Date: 12/27/05 (C Sharp)    Keywords: security, microsoft

This is a long post about one problem I have with Microsoft Report Viewer reports for .NET 2.0. Please don't skip it :)

ok, I have a simple windows form with report viewer control placed on it. The datasource for my reports is an object described in a class. Most of the fields are pretty simple like:

public string ObjectOperationType
  {
   get
   {
    return ent.Offer.OfferType.ToString();
   }
  }

where "ent" is a business object the application uses.

Some fields, though, are bit more complex and return List<> of things, like:

public List ObjectCloseLocations()
  {
   List items = new List();
   foreach (DirectoryEntry de in ent.Attributes[31].AvailableItemsList)
   {
    if (((ListDirectoryEntries)ent.Attributes[31]).Contains(de))
    {
     items.Add(new CloseLocations(de.Term, true));
    }
    else
    {
     items.Add(new CloseLocations(de.Term, false));
    }
   }
   return items;
  }

The CloseLocations type is a class with two public fields (Key and Value) that are filled by my method and then passed into the report as a list and the report will show the list in a table quite happily.

It all works fine, as long as you don't have to include the ListsTypes() on your reports.

Originally, the code to get the proper BindingSource running looked like this:

ViewObject MyData = new ViewObject(vid, HidePD);
   this.ViewObjectBindingSource.DataSource = MyData;
   this.comfortAndSecurityBindingSource.DataSource = MyData.ObjectComfortAndSecurity();
   this.closeLocationsBindingSource.DataSource = MyData.ObjectCloseLocations();
   this.propPhotoBindingSource.DataSource = MyData.PropertyImages();
   reportViewer1.RefreshReport();

Now, when I pass List to my primary BindingSource, the other binding sources have to be List<> or List types.

I tried this:

List myData = new List();
... fill the list...
List> comfort = new List>();
foreach(ViewObject vo in mydata)
{
comfort.Add(vo.Comfort());
}
this.comfortAndSecurityBindingSource.DataSource = comfort();

the problem now is that the comfort List<> is not "bount" to it's parent object that shall be getting data from it. How can I fix this?

Has anyone dealed with this?

Source: http://www.livejournal.com/community/csharp/44980.html

Date: 12/29/05 (PHP Community)    Keywords: php, html, security, web, linux, apache

Greetings all, new reader on the community here.

I'm one of the co-administrators of a small private co-op site, and we recently had our webserver hacked. :( We're still trying to figure out why, but there is some suspicion that PHP vulnerabilities might have been the vector of attack. As a result I am planning to upgrade to the latest and greatest version of PHP, but before we go live again with that, I want to review the PHP that runs on a few sites we host and make sure that I've taken care of as many holes as reasonably possible.

We run Debian Linux, and I've just upgraded us to Apache 2.0 as well. (We plan to upgrade to 2.2 as soon as we have a Debian package for that.) And I plan to put PHP 5.0.5 up off of backports.org.

The questions I would like to pose to the community are:

1) Since PHP 5.1.1 is not available in package form yet, are there any known big problems with 5.0 that might make it necessary for me to build 5.1.1 by hand?

2) I've been reading up in the Security chapter of the docs on php.net, as well as the SecurePHP wiki, and have come up with a list of things I know I'd like to look at. Can anyone recommend things besides these items that I ought to look at?

- Use .htaccess to control who gets to look at source code
- Take sensitive data, e.g., passwords, out of public web space
- Verify that register_globals is OFF
- Validate all user data
- Initialize variables
- Turn off magic quotes
- Use addslashes and stripslashes as needed
- Set expose_php = off in php.ini
- Log errors out to files not in public space rather than displaying them on the page
- Use $_POST, $_GET, $_COOKIE, and $_SESSION for global variables
- Use htmlspecialchars() for hidden form values
- For URL stuff, use both htmlspecialchars() AND urlencode(); the latter should be for specific variables in the URL, and the former for the entire URL

Thank you very much in advance for any pointers!

