NetTalk Central



Messages - Matthew

Pages: [1] 2 3 ... 10
1
I am also interested in that problem, so I am waiting for any news on that topic.

Regards,
Matthew

2
Hello Bruce.

Could you update the Redactor script to the latest version in the next build of NetTalk?

Regards,
Matthew

3
Web Server - Ask For Help / Re: Question about security
« on: May 07, 2015, 12:35:20 AM »
Thank You Bruce.

Regarding 2.)
I tried to manipulate the cipher list, but with no result. I tried the following lists in the "NetTalk Object Before Init Section":

ServerHTTPS.SSLCertificateOptions.CiphersAllowed = 'ECDHE:ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT'
ServerHTTPS.SSLCertificateOptions.CiphersAllowed = 'ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:@STRENGTH'
ServerHTTPS.SSLCertificateOptions.CiphersAllowed = 'ALL:!ADH:ECDHE:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT:@STRENGTH'

Unfortunately it doesn't work.

I tested my site on: https://www.ssllabs.com/ssltest/index.html

On my website:
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)            128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)    128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)    128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)    128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)            112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)            256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)    256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)    256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)    256

On another HTTPS website:
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS    256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK    256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK    128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)    256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)    128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)    112

So I don't know how to set, for example:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS    256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS    128

Regards,
Matthew

4
Web Server - Ask For Help / Re: Question about security
« on: April 19, 2015, 10:11:52 PM »
Thank you for the response.

Yes, I am using the latest version of NetTalk.

The OpenSSL version which I use: 1.0.1.L

What about problem 3: no Secure flag in the session ID?

Regards,
Matthew

5
Web Server - Ask For Help / Question about security
« on: April 16, 2015, 02:22:07 AM »
Hello Bruce.

I recently had a security audit which reports some problems.

1. Secure Client-Initiated Renegotiation is supported. (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks)
2. No support for "Forward Secrecy". (https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy)
3. No Security flag in session ID.

So how do I disable Secure Client-Initiated Renegotiation and enable support for "Forward Secrecy"?
What about the Security flag in the session ID? I don't know what it means. Could you add this flag, or maybe I could?

Also, could you update the OpenSSL libraries to the latest version (1.0.2a, I think)?

Regards,
Matthew

6
Web Server - Ask For Help / Redactor v. 10
« on: November 17, 2014, 06:21:11 AM »
Hello Bruce.

Could you include the new version of Redactor (version 10) in the next release of NetTalk (or in the near future)?

There are new functions and settings which are very useful.

Regards,
Matthew

7
Hello.

There is probably some bug (I think) in getting the time of an FTP file.

Example (using the FTP Template from NetTalk's examples):
1. I changed (for testing) the time of a file (for example in Total Commander) to later than my system time: 20:42:56 - modified time (see the example in the PNG - in Polish)
2. I put this file on the FTP server
3. I get this file using the FTP Template example app, where I have message(DirListingQ.Time), at for example 13:47:21 - the time when I clicked Get file in the app
4. Result: the time of the file is equal to 0 (DirListingQ.Time = 0)

Why is that?

Regards,
Matthew

[attachment deleted by admin]

8
Web Server - Ask For Help / Re: Change StoreDataAs
« on: July 25, 2014, 01:26:03 AM »
I understand that.

Thank you for your help.

Regards,
Matthew

9
Web Server - Ask For Help / Re: Change StoreDataAs
« on: July 24, 2014, 10:09:10 PM »
Thank You.

Now it works perfectly.

I have only one more question:
Could you add these changes to NetTalk 7, because I also have websites in NetTalk 7 which need a similar translation.

Regards,
Matthew

10
Web Server - Ask For Help / Re: Change StoreDataAs
« on: July 23, 2014, 09:55:29 PM »
Sorry for the missing description. So:

1. The app does not require any data. Everything is inside.
2. After compiling (maybe with the latest version of Clarion and NetTalk) and running it (default port 80; the web folder should be copied while compiling) you will see the homepage (the only page).
3. The homepage has every instruction needed to test my problem:
      a). it displays the global setting of StoreDataAs (from the server)
      b). you can choose the language at runtime from a drop-down (English, Polish, Czech)
      c). after choosing a language you will see an example word in that language to paste into the textbox
      d). when you copy and paste that word and accept the textbox control (by pressing Tab, for example) you will see that word after conversion by the StoreDataAs parameter.
      e). you can compare the example word and the word after conversion to see whether they are the same.
4. Every explanation is in the comments on the right.
5. You can validate the two methods (Translate and ProcessLink) in WebHandler, where I put my code.

When I set StoreDataAs to Central Europe (globally in the server) then English and Polish are OK, but not Czech. Choose the Czech language, copy the example word and compare whether they are the same.

Regards,
Matthew

11
Web Server - Ask For Help / Re: Change StoreDataAs
« on: July 09, 2014, 11:53:52 PM »
I made an example. Compiled on:
Clarion  - 9.1
NetTalk - 8.15

See attachment.

Regards,
Matthew

[attachment deleted by admin]

12
Web Server - Ask For Help / Re: Change StoreDataAs
« on: July 08, 2014, 10:07:29 PM »
Thank you for your advice, but it is not working.

When I set StoreDataAs = net:StoreAsEastEurope globally for the server then everything is OK in Czech. What I put in the textbox, I see without any change, for example:
    in Czech  -> nezveřejněné
    after putting it in the textbox  -> nezveřejněné

But if I set StoreDataAs = net:StoreAsCentralEurope globally for the server and then always set it in WebHandler, in the ProcessLink method, before the parent call:
    self.site.StoreDataAs = net:StoreAsEastEurope
then some characters are still changed, for example:
    in Czech  -> nezveřejněné
    after putting it in the textbox  -> nezveÿejnÿné

Regards,
Matthew

13
Web Server - Ask For Help / Re: Change StoreDataAs
« on: July 06, 2014, 10:21:42 PM »
Hello

I will describe what I have and what is not working.

1. My website is multilanguage. Every user can change the language at runtime by clicking one of the flags (see attachment).
2. After that the user works in the chosen language - views and adds data in that language.
3. When the first user chooses the Polish flag I overwrite the StoreDataAs property:

       p_web.RequestData.WebServer._SitesQueue.Defaults.StoreDataAs = net:StoreAsCentralEurope
       PUT(p_web.RequestData.WebServer._SitesQueue)

    and everything is OK.
4. At the same time another user wants to change the language to Czech. Before that, when he puts in some data in this language some characters are changed, because the StoreDataAs property is set to
    net:StoreAsCentralEurope, for example:

        in Czech  -> nezveřejněné
        after putting it in the textbox  -> nezveÿejnÿné

5. After changing the language to Czech I overwrite the StoreDataAs property:

       p_web.RequestData.WebServer._SitesQueue.Defaults.StoreDataAs = net:StoreAsEastEurope
       PUT(p_web.RequestData.WebServer._SitesQueue)

    and it is OK.
6. But then the first user has something similar to the previous situation, so when he puts in:

        in Polish  -> ąśćęłńżź
        after putting it in the textbox  -> ÿÿćÿÿÿÿÿ

Question:
Is there any way to relate StoreDataAs to the session ID, so that every session has its own setting?

Regards,
Matthew

[attachment deleted by admin]

14
Web Server - Ask For Help / Change StoreDataAs
« on: July 04, 2014, 04:18:16 AM »
Hello Bruce.

Is it possible for StoreDataAs to be related to the session ID?

For example, one logged-in user would have net:StoreAsCentralEurope and a second net:StoreAsEastEurope.

I ask because I added dynamic translation to my website based on SessionValue, and I change all display text in the Translate method.

But I would also like to change the StoreDataAs value, so that a user can enter data in his language without some special characters being changed.

Regards,
Matthew

15
Web Server - Ask For Help / Questions about security of Website
« on: December 18, 2013, 04:41:46 AM »
Hello Bruce

Ernst & Young did a security audit of my website. I have the final report. Therefore, I have a few questions:

1. About Referer (HTTP header field)

My web application is susceptible to reflected Cross-Site Scripting attacks via the HTTP header field Referer.
It is possible to modify a GET request and type some script into the Referer field. For example:

GET /HomeSite HTTP/1.1
Host: MyWebSite.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: 4a883"> <BODY ONLOAD=alert('test')>

In this case, it will display a message to the user.

Questions:
1. Is it possible to turn off the Referer field?
2. Is it possible to validate the Referer field?

2. About Secure flag in SessionID

With the Secure flag the SessionID can be transmitted only over encrypted HTTPS.
Without the Secure flag the SessionID can also be sent via the unencrypted HTTP protocol, which could potentially allow an attacker to capture the SessionID.

Question:
1. How can I set the Secure flag for SessionID?

3. About HTTP X-FRAME-OPTIONS

My web application is susceptible to Clickjacking (UI redress) attacks. This means that it is possible to cover one frame with another.

This kind of clickjacking attack could allow an attacker to persuade the user to perform certain actions in the application.
It should be noted that this mainly concerns actions that can be performed by clicking on links.

Question:
1. How can I set HTTP X-FRAME-OPTIONS to SAMEORIGIN or DENY?


Improving these points will increase the security of my website.


Additional question:
1. Is it possible to hide the version of NetTalk or PHP in the HTTP header?

Regards,
Matthew
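
A worked example added here for the three findings and the additional question in this post. It is plain Python, not NetTalk code, and does not assume any NetTalk hook names: the functions take and return ordinary header lists, so the ideas carry over to whatever place the framework lets you edit the response. The audit's Referer value is used verbatim as the test input; the host list, cookie name and upstream header list are constructed for the example. The points it makes: the Referer cannot be "turned off" (the client sends it), so the fix is to validate it against your own hosts and, independently, to HTML-escape anything you reflect; the Secure and HttpOnly attributes are set on the Set-Cookie header, and X-Frame-Options and the removal of version-advertising headers are plain response headers.

```python
"""Response hardening for the audit findings: reflected XSS via Referer,
Secure flag on the session cookie, X-Frame-Options, and hiding version
headers.  Added example; not NetTalk code.  Runs offline."""
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# The Referer from the audit's request, exactly as sent.
AUDIT_REFERER = '4a883"> <BODY ONLOAD=alert(\'test\')>'

# Assumption: the hosts this site is served on.
OUR_HOSTS = {'mywebsite.com', 'www.mywebsite.com'}


def escaped_referer(raw):
    """Context-correct output encoding: every reflected value goes
    through this, whatever validation said.  quote=True also encodes
    double and single quotes, which is what breaks out of attributes."""
    return html.escape(raw or '', quote=True)


def safe_referer(raw, allowed_hosts=OUR_HOSTS):
    """Validation (the second question): keep the Referer only if it is an
    http(s) URL on one of our own hosts; otherwise return None so the
    value is never used at all."""
    if not raw:
        return None
    parts = urlsplit(raw)
    if parts.scheme not in ('http', 'https'):
        return None
    if parts.hostname not in allowed_hosts:
        return None
    return raw


def render_back_link(raw, allowed_hosts=OUR_HOSTS):
    """HTML fragment using the Referer as a 'Back' target.  Validation
    decides whether to use it; escaping is applied regardless."""
    ref = safe_referer(raw, allowed_hosts)
    if ref is None:
        return ''
    return '<a href="%s">Back</a>' % escaped_referer(ref)


def session_cookie_header(session_id, https, name='SessionID'):
    """Set-Cookie with HttpOnly always and Secure when served over HTTPS.
    A Secure cookie set on a plain-HTTP response is never stored, which
    is why the flag is conditional on the scheme actually in use."""
    c = SimpleCookie()
    c[name] = session_id
    c[name]['path'] = '/'
    c[name]['httponly'] = True      # not readable from script
    if https:
        c[name]['secure'] = True    # never sent over plain HTTP
    return ('Set-Cookie', c.output(header='').strip())


def strip_version_headers(headers):
    """Drop headers that advertise software versions (additional
    question).  Header names compare case-insensitively."""
    hidden = {'server', 'x-powered-by'}
    return [(k, v) for k, v in headers if k.lower() not in hidden]


def build_response_headers(upstream_headers, session_id, https,
                           frame_policy='SAMEORIGIN'):
    """Assemble the outgoing header list for one response."""
    if frame_policy not in ('DENY', 'SAMEORIGIN'):
        raise ValueError('X-Frame-Options must be DENY or SAMEORIGIN')
    headers = strip_version_headers(upstream_headers)
    headers.append(('X-Frame-Options', frame_policy))
    headers.append(session_cookie_header(session_id, https))
    return headers


if __name__ == '__main__':
    # Constructed upstream headers, including one that leaks a version.
    upstream = [('Content-Type', 'text/html'), ('Server', 'NetTalk/8')]
    print(escaped_referer(AUDIT_REFERER))
    print(repr(render_back_link(AUDIT_REFERER)))
    for h in build_response_headers(upstream, 'abc123', https=True):
        print('%s: %s' % h)
```

Note the order of defence for the Referer: validation rejects the audit payload outright, but the escaping is what would have stopped it even if validation were bypassed, so both are kept.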
