WordPress Editor Won’t Load Content Anymore

Got this weird WordPress behaviour recently. While most pages load successfully, editing something – like a post or a page – draws a blank browser tab: no content whatsoever. The result is the same in both Firefox and Chrome. Not tried in other browsers.

ANSWER

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'unsafe-inline'

This was the error I got when I opened the page, opened the developer tools, then reloaded the page.

It is caused by an additional custom header policy on the web server hosting the website. The directive looks something like this:

Header set Content-Security-Policy "default-src 'unsafe-inline' 

Add ‘unsafe-eval’ to get around it. Use of eval() is usually considered bad practice and insecure, so the browser blocks it until the policy explicitly allows it. After the modification the header will look like this. Don’t forget to restart the web server.

Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval'

More detailed explanations can be had here: https://scotthelme.co.uk/content-security-policy-an-introduction/
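The browser's decision above follows a simple rule: there is no script-src directive, so script-src falls back to default-src, and default-src does not list 'unsafe-eval'. The following Python snippet is an added example (not part of the original post or of WordPress) that models that fallback so you can check a header value before deploying it; it also shows the narrower alternative of adding a script-src directive so that 'unsafe-eval' is granted to scripts only rather than being placed on default-src. The directive list FALLS_BACK_TO_DEFAULT is a deliberately small subset of the CSP fetch directives, and the helper names are my own.

```python
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when absent
# (assumed subset that matters here; CSP3 defines more).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src"}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header_value.split(";"):
        tokens = clause.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Browsers ignore a repeated directive name: the first occurrence wins.
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive`, honouring the default-src fallback.
    None means the policy places no restriction on that directive at all."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def eval_allowed(header_value: str) -> bool:
    """True when eval() / new Function() would run under this policy."""
    sources = effective_sources(parse_csp(header_value), "script-src")
    if sources is None:
        return True
    return "'unsafe-eval'" in [s.lower() for s in sources]


def allow_eval_for_scripts(header_value: str) -> str:
    """Permit eval for scripts only: emit a script-src directive that copies the
    sources currently governing scripts and appends 'unsafe-eval'. default-src
    (and so styles, images, connections, ...) is left unchanged."""
    policy = parse_csp(header_value)
    script_sources = list(effective_sources(policy, "script-src") or [])
    if "'unsafe-eval'" not in [s.lower() for s in script_sources]:
        script_sources.append("'unsafe-eval'")
    policy["script-src"] = script_sources
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items())


if __name__ == "__main__":
    # The policy from the post, and the narrower way of adding 'unsafe-eval'.
    original = "default-src 'unsafe-inline'"
    print(original, "->", "eval allowed" if eval_allowed(original) else "eval blocked")
    print(allow_eval_for_scripts(original))
```

Note that once a script-src directive exists, default-src no longer governs scripts, which is why allow_eval_for_scripts copies the existing sources into it rather than emitting script-src 'unsafe-eval' alone.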

I am trying to set up security for Kibana in a Docker setup and facing some issues

Let me elaborate.
  1. The setup is inside a Docker container.
  2. We have this architecture: filebeat -> logstash -> elasticsearch -> Kibana
  3. I have enabled security in Kibana, set up the password authentication, and given the username and password in elasticsearch.yml
  4. I am getting the login page for Kibana
  5. The issue is that once I enter the elastic credentials it does not take the login to the Kibana page; instead it comes back to the credential page again.

The credentials are correct; whenever I try to enter a wrong credential, it throws errors, so confirming that it is the correct credential which I am entering.
I have done the configuration on Windows and it is successful; however I am having the issue in Docker.

The version which I am using is compatible according to the matrix; I am using 7.9 Kibana and Elasticsearch.
Logs show authentication to Elasticsearch failed.

Please advise.

Author: Sneha

Secure way to send API key

I am developing an SDK which users would use to access my service.
The authorization is done using an API key, which is unique to each user.
The SDK makes API calls to my server using the provided API key.

My question is how do I secure the API Key passed in as a header in the API calls?
Should I encrypt the key while sending it over the network using RSA? But, then there will be two issues:

  1. Shipping a public key with the SDK
  2. Overhead of reading keys from file for every API call

Is there a better approach to this?

Author: saintlyzero
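As an added example (not from the question's author), the following Python sketch shows one common way to avoid sending the API key itself at all: the SDK holds a per-user secret and sends only a key id plus an HMAC over the request, and the server recomputes the HMAC from its own copy of the secret. This addresses both concerns raised above, since no public key ships with the SDK and nothing is read from disk per call. The header names, the API_SECRETS table and the 300-second skew window are assumptions of this example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed server-side table of key id -> per-user secret (hypothetical values).
# The secret is what the SDK is provisioned with; only the key id travels in clear.
API_SECRETS: Dict[str, bytes] = {"key_123": b"constructed-per-user-secret"}
MAX_CLOCK_SKEW_SECONDS = 300


def canonical_request(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """The exact bytes both sides sign; any field altered in transit changes the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """SDK side: produce the auth headers for one request. The secret is never sent."""
    timestamp = str(int(time.time()) if now is None else int(now))
    mac = hmac.new(secret, canonical_request(method, path, timestamp, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": timestamp, "X-Signature": mac.hexdigest()}


def verify_request(headers: Dict[str, str], method: str, path: str,
                   body: bytes, now: Optional[int] = None) -> bool:
    """Server side: recompute the MAC from the stored secret and compare in constant time."""
    key_id = headers.get("X-Key-Id")
    timestamp = headers.get("X-Timestamp")
    signature = headers.get("X-Signature")
    if not (key_id and timestamp and signature):
        return False
    secret = API_SECRETS.get(key_id)
    if secret is None:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    current = int(time.time()) if now is None else int(now)
    if abs(current - sent_at) > MAX_CLOCK_SKEW_SECONDS:
        return False  # stale, or replayed outside the accepted window
    expected = hmac.new(secret, canonical_request(method, path, timestamp, body), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), signature)


if __name__ == "__main__":
    hdrs = sign_request("key_123", API_SECRETS["key_123"], "POST", "/v1/jobs", b'{"task": 1}')
    print(hdrs)
    print("valid:", verify_request(hdrs, "POST", "/v1/jobs", b'{"task": 1}'))
    print("tampered body:", verify_request(hdrs, "POST", "/v1/jobs", b'{"task": 2}'))
```

The timestamp window only bounds how long a captured request stays replayable; if a single replay within the window matters, the server also needs to remember recently seen signatures (or a per-request nonce) for each key. TLS is still required for confidentiality of the request body; signing protects the credential and the integrity of the request, not the secrecy of its contents.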

Can security modules completely override Linux Kernel’s access model?

I am aware of AppArmor and specifically how it can be used to limit a program’s access rights where the file-system permissions would otherwise allow them. What I’m less clear on is whether it’s possible for AppArmor or any similar security module to completely override a program’s access rights. Can they grant a program access to read/write/execute files that the user otherwise has no access to?

I’m asking for what the Linux Kernel will allow such a security module to do, not what existing security modules can be configured to do.


Author: Philip Couling

Active Directory Name Change

Our Active Directory will change the account names, for example John Doe: Jdoe@abcd.com to John.Doe@abcd.com.

My question is: do I need to change all the SQL logins individually, or can the person log in to SQL Server Management Studio with their old name? What also happens if the login is an owner of a database or job?

Author: SQL_NoExpert

Tor Browser GENERIC VERIFICATION FAILED

I am using Linux Mint 19.3. The problem is that when I installed Tor, the error GENERIC VERIFICATION FAILED is raised while downloading the packages. I tried many solutions but they did not solve the issue. I tried the following:

  1. gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir/" --refresh-keys --keyserver pgp.mit.edu
  2. gpg --homedir "$HOME/.local/share/torbrowser/gnupg_homedir/" --refresh-keys --keyserver pool.sks-keyservers.net

Author: Hassan

Does `npm audit` add any value when using `dependabot`

Context

There are multiple ways to scan projects for vulnerabilities.

Dependabot can be configured to check repositories for issues, and it automatically submits pull requests to resolve them.

NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.

We’re trying to work out whether, if Dependabot is enabled, there’s any added value to using NPM Audit in our pipelines. I’m asking this solely from the perspective of what’s detected; not how the tools work (i.e. whether they can cause a pipeline to block/fail).

The actual question

Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?

Author: JohnLBevan
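One way to settle the overlap question empirically is to key the findings of both tools by advisory identifier and diff them. The Python below is an added example (not from the question's author, npm or GitHub) that does this for one run: it extracts GHSA ids from output in the shape of `npm audit --json` (npm 7 and later) and from alerts in the shape of the GitHub Dependabot alerts API. The JSON samples are constructed and trimmed, the advisory ids and package names are placeholders, and the structure of both formats is assumed as I know it rather than taken from the question.

```python
import json
from typing import Dict, Set, Tuple

Finding = Tuple[str, str]  # (advisory id, package name)

# Constructed sample in the shape of `npm audit --json` (npm 7+); the advisory ids,
# packages and severities are placeholders, not real findings.
NPM_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "lodash": {
            "name": "lodash", "severity": "high",
            "via": [{"source": 1001, "name": "lodash",
                     "url": "https://github.com/advisories/GHSA-xxxx-xxxx-0001"}],
        },
        "minimist": {
            "name": "minimist", "severity": "moderate",
            "via": [{"source": 1002, "name": "minimist",
                     "url": "https://github.com/advisories/GHSA-xxxx-xxxx-0002"}],
        },
        # A package vulnerable only through a dependency: `via` names the dependency
        # rather than an advisory, so it must not be counted as a second finding.
        "some-cli": {"name": "some-cli", "severity": "moderate", "via": ["minimist"]},
    }
})

# Constructed sample in the shape of the GitHub Dependabot alerts REST response.
DEPENDABOT_ALERTS_JSON = json.dumps([
    {"state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "lodash"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0001", "severity": "high"}},
    {"state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "node-fetch"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0003", "severity": "medium"}},
    {"state": "dismissed",
     "dependency": {"package": {"ecosystem": "npm", "name": "minimist"}},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-0002", "severity": "medium"}},
])


def npm_findings(audit_json: str) -> Set[Finding]:
    """Advisories npm audit reports, keyed by the GHSA id at the end of the advisory URL."""
    report = json.loads(audit_json)
    found: Set[Finding] = set()
    for entry in report.get("vulnerabilities", {}).values():
        for via in entry.get("via", []):
            if isinstance(via, dict) and "url" in via:  # a real advisory, not a transitive link
                ghsa_id = via["url"].rstrip("/").rsplit("/", 1)[-1]
                found.add((ghsa_id, via.get("name", entry["name"])))
    return found


def dependabot_findings(alerts_json: str, include_dismissed: bool = False) -> Set[Finding]:
    """Advisories Dependabot reports for npm packages; open alerts only by default."""
    found: Set[Finding] = set()
    for alert in json.loads(alerts_json):
        if alert["state"] != "open" and not include_dismissed:
            continue
        package = alert["dependency"]["package"]
        if package["ecosystem"] != "npm":
            continue
        found.add((alert["security_advisory"]["ghsa_id"], package["name"]))
    return found


def reconcile(audit_json: str, alerts_json: str,
              include_dismissed: bool = False) -> Dict[str, Set[Finding]]:
    """Split the union of both reports into what both tools see and what only one sees."""
    npm = npm_findings(audit_json)
    dep = dependabot_findings(alerts_json, include_dismissed)
    return {"both": npm & dep, "npm_only": npm - dep, "dependabot_only": dep - npm}


if __name__ == "__main__":
    for bucket, findings in reconcile(NPM_AUDIT_JSON, DEPENDABOT_ALERTS_JSON).items():
        print(bucket, sorted(findings))
```

The include_dismissed switch matters when comparing: an advisory someone dismissed in Dependabot still shows up in npm audit, so it lands in npm_only unless dismissed alerts are counted, which is a workflow difference rather than a detection difference.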

What is a recommended authentication architecture for a front GUI app that I want to control but that will be used by others to control their servers?

I have a front end (web GUI) app that I designed (Python for now, JavaScript in the future) that I use to access a controller; it uses REST APIs.

I want to publish this app in the cloud so that others could use it.

The biggest issue I am seeing is the security side, as the app needs to authenticate with the remote server (a controller itself) and start sending tasks to the controller, which will translate them into internal REST APIs to control processes on downstream servers.

Is there an authentication flow that will guarantee to the owners of the controllers that I (the publisher of the front end) do not intercept the authentication flow and gain unwanted access to their servers?

My idea is to use a two-step authentication/authorization process like below. Is there a better way?
Please edit this diagram if you have suggestions

Author: MiniMe

How to add a new listener on a new port and restrict it to one instance only

I am running Oracle 11.2.3 and we have a server with multiple instances running. All of them are registered to port 1521 with the default listener. Now we are required to make one instance available on a new port. I was wondering if there is a way to add a new listener on a new port and restrict it to register only one instance, so that this listener cannot make connections for the other instances.

Author: user211005

ASP.NET Identity using only Active Directory

We have an existing ASP.NET web app that is using Microsoft.AspNet.Identity framework. The previous developer wrote the code for this and unfortunately I don’t have much experience with it. It currently allows users to create an account on our app and that gets saved to the AspNetUsers table. I’m assuming that’s the default way accounts are stored with this framework.

This has been working well so far, but we want to expand our functionality in a way that we think would be better if accounts were stored in Active Directory. Ideally users would have a single login that would allow the following:

  • Login to our web app.
  • Ability to change password via the web app.
  • Log into SQL Server Reporting Services portal.
  • Log into SSRS server when building reports in Report Builder.
  • Provide database access as follows:
    • Only be able to see and SELECT from a handful of views.
    • These views would be able to filter data based on the user.
    • There would be groups that the user belongs to. Each group has ownership of a schema in the database. Members of the group would have full access to that schema.

With the current AspNetUsers table implementation, users can create accounts, login and reset password. For the SSRS functionality we’ve been creating a separate user in AD manually. So at this point, the user has two accounts to deal with, though they could use the same username/password so that it seems like one.

On the database access it is a little complicated, but seems to work:

  1. First, our users belong to one or more “Organizations”. And really that’s pretty much like a group, but it doesn’t use any kind of built in group functionality. We basically have an Organizations table in the database and then an OrganizationUser table that links AspNetUsers to Organizations.

  2. Each Organization has a Data Source in SSRS. Depending on what Organization the user is writing reports for, they will choose the appropriate Data Source. Organizations have corresponding local DB logins and that is the login used by the SSRS Data Source.

  3. On the database itself, the Organization login has ownership of its own schema. The schema is there so that users can store and retrieve tables of their own design. This is mainly for pre-computing of data for use in reports. The login also has access to a few views in the dbo schema. Those views utilize the DB login to determine what Organization it’s dealing with. That’s used to filter out any data that is “owned” by an AspNetUser entry that isn’t linked to the Organization.

As you can see, we also end up with a third Organization login on the database which is not really ideal either. Plus, we’re also seeing a need to have a user-level login because we also want to add a database view that only shows the users data rather than the data for the entire Organization.

I should also mention that I’d really like if, when a user creates an account, it gets created in AD rather than the database. I haven’t been able to find an example of being able to do this. There seems to be a lot of examples on how to login to AD, but not to create the account in the first place. I suppose I could keep the existing AspNetUsers implementation and write some AD code alongside all the existing endpoint code, however that seems like a waste if there was some way to just do it all in AD.

I was going to post on StackOverflow to see if anyone could help me on getting Microsoft.AspNet.Identity to create users in AD, but I decided it might be a good idea to get some feedback on this design before I go down that route, as I’m wondering whether it’s a good idea or not.

I know one of the concerns my co-worker brought up was getting too many accounts in AD. I don’t think it’s a big issue. This isn’t the type of application that would have a lot of users. His other concern was getting tied too close to a Microsoft stack, but I don’t think that’s a big problem either.

Author: Dan

How to protect secrets whilst enabling the ability to amend a pipeline

I’m writing a CI pipeline using GitHub Actions.

The pipeline will build a Docker image, which it will then push to our Docker repository (AWS ECR).

In order to talk to ECR, we’ll need to provide a secret (and some other details).

That secret we’ll be pulling from Hashicorp Vault… though that itself requires a secret in order to access it, so to some extent we’re just offsetting the problem.

The pipeline’s code is in the same repository as the code for which it is run (to which our developers have access); though we can hold some actions called by this code in a separate repository (to which only our DevOps team have access) if needed.

Whilst we trust our developers, it’s generally good practice to keep things locked down where possible. As such, is there any way we can set things up such that developers can amend the pipeline without being able to (deliberately or otherwise) expose these secrets? Are there any best practices around this sort of thing?

Author: JohnLBevan