Source: http://www.livejournal.com/community/php/384514.html

Date: 12/31/05 (Java Web)    Keywords: browser, security

Users reported experiencing odd browser behavior after installing the most recent security update which has been identified as being caused by a registry key. Problem: Some reported opening a browser window that promptly hangs IE, others have reported opening links that render blank. There are also reports of multiple windows opening when initiating a browser session. When: This [...]

Source: http://blog.taragana.com/index.php/archive/how-to-fix-strange-problems-with-internet-explorer-december-security-update/

Date: 01/03/06 (C Sharp)    Keywords: html, asp, security, web

Heya all, I'm working on a web-based application (using ASP.NET and C# on .NET 1.1.4322, supporting only IE6 for Windows) that allows for file uploads. It seems to be a universally agreed that the file upload control is as ugly as they come, so I want to set its style to "display: none;" and interact only with the standard file upload dialog (which can be summoned by firing the click() method of the control, which is exposed under IE6 but not recent versions of Mozilla).

Attempting programmatic access of a file upload control is generally playing with fire, and this time is apparently no exception. Once I call the click() method, it seems, the page is no longer able to post back. When I attempt to submit the form, the value of the file upload control is cleared and the page just sits there. However, if I make the file upload control visible and manually click its "Browse..." button, the page posts back correctly.

For those of you familiar with Gmail's attachment upload interface, this is very close to the effect I am trying to achieve, but something about ASP.NET is apparently interfering (perhaps for my own protection) with the process. Has anybody experienced similar behavior under the same platform, and if so, explain the behavior or point to a KB article or security documentation that might be enlightening ? Thanks greatly for your time. Toy code can be found after the cut.



Codeahead:

<%@ Page language="c#" Codebehind="Foo.aspx.cs" AutoEventWireup="false" Inherits="FooApp.Foo" %>

















 




Postback info:
 

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

namespace FooApp
{
	public class Foo : System.Web.UI.Page
	{
		protected HtmlInputFile f;
		protected HtmlGenericControl s;

		private void Page_Load(object sender, System.EventArgs e)
		{
			if (this.IsPostBack)
			{
				s.InnerText = String.Format("{0} file(s) posted", Request.Files.Count);
				if (1 == Request.Files.Count) { s.InnerText += String.Format(", content length: {0}", Request.Files[0].ContentLength); }
			}
		}

		override protected void OnInit(EventArgs e)
		{
			InitializeComponent();
			base.OnInit(e);
		}
	
		private void InitializeComponent()
		{    
			this.Load += new System.EventHandler(this.Page_Load);
		}
	}
}

Source: http://www.livejournal.com/community/csharp/45787.html

Date: 01/03/06 (Security)    Keywords: security

Computer tapes containing bank details, Social Security numbers of Marriott Vacation Club clients have gone missing.

Source: http://news.zdnet.com/2100-1009_22-6015768.html

Date: 01/04/06 (Security)    Keywords: security

Security giant continues acquisition spree and can now offer protection for IM systems.

Source: http://news.zdnet.com/2100-1009_22-6016780.html

Date: 01/04/06 (Security)    Keywords: security

Company inadvertently prints Social Security numbers on promotional mailings, but says security risk is low.

Source: http://news.zdnet.com/2100-1009_22-6016720.html

Date: 01/04/06 (Security)    Keywords: security, microsoft

In absence of a fix from Microsoft, security experts advise companies to use unauthorized patch for latest WMF flaw.

Source: http://news.zdnet.com/2100-1009_22-6016649.html

Date: 01/05/06 (Computer Help)    Keywords: software, security, virus, microsoft

(xposted to computersupport in hopes of getting all these problems solved!)

