Secure GET-based remote API access via PHP

I am programming a way in PHP for my users to be able to access a remote API through my website. I was wondering if any of you had some input on whether or not this was secure (NOT considering any vulnerabilities that may be on the remote system).

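    // Build the remote API URL from the caller-supplied uid parameter.
    $url = sprintf("https://website.com/?uid=%s", $_GET["uid"]);
    $data = null;
    // Fetch the remote response and return it to the user unchanged.
    $data = file_get_contents($url);
    echo $data;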

Is this secure? If not, can you explain why?

Note: The site does not return any value that is sent using the uid parameter.
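
A hardened variant of the snippet above, as an added example that is not part of the original post: it validates and encodes `uid` before it reaches the URL, bounds the upstream request, and serves the response as plain text. The identifier pattern and the helper names `build_api_url` and `fetch_api` are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the proxy snippet in the question.
// Assumption: uid is a short alphanumeric identifier; adjust the pattern to the real format.

function build_api_url(string $uid): string
{
    // Allow-list validation: reject anything that is not a plain identifier.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $uid)) {
        throw new InvalidArgumentException('invalid uid');
    }
    // http_build_query() percent-encodes the value, so characters such as
    // "&" or "#" cannot add or truncate query parameters.
    return 'https://website.com/?' . http_build_query(['uid' => $uid]);
}

function fetch_api(string $url): string
{
    $ctx = stream_context_create([
        'http' => [
            'timeout'         => 5, // do not let a slow upstream tie up workers
            'follow_location' => 0, // do not follow redirects to other hosts
        ],
    ]);
    $data = file_get_contents($url, false, $ctx);
    if ($data === false) {
        throw new RuntimeException('upstream request failed');
    }
    return $data;
}

$uid = $_GET['uid'] ?? '';
if (!is_string($uid)) { // ?uid[]=x makes $_GET['uid'] an array
    http_response_code(400);
    exit;
}
try {
    $data = fetch_api(build_api_url($uid));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit;
} catch (RuntimeException $e) {
    http_response_code(502);
    exit;
}
// Serve the upstream body as plain text so the browser never renders it as HTML.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $data;
```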

Is it possible to hijack specific e-mail with remote access?

I don’t know exactly how to ask this but I was recently presented with e-mails that look like they came from my e-mail and IP address but I didn’t send them and never saw them. It is a back and forth correspondence with another gmail account. Is it possible someone was able to set up a forwarding without my knowing and make it look like it was coming to and from me? I did find that someone had snuck in AnyDesk and had remote access to my laptop during this time, so they had access to everything.

Remote receivers debugging using azure service bus does not work

After I published the app (not sure if related) to the app O365 catalog (not store), I cannot debug app installed (or uninstalling) receivers using Azure Service Bus anymore. I even tried removing remote endpoints from the app manifest, but it did not help.

I also needed to increment the app version in the manifest to be able to even attempt debugging, as an app with the same version was already in the app catalog.

This is what is in the output window:

    Successfully installed app for SharePoint.
    Services/AppEventReceiver.svc has been registered on Windows Azure Service Bus successfully.
    Services/AppEventReceiver.svc has been registered on Windows Azure Service Bus successfully.

When I click on start, the app is uninstalled (if it is previously installed), then installed, then VS gets out of debug mode, then there are messages that the service bus has been successfully registered. Then Internet Explorer starts and VS goes back to debug mode (probably for debugging JavaScript in IE), but this is after the app installed receiver finishes (successfully, btw).

Enable debugging via Windows Azure Service Bus is checked in project settings. The connection string to Azure Service Bus is provided. I created the service using PowerShell so it does support the necessary authentication methods. The related web project is also set up in the app project properties. Debugging using service bus worked for me on this project before.

Any ideas?

How to handle a player wanting to use the (UA) Remote Access spell on an android player character?

This is in my sci-fi D&D 5e campaign. I have a warlock who’s using a spell from the Modern Magic unearthed arcana called remote access. I also have another player who is playing a homebrew android race which we’ve been considering a construct. The warlock has expressed that if they get annoyed with the other player, they would use remote access on the android.

Would that be possible, and if so, how could I prevent it from happening? I imagine the other player would be really pissed about being taken over.

Here are the race traits of the homebrew Android race:

Ability Score Increase. Your Intelligence score increases by 2, and your Constitution score increases by 1.

Alignment. They don’t tend towards any one alignment, as they were programmed to form their own opinions.

Size. You have a similar height and build to humans. Your size is Medium.

Speed. Your base walking speed is 30 ft.

Mechanical Nature. You do not need to eat, drink, or breathe to survive. But you do need to recharge your power, which you can do by being near an electrical source during a short or long rest. You run out of power by going 5 days without recharging; this puts you in an inactive state until you are able to recharge again. During a rest, you regain hit points like normal; during this time you make repairs on yourself. You’re immune to the poisoned condition and poison damage. But every time you take acid damage you take an extra 5 points of damage.

Sleep Mode. You only have to rest for 4 hours to get a long rest and 2 hours for a short rest. During this time you’re still conscious of your surroundings.

Wired Connection. You can connect to electronic devices gaining a +2 bonus to all saves and skill checks involving using that device.

Search the Web. When you make an ability check for any skill you can search the internet for tutorials, videos, ‘how to’s’, and other resources giving yourself a +2 bonus to the roll. You can only use this once per long rest.

Languages. You speak English and one other language of your choice.

Remote access with xfce4 installed on Chromebook ASUS CN60

I have an ASUS Chromebox CN60 with XFCE 4.12 (Xubuntu) installed. XFCE starts automatically on Chromebox startup with a specific website in the web browser. Everything is working well, but I have a problem with remote access from a server with Xubuntu. I have installed ssh, ssh-agent, xrdp, and a VNC server and couldn’t connect. Ping from the server is OK. The network is working. I’ve installed a firewall and enabled/disabled it. I was trying to use PuTTY, TightVNC, and Windows RDP.

Also, I can’t use “sudo reboot” in the Xubuntu terminal. The answer is “Running in chroot, ignoring request”. I have tried to change the user to root, but it still doesn’t work.

Any suggestions?

How do RF remote clones manage to clone rolling codes?

I wanted to clone my garage door remote to learn more about IoT security in particular so I read a lot about rolling codes, and the more I read the more I am convinced there is no way to actually clone any rolling/hopping code remote even with its master key (seed value or encrypting key) – there are many algorithms out there to derive the next values for a given synchronisation counter and seed value/encrypting key.

And yet! The so-called “universal remotes” manage to clone rolling-code remotes when fed the master key in addition to the button signal… How is that possible? Do they use a very common encrypting device and just assume that the majority of remotes out there use the same algorithm (I stumbled upon the HCS301 during my research, maybe Keeloq is the most widespread?)?

What are some of the benign use cases of injecting bytes into another process and creating remote thread?

So let’s say you are developing an AV, and marked any type of injecting into another process (for example opening it and writing to it) as malicious.

If so, what will be some of the false positives? Will a normal user who just wants to install normal apps and browse the web be affected?

I just don’t understand why a benign app would need to do this. And how common is it? For example, if it’s only 1 in a billion benign apps that does this, then why allow it at all?

Remote Desktop Support – Let me fix your issues for $5

I am offering remote assistance to fix PC / Laptop issues using any Windows device.

– Restore performance of a slow / freezing PC or Laptop (Please note: not all freezing computers can be fixed, as it may sometimes be hardware related. If all my attempts to fix the freezing issues do not work, I will agree to a full refund.)
– Blue screens fix
– Malware, spyware, adware, virus removal
– Checking for corrupt / damaged system files
– Or anything else you may need help with

To connect remotely, we will be using TeamViewer.

Making my customers feel at ease: As we know, the internet is filled with dishonest people and scammers. There is a level of discomfort when letting a stranger work remotely on your device, especially if you are not so PC savvy and not sure what the person is doing on your computer. Therefore, before any payments are made, you may request a link to my personal Facebook profile and I will accept your friend request should you request one. You may also request voice calls if that is your preferred method of communication.

All my work will be performed on your Desktop; there is no need for me to access personal folders such as My Documents, Downloads, Program Files or any folders sitting on the Desktop. However, I may need to open My Computer (or This PC if you use Windows 10) to access the properties of your hard drive and maybe to look for any previous Windows installations, which will show up in your root folder (C:), for example: C:\Windows.old. I will not remove previous Windows installations without your consent and knowing you have been through them to check for any files you want to keep.

If at any given moment you need to do something on your device, all you do is move the mouse cursor and I will stop what I am doing.

– You can close TeamViewer when you like as we can always reconnect at a later time when you are ready.

Tools I will be needing: Fixing computers will require me to download certain software. I will only do so with your approval after explaining what software it is and the purpose of it. It will only be popular software used by millions of other users. Any software that I install will be removed at the end of the session unless you would like to keep the software to maintain your device.

Please first send me a message and best describe what issues you have, or feel free to ask any questions.

by: MikeT85
Category: Virtual Assistant


Can’t change data in the Host web from a Remote Event Receiver ItemAdding Event

I’ve built a SharePoint that should modify some information when the user creates data.

The add-in has some pages (ASP.NET MVC) that list the lists in the host web. The user selects one of the lists, then the code dynamically registers the event receiver.

The event receiver itself handles both the ItemAdding and ItemUpdating events and should change some of the item’s fields dynamically.

I was able to register the RER, I can even step into the receiver when debugging with Visual Studio, and I can actually see the SPRemoteEventResult.ChangedProperties correctly populated. However, even though I have no error, the actual data does not reflect my changes.

I suspect this is due to the fact that I dynamically register the RER, which leads to authentication troubles.

Here’s how I register my RER (from a POST action in my ASP.NET MVC app):

    [SharePointContextFilter]
    [HttpPost]
    public ActionResult Enable(Guid listId)
    {
        var spContext = SharePointContextProvider.Current.GetSharePointContext(HttpContext);
        using (var clientContext = spContext.CreateAppOnlyClientContextForSPHost())
        {
            if (listId != Guid.Empty)
            {
                var serviceUrlRoot = $"{Request.Url.Scheme}://{Request.Url.Authority}" + Url.Content("~/Services");

                var list = clientContext.Web.Lists.GetById(listId);
                clientContext.Load(list, lst => lst.Title, lst => lst.EventReceivers);

                clientContext.ExecuteQuery();
                var receiver = new EventReceiverDefinitionCreationInformation
                {
                    EventType = EventReceiverType.ItemAdding
                };

                //Get WCF URL where this message was handled
                receiver.ReceiverUrl = serviceUrlRoot + "/Services/myreceiver.svc";

                receiver.ReceiverName = "some name";
                receiver.Synchronization = EventReceiverSynchronization.Synchronous;

                //Add the new event receiver to a list in the host web
                list.EventReceivers.Add(receiver);
                clientContext.ExecuteQuery();
            }
        }
        return RedirectToAction("Lists", new { SPHostUrl = spContext.SPHostUrl.ToString() });
    }

I guess this code is OK since the RERs are actually triggering.

Here’s how I handle the adding event:

    public SPRemoteEventResult ProcessEvent(SPRemoteEventProperties properties)
    {
        var result = new SPRemoteEventResult();
        var webUrl = properties.ItemEventProperties.WebUrl;

        var webUri = new Uri(webUrl);
        var realm = TokenHelper.GetRealmFromTargetUrl(webUri);
        var accessToken = TokenHelper.GetAppOnlyAccessToken(TokenHelper.SharePointPrincipal, webUri.Authority, realm).AccessToken;

        using (var ctx = TokenHelper.GetClientContextWithAccessToken(webUrl, accessToken))
        {
            result.ChangedItemProperties.Add("MyField", "My dynamic value");
        }

        return result;
    }

This code does not throw any error when executing. But the list item does not have its MyField changed.

As you can see, both registering the RER and handling its events are done using the App Only context. I tried various other combinations, but I never succeeded in making everything work as expected.

What’s the correct way to dynamically register an RER on a list in the host web, on the user’s action?

What’s the correct way to handle the adding and updating events when the RER was registered dynamically?