent them from being able to modify the functionality of mod_security.

I'm sure anyone here could help me with this issue, as it's a big pain for any server running Apache in a shared vhosting environment.

Access Folders In Root / Bypass Wordpress

Jul 23, 2009

My blog is set up to display in the root of my domain, although the files on the server sit within their own folder:

i.e.

Server files

Public_html/wordpressfiles/

Browser displays

www . mydomain . com/

(displays pages from /wordpressfiles)

The problem I have is that I can't access individual directories within the root, unrelated to WordPress.

e.g.

I have

Public_html/folder2/...
set up on the server, but if I enter the path in my browser:

www . mydomain . com/folder2

WordPress thinks I want to access:

www . mydomain . com/wordpress/folder2

...which doesn't exist.

How can I regain access to folders in the root, without WordPress interfering?

How To Stop This Attack [Bypass Safe_mode & Openbase Dir]

Feb 6, 2008

Recently, some of our Linux/cPanel servers got hacked (not rooted) by using the following code (method):

#!/usr/bin/perl
symlink ("/home/USER/config.php","/home/USER2/test.txt");

The hacker just executes the perl file, and then he calls the "test.txt" file through Internet Explorer, and it's done, he can read the file easily!

We tried to :

1- run php as CGI module.
2- run SUPHP module.
3- run php as apache module.
4- enable open_basedir and safe_mode.

But the hacker can still bypass the system!

The only solution is to disable /usr/bin/perl, chmod it to 700, but that caused a broken cPanel!

It requires it to be at 755 for proper operation, since it is used by customers as well when it suexecs into the user when they log into cPanel, and so we cannot change it to that setting (700), since it breaks the entire system.

So is there any way to stop the "symlink" perl function?

Any way to stop this attack method?

Disable/Bypass Suexec Per Vhost Domain

Oct 12, 2007

I am running on:

Plesk version: psa v8.0.1_build80060613.20 os_CentOS 4.2
Operating system: Linux 2.6.9-023stab033.6-smp
License key number: PLSK.00170782.0006

I need to be able to access cgi between vhost domains, in particular one frequently updated file located 'centrally' in the cgi-bin of one of the vhost domains.

I would like to be able to have other vhost domains access this file, but suexec won't let that happen. I have searched around and tried the following:

Created vhost.conf file in the conf directory of one of the domains.

The vhost.conf file contained (with no #):

# <IfModule mod_suexec.c>
# SuexecUserGroup userid psacln
# </IfModule>

I ran;

/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain name>

Then reboot.

The result was that all the vhosts stopped working. I reset the websrvmng, and things returned to normal.

Then I tried updating the httpd.include file, adding (with no #):

# <IfModule mod_suexec.c>
# SuexecUserGroup userid psacln
# </IfModule>

Then reboot.

The result was the same, all vhosts stopped working.

Does anyone have an idea how I can achieve this? I know I can disable suexec altogether, but that wreaked a little havoc with the cgi app when I tried that.

Apache :: Bypass Client Cert Requirement For Localhost?

Feb 20, 2013

I just set up an intranet wiki running Apache 2.2 on Ubuntu 12.04. The server currently requires two-way certificate authentication (i.e. a server cert AND client certs). In <VirtualHost *:80>, Redirect permanent / https://<intranetSite>

Everything works dandy, except that now I'd like to find a way to bypass the client cert check for localhost so that I can run some maintenance scripts via cron on the server. Or perhaps it's possible to bypass SSL entirely, just for localhost?

Manually Enabling SpamAssassin

Mar 2, 2008

I have a dedicated server. It is a Fedora Core 6. It came with "Plesk 30 domain license". However, this license of Plesk doesn't have SpamAssassin enabled. In order to get the license with SpamAssassin, it costs an extra $30 a month.

I believe SpamAssassin is in fact installed on the server by default, but some of my users are reporting that they are getting spam. How can I check if SpamAssassin is running? How do I configure SpamAssassin to filter spam on all the e-mail addresses that are created in Plesk?

I have SSH access to the server.

Installing CentOS Manually

Jul 8, 2008

How to install CentOS without using the installer. This guide should be great when installing over networks, when you don't have a graphical console available (for installing over serial), when you're not content with the installer's job, when installing CentOS from another distro, or when you plainly want to learn more about how CentOS works.

