Archive for the ‘Security’ Category

SharePoint – Elevating Privileges

Tuesday, November 23rd, 2010

Often during SharePoint development you need to execute code or access information that the currently impersonated user is not permitted to access. SharePoint itself does this internally when it elevates calls to the database: individual application users do not need roles assigned in SQL Server; only the SharePoint runtime accounts need to be granted SQL Server access.

SharePoint – Handling Access Denied Exceptions

Tuesday, November 23rd, 2010

Recently, while working on a project, I ran into an issue with a site that was using forms based authentication (FBA). The application would load configuration settings before the user had logged in. If the application was in a state where the target site's configuration had not been previously loaded and cached, then the request would be made as an anonymous (null) user. Since some of these settings were stored as SPWeb properties and the unauthenticated user did not have the required permissions, the request would be denied and the user was redirected to a page stating that access was denied and they needed to log in. The problem was they didn't have a chance to log in yet?!

WASC Threat Classification v2.0 Released

Monday, January 4th, 2010

The WASC Threat Classification is an effort to classify the weaknesses and attacks that can lead to the compromise of a website, its data and/or its users. The primary goal is to offer a central guide for common attacks and weaknesses. You can find the document online at http://projects.webappsec.org/Threat-Classification

MSN Phishing…

Thursday, August 14th, 2008

I've recently been getting some spam from a couple of contacts on my MSN list. Doing a quick Google search on the links revealed that this is probably MSN phishing: basically, the contacts have had their accounts cracked, which allows an attacker to send fake messages to the contacts associated with the account in hopes of tricking more people into entering their account information on a fake site. Since they are automated using bots/scripts, the contact may even appear to be offline when you receive the message.

Kevin Mitnick’s business card

Thursday, September 27th, 2007

I came across a post with a pic of Kevin Mitnick's business card. I'm curious if the lock-picking tools actually work =)