I'm running into an error I just can't solve. I'm trying to host my website through an external hosting company.
Most reports consist of a server side permission issue but my hosting doesn't think that is the issue and won't budge on the idea.
Here is the message I'm getting:
Description: The application attempted to perform an operation not
allowed by the security policy. To grant this application the
required permission please contact your system administrator or change
the application's trust level in the configuration file.
These are the suggestions I got send through from my hosting company:
Change to "On"
<customErrors mode="Off"/>
Your connection is also referencing a database called
aspnet-Foundation-20151005115145.mdf however I cannot locate this
file, it's likely your database connection string is incorrect as its
trying to connect to a local database.
My database isn't active and is commented out in the Web.config file so this shouldn't be playing a part in the problem, right?
What's the best way to troubleshoot this issue?
Edit:
I have just added the following to the Web.config file to no avail.
<securityPolicy>
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
</securityPolicy>
Related
My Laravel database got hacked for the second time. the hacker deleted all tables and left a table threatening to delete it If I didn't send bitcoin. That's not a problem since I do have a backup but what can I do to prevent it?
This is for Laravel 6. the first time I had debugging mode ON in the .env file so I thought this might be the problem. after turning debugging off I still got hacked am I missing anything?
Hello Mohamed Elmoniry,
I would check your server database configuration for the following security settings I mean this is pretty basic and normally done automatically if you are not self hosting and using a service like forge or digital ocean, but here you go:
Update the password plugin
Change the root password
Remove anonymous users
Disallow remote root login
Remove test database
If you are new to this and you are using MYSQL on your server you can run the following command/script that will automatically guide you through that process
sudo mysql_secure_installation
Additionally:
If you are using a web server I would also enable SSH and deactivate password login.
If you are using a firewall I would check that only the necessary ports to your application are allowed by the UTM (Unified threat management) if it is a hardware firewall. (same applies to a software firewall)
It would be great if you know how the hacker got into the database. Maybe you have an old database version? Maybe you have an easy-to-crack password and have exposed your database to the internet. Laravel by default blocks SQL injection, so that can't be it.
If you have exposed your database, a good first step is to block all requests and allow only ones from certain IP addresses, like your server and IP addresses where you often work. This way, hackers can only get to your database if they are on one of those IP's.
Do you publish your code to GitHub? Maybe the hacker got the password from your repository (this is only possible if this is public). You should make sure you NEVER EVER publish your .env file to the internet and only keep local copies.
But the best solution would be to find out how he got in. Then you can block that entrance. You should certainly check your database version and update it if necessary.
it seems your website has some shell (malware) stored. Virus take palace with following reasons :
Old version framework (but you are using v6, that is updated)
A shell/virus already in code (check if a php shell exist, & scan with antivirus)
You have public git repo, where attacker placed his malware
You have credentials hardcoded that leaked, either through git repo or JS files.
You have unrestricted file upload option in your code, which allow hacker to upload shell.
your database server is publicly exposed,allowing anyone to access.
If you are using older jenkins or other automation tool, which exploit used.
SQL injection, (check logs)
Thanks, Jaikey
Check whether your .env or .env.sample files expose to public for some reason?
https://yourdomain.com/system/.env
If yes, block the public access of .env by adding the code below to the .htaccess file.
<FilesMatch "^\.env">
Order allow,deny
Deny from all
</FilesMatch>
We have two instances of SSRS 2016 installed, as one of them requires Windows authentication and the other requires custom authentication. The latter follows all the latest direction from the sample everyone references, except that it leverages a REST call to a separate authentication API we use for our applications rather than creating a user DB just for this use. We have given ourselves all permissions via the web portal, using the user account from this separate authentication API. Everything works fine until we finally try to execute a report and receive the error,
Could not load file or assembly 'Microsoft.ReportingServices.ProcessingObjectModel, Version=13.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91' or one of its dependencies. Access is denied.
We've found nothing referencing such an error and are stumped at this point. Any help would be greatly appreciated.