I just got my computer back online, and I've run into a few troubles in the last 6 months of no internet.

first off. I got a digital camera, installed the software, then installed photoshop. When I hook up my camera, the computer recognizes it and opens my photoshop, uploading my pictures. So is the Kodak Easyshare software even necessary? if I took it off, will my computer still recognize my camera? The software is little more than a nuesence right now.

also, the kodak software somehow messed with my thumbnail-to-full-size option when clicking on a picture in my files. it used to be the picture would take up the majority of the screen, and I could still do the whole next/previous options. This is what my computer was like when I bought it... but now when I click on a thumbnail of a picture, the whole thing takes up my screen except for 2 blue buttons saying "add to collection" or "done." How do I change this back to the original state?

Now for virus protection... I had Norton Internet Security 2004, and it expired. my computer prompted me to buy online a new subscription, but instead I went out and bought the same disc of 2005, thinking I could just enter the new product key. I even tried uninstalling the whole thing, then re-installing it with the new product key. no such luck. my computer still recognizes this as an expired 2004 virus protection and gives me popups every 20 seconds telling me to buy a new subscription online. Their tech support charges per minute so I was hoping to find help on here.

It still sends me warnings when my computer tries to access the internet though. So while using Music Match Jukebox's option to find track tags online, my computer asked if it was okay to allow "MIM" to access the internet... I didn't know Music Match Jukebox would be called MIM so I said Block, and now I can't figure out how to allow it to connect! (I'm a total software illiterate) any ideas?

I'm still having a problem of my computer telling me that it can't find "mkbdata.dat" at startup. I think it's a mouse software, but I can't figure out how to delete it, or what the old mouse would be called on my computer. I had this problem months ago but never solved it.

I need a software that allows me to edit audio and video tracks. like for songs on CD's that have 20 minutes of silence before playing a hidden track. it's taking up WAY too much room on my computer. anything free available?

now my last two problems (for now.) I deleted some annoying mail thing that was on my computer when I got it, because I never used the program. but now when I click on an "email me" link on people's pages, it tells me "could not complete because you do not have a default mail client set up." PLEASE help me re-download whatever I deleted or help me find a new program that even I could understand. And lastly, I REALLY miss Microsoft Works... like Wordpad but with more options of what you can do with the page. Anyone know where I can download this for free?

Source: http://www.livejournal.com/community/computer_help/560509.html

Date: 01/06/06 (Computer Help)    Keywords: html, security, ebay

I run: windows 98 SE, IE 6.0

For some reason, just today, when I log into sites, I can't STAY logged in, and I get annoying security certifcate prompts everytime I go to ebay and gmail ..

I can't access the 'standard' view of gmail, and the 'html' version of gmail wont let me delete messages.

I looked in my internet options >> advanced tab, and 'warn about invalid site certifates' is UNCHECKED, (I never had it checked in the first place, nor did I change any security settings to make it this way, so I have no idea what is going on.)

I cleared ALL cookies, my cache, my temp internet files, ran hijackthis, and spybot, and nothing showed any problems or fixed anything.

wtf is going on?

thanks alot for your help.

Source: http://www.livejournal.com/community/computer_help/561595.html

Date: 01/09/06 (Security)    Keywords: security

Security company says ISPs should warn customers with infected PCs so they can disinfect the machines.

Source: http://news.zdnet.com/2100-1009_22-6024727.html

Date: 01/09/06 (PHP Community)    Keywords: cms, php, html, database, security, web

Hey all,

I know there's been a couple posts about this recently, so if I'm asking redundant questions, sorry.

A friend of mine has come up with a pretty novel idea for a MySpace-ish site, but for a specific niche market (kind of like those CatSpace and DogSpaces that exist) - users will have profiles, photos, a blog, message boards, send friend requests, yadda yadda yadda, you've seen it all before. I'm going to be developing the initial setup myself (since we have no money), and this is a somewhat long term project that I'll be picking at casually for a little while.

Right now I'm trying to figure out if I should give this a go coding from scratch, or use an existing CMS type solution (like Mambo, Joomla, Drupal, etc). I'd really like to code it myself, as I think it could be a fun project to work on. I'm a pretty solid PHP programmer, but as I have a feeling that this idea could jump in popularity pretty quick, I really want to make sure I keep this thing as efficient as possible for a large user base. For instance, I don't want to go making another MySpace which I think runs horribly as a web app compared to even LiveJournal.