Requirements:
* Have a host OS that has the "rpm" package manager available. Some distributions have it in their repositories (even if the package manager for the distro itself is not rpm), and Knoppix (a Linux live/rescue CD) has it aboard too. You can use the first CentOS ISO CD too (use linux rescue at boot), and it has all the necessary packages aboard
* Access to the CentOS base repository. It's on the first CentOS ISO CD
* Use your BRAIN. This guide is meant to be interpreted, not copy/pasted

Code:
# First, setup your disks to your liking. You can use whatever you want here,
# RAID, LVM, etc... Remember your disk configuration because you'll need it
# to configure grub, menu.lst and fstab. Using RAID, LVM, or others will require
# more configuration than this guide covers. To keep it simple I'm using a
# single disk. An example:

$ fdisk /dev/sda
$ mount /dev/sda3 /target
$ mkdir /target/boot
$ mount /dev/sda1 /target/boot

# Depending on the host OS you're using, you may need to initialize the rpm db
# on the host OS
$ rpm --initdb

# Use the following command to install the packages. I'll be addressing this
# command as $rpm.

$ rpm --root /target -i

# Use your shell's tab completion to complete the package filenames. I
# deliberately left out the versions so these instructions apply to a wide range
# of versions

# Let's install some basics
$rpm setup basesystem filesystem

# Install bash first, this is needed for post-install scripts
$rpm bash glibc glibc-common termcap libgcc tzdata mktemp libtermcap

# Install some dependencies (this is mainly to keep the next command smaller)
$rpm grep pcre libstdc++ info ncurses zlib gawk sed ethtool

# Install the bulk of the system (backslashes continue the single command
# over several lines)
$rpm coreutils libselinux libacl libattr pam audit-libs cracklib-dicts \
cracklib libsepol mcstrans libcap chkconfig python db4 openssl readline \
bzip2-libs gdbm findutils krb5-libs initscripts util-linux popt udev MAKEDEV \
centos-release shadow-utils keyutils-libs iproute sysfsutils SysVinit \
net-tools module-init-tools e2fsprogs e2fsprogs-libs glib2 mingetty \
device-mapper sysklogd psmisc centos-release-notes procps libsysfs iputils

# Install package manager
$rpm rpm beecrypt elfutils-libelf rpm-libs sqlite

# Install YUM
$rpm yum python-elementtree rpm-python yum-metadata-parser python-sqlite \
expat libxml2 python-urlgrabber m2crypto python-iniparse

# You may also want to install your favorite editor
$rpm nano

# This provides /root with some defaults, like color highlighting on `ls`
$rpm rootfiles

# Right now you have system which you can chroot to, so we can start setting up
# the basics

# Mount directories for chroot operation
$ mount --bind /dev /target/dev
$ mount -t proc none /target/proc
$ mount -t sysfs none /target/sys
$ chroot /target

# This constructs /etc/shadow
$ pwconv

# Configure fstab
$ nano -w /etc/fstab

# Installing the kernel. Do this back outside the chroot in the host OS system
$ exit
$rpm kernel mkinitrd cpio device-mapper-multipath dmraid gzip kpartx lvm2 nash \
tar less device-mapper-event

# Install the bootloader, grub.
$rpm grub diffutils redhat-logos

# Let's chroot again to configure our bootloader
$ chroot /target

# We start by configuring the bootloader. Open /boot/grub/menu.lst, and put the
# following there

<<<MENU.LST
timeout 5
default 0

# (0) CentOS
title CentOS
root (hd0,0)
kernel /vmlinuz-2.6.18-92.el5 root=/dev/sda3 ro
initrd /initrd-2.6.18-92.el5.img
>>>

# If this command gives an error, you can safely ignore this because it's not
# of importance. What is important is that grub-install copied the right files
# to /boot/grub that we need for booting.
$ /sbin/grub-install /dev/sda

# Manually install grub if the previous step failed. - means type it in the grub
# shell
$ grub
$- root (hd0,0)
$- setup (hd0)

# Optional packages
# You may want to install passwd so you can set passwords ;-)
$rpm passwd libuser openldap cyrus-sasl-lib

# These are used to set the keyboard language (loadkeys)
$rpm kbd usermode

# *** Right now you should have a bootable system! Here are some tips to help
# you through your 1st boot ***

# Most of the system configuration happens in /etc/sysconfig. See
# /usr/share/doc/initscripts for full documentation.

# Some quick post-install tips:
# * Configure your keyboard in /etc/sysconfig/keyboard using the KEYTABLE
#   variable
# * Configure networking: take a look at /etc/sysconfig/network-scripts. See
#   ifcfg-lo for an example.

