Tags: security

Validating file uploads in Sitecore WFFM

Our Sitecore installation was in dire need of a way to lock down file uploads on forms built with the Web Forms for Marketers (WFFM) module; out of the box, it doesn’t do any checking at all, which can lead to some risky situations. I tacked on a simple whitelist attribute to the UploadFile control, and our security engineer can breathe easy.

Disable SSLv3 to avoid POODLE attack in web.py

An open source application that I contribute to uses web.py to provide a web server platform for its services alongside the other platforms available. I recently updated it to use a sane set of default ciphers and to disable the SSLv3 protocol in order to avoid the POODLE attack the Internet is currently buzzing about. Here’s an abstract example so that you can do this yourself at home.

LDAP authentication with C#

LDAP, or Lightweight Directory Access Protocol, is a convenient, central repository for a system’s personnel information. LDAP (and other Active Directory services) is widely used by organizations big and small to consolidate user credentials and identification data. For instance: a reporting services application, a webmail client, and a database administration suite can all read from the same Directory, with no need to replicate user information. John Doe only has to remember one password for all systems. When he changes it, those changes cascade across the board.

Easy SSL redirection for select folders in nginx

I have many different web applications installed on my server; some of them need to be wrapped in a secure connection, while it is less important (or meaningless) for others. For those applications whose security I am concerned about, I’ve developed an easy way to force nginx to serve the application over an SSL connection. The method involves creating empty foldername.ssl files in a specific location, and then comparing the base folder name of an HTTP request against these file names. If there is a match, the connection is redirected to an https:// URL.