Currently I use PEAR's DB_DataObject or my database interactions and I've just gotten into Smarty for templating, though I'm sure I'm not using either to their fullest potential. I saw mention of a couple of development environments and frameworks in someone's recent post looking for a visual studio-esque PHP environment - http://www.livejournal.com/community/php/388602.html but I've never used any of these.

I'm not really concerned here with using a "rapid development" framework - I don't mind coding, I like it - but what I'm really concerned with is stability, efficiency and security - I know of course that these also rely heavily on how well I code, and using a good coding environment or framework won't do the coding for me, but there have to be some tools/frameworks/etc out there that pros are using that I just haven't moved onto yet, and I wanted to see what you guys (and gals) are using on some of your bigger projects.


- I know this comes up a bunch, but does anyone else think would it be handy at all for us as a community to maybe organize some of the more useful threads and frequently asked (and answered) questions in the php community at a separate location? Doing just a search on the community doesn't necessarily give you anything about the quality of the responses, and it may even be nice to be able to 'browse' solutions/posts by categories or something; maybe we could have some sort of quality ranking on posts, or some way to identify posts that contain questions that get asked all the time. I don't think this would be too tricky to put together, and I'd be willing to work on it, but I don't know if anyone would even use it?

Source: http://www.livejournal.com/community/php/392457.html

Date: 01/10/06 (Security)    Keywords: security

Two "critical" security bugs in Windows, Outlook and Exchange could allow an attacker to hijack vulnerable PCs, company says.

Source: http://news.zdnet.com/2100-1009_22-6025413.html

Date: 01/10/06 (Security)    Keywords: security

Gene Hodges, who worked at McAfee since 1995, resigns to take posts of CEO, president at rival security company.

Source: http://news.zdnet.com/2100-1009_22-6025122.html

Date: 01/11/06 (Security)    Keywords: security

Several security flaws in Apple Computer's media player could put computers running Windows and Mac OS X at risk of hijack.

Source: http://news.zdnet.com/2100-1009_22-6025626.html

Date: 01/11/06 (Security)    Keywords: software, security

The government department is giving millions of dollars to a project that will comb open-source software for security bugs.

Source: http://news.zdnet.com/2100-1009_22-6025579.html

Date: 01/11/06 (Mozilla)    Keywords: java, security, web

After switching to FF 1.5, iam facing these annoying problems.

1) Most times when i load web pages, most placeholders like image links, thumbs, even smaller icons etc simply dont load. All are blank. Reloading doesnt really help much, still many places are blank. Its a big annoyance seeing blank even after successive reloads.
when only the image resource is loaded, that single thing loads perfectly.
bloody flash objects, adds all load, images,thumbnails dont.

2) Not a big annoyance, still some pages fail giving the error message,
'unable load could not connect'.. when i reload it problem is solved. Its annoyance at times to keep reloading.

Regard to first problem, I use a laptop, in it all pages load perfectly with IE. Also both IE,FF work perfect in a desktop(same connection). So it should not be a problem with the connection.

Also i tried in another user, another profile, a completely new profile all these with no extensions, the same problem persists there also. So its not because of extensions either.

info : options->contents-> all image settings are correct with no filters. javascript, java enabled.

I run windows XP (with all latest security).

Can anybody help.. its big big nuisance.

Thanks in advance

cross posted to firefoxusers

Source: http://www.livejournal.com/community/mozilla/347293.html

Date: 01/11/06 (Security)    Keywords: software, security

Q&A Check Point Software Technologies CEO Gil Shwed takes a hard look at the changing face of cybersecurity.

Source: http://news.zdnet.com/2100-1009_22-6025784.html

Date: 01/13/06 (Security)    Keywords: security

Recent security update to Apple's popular media player is causing system problems, some Mac OS X and Windows users complain.