# This recreates the RPM database. If the host OS you used has a different
# version of db, rpm will complain with
# rpmdb: unable to lock mutex: Invalid argument
$ rpmdb --rebuilddb

How To Setup An Account Manually

Jan 27, 2007

I do not have a control panel, I have SUSE as the OS; how do I set up an account manually so I can move my site to this new server?

Manually Force DNS Change

Jul 24, 2007

We're using a subdomain to point to one of our server's IPs (gaming purposes).

And people use this subdomain to connect to the game server.
However, we are going to move to a new server soon with a different IP.

I know the only thing I have to do is change the IP of the subdomain to point to the new server; however, I know this will take like 1 to 48 hours to fully work.

Is there a way to force people who are still connecting to the OLD IP to go to the new IP?

Mod_Evasive - Blocking IPs Manually

Oct 26, 2007

Is there a way to block IPs with mod_evasive by adding the IPs to the mod_evasive configuration file?

CPanel's EasyApache 3 - Are You Using It? (Or Still Doing Things Manually?)

Feb 17, 2008

How many of you cpanel folks are using the new cpanel 11 "EasyApache 3" to manage apache/php on your servers? (Instead of doing things manually?)

We have always managed our apache and php configs manually, because cpanel was "under-powered" for the task.

However, with this new EasyApache 3 that is included with cpanel 11, it seems cpanel might finally have figured things out.

How many of you have switched over from doing things yourself manually to using EasyApache to manage your PHP config?

Manually Create CPanel Subdomains With SSH

Oct 24, 2007

Does anyone know how to make subdomains through SSH?

Compile Apache With Phpsuexec Manually

Feb 1, 2007

Does anyone know the step-by-step procedure for compiling Apache with phpsuexec enabled and making Apache recognize PHP on a non-cPanel server?

Plesk 11.x / Linux :: Upgrade Roundcube Manually?

Nov 17, 2014

I noticed that my Plesk install still runs an older Roundcube installation (somewhere in the 0.9 range), and Roundcube 1.0.3 is currently the latest version available at [URL]

Is it safe to upgrade the Roundcube installation in psa-roundcube manually from 0.9 to 1.0.x?

Plesk: Remove Domain Name Server (DNS) Record Manually

Jul 10, 2008

Somehow Plesk is not listing a domain record I added recently that I have to remove, so I can't select it and delete it through the interface.

Is there a way to remove a DNS record manually, perhaps from the command line?

Call Script That Deletes Logs After Stats Run Manually

Jan 15, 2008

I'm trying to create a script to archive logs for 7 days but still delete them from the domlogs daily. Has someone already done this? The ideal solution would be to modify the cPanel script that deletes them after stats run, but I'm not sure if that's protected code by cPanel. The other option would be to disable the "delete logs after stats run" option, create a script to copy the logs somewhere else via cron, and call the script that cPanel uses to delete the logs without restarting Apache. This script would also move the files through directories and eventually delete them, therefore preserving the logs for 7 days. Any ideas?

I have created an untested script which should do this but I just need to know how CPanel deletes the logs without restarting apache.

#!/bin/sh
# Rolling 7-day archive of the cPanel domlogs: slot 1 holds today's copy,
# slot 8 is the oldest and is purged on every run.
BACKUP=/domlogbackup

# -p: no error if the directories already exist (plain mkdir would fail on
# every run after the first)
for n in 1 2 3 4 5 6 7 8; do
    mkdir -p "$BACKUP/$n/"
done
sleep 1

# Drop the oldest slot, then shift every remaining slot one day older
rm -rf "$BACKUP/8/"*
sleep 5
for n in 7 6 5 4 3 2 1; do
    # an empty slot leaves the glob unexpanded; silence that mv error
    mv "$BACKUP/$n/"* "$BACKUP/$((n + 1))/" 2>/dev/null
done
sleep 5

# Take today's copy of the raw per-domain Apache logs
cp /usr/local/apache/domlogs/* "$BACKUP/1/"
sleep 0.1

# rotate domlogs (the cPanel log-deletion step the post asks about would be
# called here)
sleep 10

# Compress today's copy
gzip "$BACKUP/1/"*

Copyrights 2005-15 www.BigResource.com, All rights reserved