I had ran into this exactly same issue, and the cause was permissions setup for the execution account. I was providing him with admin permissions and full control setups on the folder, and file but the issue persisted. The solution was to remote desktop on the machine with the execution user account and acess the REport Server bin folder. With this the pop up to gain permanent admin permissions on it showed, and accepting this lifted the issue.
It took me days to nail this down, which seems like a bug. so I thought of posting this. I hope this helps.
I am able to get into SharePoint site using browser but not able to connect it using SSIS ODATA Connector. I have admin rights in that site. We have multiple imports successfully running using same SharePoint Server right now. Using SSDT2012. I tried another site successfully to confirm I don't have issue with SSDT. Any idea what I am missing.
Error msg:
TITLE: OData Connection Manager Editor
Test connection failed
ADDITIONAL INFORMATION:
The remote server returned an error: (401) Unauthorized. (System)
The logon attempt failed (System)
BUTTONS:
OK
What is the Service Document Location URL, you are giving in your case? Here is mine which works well.
Are you using basic authentication or Windows authentication?
If the former, double and triple-check that your userid and password are correct, and that the credentials have the proper access.
If the latter, check to see what user the package is running as. Also, I've found that when using Windows Authentication, you have to go back and double check what the Basic Authentication settings are, and zero them out before going back to Windows Authentication. It sounds crazy, but sometimes it works.
Let me first say I soley beleive IIS is usless because I have never gotten it to work ever, no matter what I do it never lets me access the website.
Before I start let me establish I have no choice but to use IIS in this instance and I really need this to work.
Let me also establish the following:
Yes I have tried turning it off and on again
There is 0 (NONE) firewall on this machine, and yes the server is entirely updated
My question is, whenever I try to create a website, for example the port im launching a server on is on port 3606.
I am attempting to have my website come up on port 3606, and direct me into a folder that is located at c:\mysqlservices
Now! Inside this folder is phpmyadmin source files, and in a desperate attempt to get this to work I have made the permissions to where EVERYONE, IUSR and IIS_USR all have full read write and nuking permisisons to this directory, its files, and all of its subdirectories.
Now, When I go to this address, for example, panel.archservers.com:3606,
All I get is the issue "403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied."
Thank you in advance for the help, all I need is to get this IIS server to actually work, because as it is, I cannot do anything with this IIS server..
Thank you very much in advance
This link suggest to add "IIS_IUSRS" user, which is not the same as "IIS_USR".
I needed to install the PHP core, then reset my permissions back to just iis_usrs.
It worked great
you are entering a wrong context...give a correct context of your application it will open that page..
Ex:
www.example.com - Forbidden Error
www.example.com/ex.jsp - Displays the respected page
Also check proper permissions are supplied or not to the directories
I have IIS7.5 with two websites, and I have an Access database on a server on our network.
The first website has anonymous auth on, using a specific network account (lets say 'jim.smith').
The second website has windows auth on.
I've written some ASP to use a DSN-Less connection to the Access database, and I'm using the same code in both websites.
When logged on to a computer with the same network account as is in use with the first website anonymous setting ('jim.smith') - when viewing in a browser, the first website has access to the database, the second website does not.
The error message is: 80004005 The Microsoft Jet database engine cannot open the file '...'. It is already opened exclusively by another user, or you need permission to view its data.
It is definitely not opened by another user.
So the first website is being accessed by network user 'jim.smith' via the anonymous setting.
The second website is being accessed by network user 'jim.smith' via windows auth.
Why would access to the database work from website one, and not website two..?
Does anyone know how to make windows auth work the same as the anonymous setting so I have access to the database from website two..?
Cheers!
Steve
Edit: Everyone has full rights to the folder where the database sits.
Seems to me that you need to enable impersonation so that the incoming user is used to acces the database. Otherwise the user of the application pool is used and this usually doesn't even have right on the server itself ( Application Pool Identity)
When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
See:
http://allen-conway-dotnet.blogspot.com/2010/11/how-to-use-impersonation-in-aspnet.html