Source: http://news.zdnet.com/2100-1009_22-6026745.html

Date: 01/13/06 (Computer Geeks)    Keywords: asp, security, ebay

So here is the deal. I was selling this laptop on ebay. Retails about $850. So I get an email in ebay from this guy say he needs it right away and it for his son, blah blah blah. I will pay you $4,000 if you can ship it to me right away and if we can do the transaction through western union. So here is the emails. Just be careful, I am very security minded and almost fell for it. If it wasn't for my distrust in most things, I wouldn't of call western union and found out it was fake.


From: "ade taiwo" | Block Address | Add to Contacts

To: lordsaibat

Date: 11 Jan 2006, 05:55:09 AM
Subject: Congratulations Your Payment Is In Progress !!!


--------------------------------------------------------------------------------

Dear Seller,

This is to inform you that your payment has been made and is currently under
processing, I am very sure you are in receipt of the notification of my payment
from Western Union.

Anyway, I want the package to be shipped out as soon as you received the
approval of your money order from Western Union so that my Son can be able
meet up with the need for this package .

Kindly get back to me with the shipment tracking number immediately you
shipped my package.

I WANT THIS PACKAGE TO BE SHIPPED AS SOON AS THE PAYMENT APPROVED FROM Western
Union AND SHIPPED IT THROUGH Global Express mail 3-5days USPS POST ONLY PLS.

I will be looking forward to hearing from you soonest because the Package is
urgently needed.

Regards,
Ade

--
_______________________________________________
Get your free email from http://fastermail.com


From: "Western Union Transfer" | Block Address | Add to Contacts

To: lordsaibat@gawab.com

Date: 11 Jan 2006, 05:54:36 AM
Subject: MONEY ORDER PENDING (7650980937)***DO NOT REPLY***


--------------------------------------------------------------------------------

==========================================================================================================
==========================================================================================================
THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
==========================================================================================================
==========================================================================================================
*AUCTION PAYMENT NOTIFICATION*

Western Union ® Order Number: 7650980937

Dear Tobias Mccurry,

This is to notify you that Western Union® Accounts Payments has
received an order placed by Mr.Ade Tawio, of your auction item to
have a Western Union® branded Money OrderSM sent to you as
payment for the auction item. The order is currently being processed.

The details of the transaction are stated below:
----------------------------------------------------------------------------------------------------
*AUCTION DETAILS*
AUCTION SITE : Ebay Inc.
AUCTION ITEM : HP PAVILION Laptop
----------------------------------------------------------------------------------------------------
*FINANCIAL DETAILS*
----------------------------------------
AUCTION AMOUNT : $ 3,800.00
SHIPPING AMOUNT : $ 200.00
----------------------------------------
TOTAL : $ 4,000.00
----------------------------------------
Once the order is processed successfully, you will receive another
email from Western Union ® informing you that the money order has been
approved.The Money OrderSM will be delivered to the address below,
Please verify that the name and address (As entered by the buyer)are
correct:
-------------------------------------------------------------------------------------------------------
NAME : Tobias Mccurry
ADDRESS : 7101 C Mcnickle
CITY : TAFB
STATE : Ok
POST CODE : 73145
COUNTRY : USA
EMAIL : lordsaibat@gawab.com
-------------------------------------------------------------------------------------------------------
Seller Should Not ship until you recieve another email
informing you that your money order has been APPROVED, also seller
must ship the item upon receipt of the confirmation email that your
money order has been APPROVED in other not to delay your money
order from being shipped to the designated address provided by the
buyer.

Seller must ship the item to the buyer when the money order has been
approved and send the tracking number to our agent email
address:(helpdesks@consultant.com) DO NOT forget to include
Order number,your full name and address.
--------------------------------------------------------------------------------------------------------
PLEASE NOTE: This is only a notification informing you that the
buyer Has made payment to Western Union®, The payment is currently being
processed and is regarded as PENDING as it is still subject to APPROVAL
after being successfully processed.Western Union® hereby advises
you NOT to ship the item until you have received another message from
Western Union® stating that, the order has been APPROVED.Please
exercise some patience as the process usually approved within 1 to 24 hours.
--------------------------------------------------------------------------------------------------------
Thank you for using Western Union® Accounts Payments. We look
forward to serving your online auction payment needs better in the
future.

