Our system has randomly started deadlocking in areas where it previously had not, and an analysis of the deadlock graph looks like it should not even be happening to begin with. Here is a screenshot of the deadlock graph.
For reference: The left node is a basic insert into the sync_entities table, where the right node is "update sync_entities set A=B, C=D from sync_entities e join sync_revisions r on e.id=r.entity_id where r.id in ()"
Based on my understanding of lock compatibility, an Requesting an S lock when an IX lock exists would block only if Read Committed Snapshot is off, but it is turned on for this database, and has been for a very long time. Am I missing something?
I would like to list of servers which are sql servers updates(sps&Cus) enabled through windows updates or microsoft updates by using powershell scripts.
Is it safe to use non-ASLR DLL in an enabled ASLR EXE? Would the DLL be loaded to and will use random addressed, or should all the dependencies enable ASLR?
In addition, what about other security mechanisms such as DEP and SHE?
I’ve been migrating to a new host (AWS Lightsail with a Ubuntu instance) and while everything is working just fine I’m running into a quirk that I can’t quite figure out.
I’ve enabled HTTP2 on my virtual server and confirmed that files are using that protocol (via DevTools and http2.pro):
For reference, here is my server showing the Apache HTTP2 mod is enabled (and I did restart apache afterwords)
However, in PHP when I output
$ _SERVER['SERVER_PROTOCOL'] on my server it is still showing "HTTP/1.1":
But this same exact software (WordPress theme) on other servers is showing "HTTP/2.0" correctly:
I believe I have my Apache2 conf files setup correctly:
<VirtualHost *:443> Protocols h2 h2c http/1.1
and just to be thorough I did Port 80 as well:
<VirtualHost *:80> Protocols h2 h2c http/1.1
Unfortunately I do not have access to the conf files (or ssh) on the server that is working, so I can’t cross-reference those files.
I’ve been reading a bunch of tutorials on HTTP2 to see if there is any additional setting or configuration that I may have missed, but most are showing the same instructions that I’ve implemented.
Can anyone point me in the right direction as to why this PHP "detection" is incorrectly displaying the protocol, or if there is something I missed that is preventing PHP from using HTTP2 in this one situation?
I am trying to understand how DNS-over-HTTPS (DoH) works in both Chrome and Firefox browsers.
To do so, I have enabled DoH on each browser and set the DNS provider to Cloudflare DNS servers (
220.127.116.11), at both browser and operating system level (Windows 10 in my case).
However, the traffic captured by Wireshark shows that there are still multiple DNS request that are made in clear text:
While some of those requests are probably issued by other desktop applications that do not implement DoH, there is one request pattern which seems strange to me:
Everytime I search some text (say
foo for example) in the URL search bar and press Enter, a DNS request is made to the Cloudflare resolver with the domain name
foo.lan. Unsurprisingly, the server answers with a
No such name DNS response.
After doing some research, this behaviour actually appears to be linked with DNS prefetching.
To make sure of that, I disabled the DNS prefetch flags in both Firefox (
network.dns.disablePrefetch) and Chrome (
Use a prediction service to load pages more quickly option toggled off), but the prefetch requests are still being sent as before.
This raises three questions to me:
- Why DNS prefetch requests still occur when the feature is disabled ?
- Why are those requests made with the
.lan suffix ?
- Why DNS prefetch requests are sent in clear text even though DoH is enabled ?
Please note that I have also tried to change the default search engine from Google to Bing, but the results are unchanged.
Any help would be very appreciated.
I have a list of 50 FTP servers line by line in file1.txt. I tried to check if these FTP servers allow anonymous login using nmap, but it takes a very long time and it gives a lot of output. How can I quickly test all IPs in file1.txt if they have anonymous login enabled and put them in file2.txt?
(There is a highly related question, however I believe mine is not a duplicate, since it deals with resetting a password without access to the account, not changing it while being logged in.)
Say someone has gained access to my email that I used to register some accounts with. Assume also that these accounts all have some kind of 2FA, be it a 30-second code generated by an app, a U2F key – the type doesn’t matter for my question.
In my understanding, in order for the attacker to change the password of an account, there are two ways:
Log into the account and change the password in the internal settings, without using the associated email. Even if we leave our computer/phone unattended with an active session of the relevant account, therefore bypassing the need for the hacker to also guess the account password, the change is still impossible. This is because, as explained in the question linked above, this would require at least 2FA verification, possibly 2FA + the original account password.
On the log-in screen for the account, use the ‘reset password’ option to send a reset email to the email account that we assumed the hacker had access to. I am confused as to what happens then:
- is the 2FA needed to send the reset email in the first place? If not,
- is the attacker able to reset the password, but not to actually log in, since the 2FA is still in place? This essentially means that they can’t access the account, but nor can we.
- is the attacker able to reset the password and log into the account, since the 2FA somehow becomes void?
Of course, scenario 1) is the most desirable from the perspective of the legitimate user, 2) is significantly worse, 3) is tragic. But which one actually happens when someone tries to reset a password for an account with 2FA enabled?
Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix
I have a server domain
server.com and a UI app at
server.com domain handles user auth and sets a session cookie under the
server.com domain. It also has a rest-like endpoint that serves GET requests at
/user_data and returns sensitive user data to users with a valid session. The 3rd party UI at
client.com needs access to the user_data in an AJAX call, so
CORS is enabled at the
/user_data endpoint for the origin domain
The endpoint in question has no side effects, although it serves sensitive data to a 3rd party. Do I need to implement some CSRF token protection for the endpoint? Could the user_data be read by a compromised
client.com webpage (via persistent XSS)? If so, can I use a query param mechanism of
CSRF token exchange? The way I understand it, it’s the only option, because the
client.com cannot read csrf tokens stored in a
server.com cookies. However OWASP guidelines state that:
Make sure that the token is not leaked in the server logs, or in the URL.
If that’s also a problem, how can I secure my application?
We have used –ssl-cert=path –ssl-mode=VERIFY_CA while login but unable to login as it is throwing ssl-error
"ERROR 2026 (HY000): SSL connection error: CA certificate is required if ssl-mode is VERIFY_CA or VERIFY_IDENTITY"
A few days ago I tried to log in and pay my bill and their HTTPS was disabled. I questioned it and they enabled it and said they were doing upgrades. Curious, I tested the site with SSL LAB and they received an F because they also support insecure suites.
I asked them about disabling SSLv3 to mitigate POODLE and was told I needed to do that on my end.
I am confused because every other ISP and site with SSL I test receives a B or A score, why would my ISP rest at an F and no one seems to care except me.