Western Union Team,
Accounts Payments.

=============================================================================================================
THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
=============================================================================================================


From: "Western Union Transfer" | Block Address | Add to Contacts

To: lordsaibat@gawab.com

Date: 11 Jan 2006, 01:09:31 PM
Subject: MONEY ORDER HAS BEEN APPROVED***(7650980937)***DO NOT REPLY


--------------------------------------------------------------------------------

==========================================================================================================
==========================================================================================================
THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
==========================================================================================================
==========================================================================================================
*AUCTION PAYMENT NOTIFICATION*

Western Union® Order Number: 7650980937


Dear Tobias Mccurry,


Congratulations! The order placed by Mr.Ade Tawio, of your auction
item to have a Western Union Accounts® branded Money OrderSM
sent to you as payment for the item has been successfully processed
and has consequently been APPROVED. The financial details of the
transaction are stated below:
---------------------------------------------------------------------------------------
*FINANCIAL DETAILS*
----------------------------------------
AUCTION AMOUNT : $ 3,800.00
SHIPPING AMOUNT : $ 200.00
----------------------------------------
TOTAL : $ 4,000.00
----------------------------------------
--------------------------------------------------------------------
***PLEASE NOTE***
The Money OrderSM will be delivered to the address below, Please verify
if the name and address (As entered by the buyer)are correct:
-----------------------------------------------------------------------------------------------------------------------------
NAME : Tobias Mccurry
ADDRESS : 7101 C Mcnickle
CITY : TAFB
STATE : Ok
POST CODE : 73145
COUNTRY : USA
EMAIL : lordsaibat@gawab.com
-----------------------------------------------------------------------------------------------------------------------------
***ATTENTION**
The order has been APPROVED, you CAN NOW ship the Item to the buyer
shipping address. You are expected to make the shipment within 48 hours
of receiving this Payment Approval Notification.
This is the buyer shipping information:
-----------------------------------------------------------------------------------------------------------------------------
Name : Mr. Ade Tawio
Address : 40 queen cinema street
City : IBADAN
State : OYO STATE
Zip : 20001
Country : NIGERIA
-----------------------------------------------------------------------------------------------------------------------------
If the buyer has requested that the item be sent to any address other
than the one provided above, please ship the item OUT and notify us
immediately. Go to http://www.Westernunion.com
Be sure to include the Western Union Accounts Payments order number and the
change of address the buyer has requested. Also, include the change of
address as the subject of your mail.
-----------------------------------------------------------------------------------------------------------------------------
***PLEASE NOTE***
The Money OrderSM will NOT be dispatched until shipment has been
verified. This measure is taken in order to protect both seller and
buyer interests and to reduce the occurrence of fraudulent activities.
-----------------------------------------------------------------------------------------------------------------------------
*SHIPMENT VERIFICATION*
You can have the shipment confirmed/verified in any of the following
ways:

1. Shipment should be made to the buyer and the TRACKING NUMBER of the
shipment should be sent to our agent email address :
helpdesks@consultant.com
Once the verification of shipment is confirmed, you will be notified
and your money order will be shipped out to your designated address
immediately.

2. Your money order will be delayed until you send the SHIPMENT
TRACKING NUMBER of the item been shipped to our agent as a Confirmation.

3. Your money order will be shipped out immediately you send the
shipment notification to our agent.
PLEASE ON NO ACCOUNT MUST YOU ALLOW THE BUYER GAIN ACCESS TO THIS MAIL.

Thanks for using Western Union. Looking forward to serve your
future Online needs.

Western Union Team,
Accounts Payments.

=============================================================================================================
THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
=============================================================================================================

Source: http://www.livejournal.com/community/computergeeks/859697.html