今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#Apps

找到 233 篇相关文章

AI 资讯

Hardening my own Nmap web UI: the security holes I shipped, and what actually saved me

I built a web front end for an Nmap-based port scanner: a FastAPI backend, a React dashboard, background scan jobs, a plugin system. It worked. Then I sat down and audited it like an attacker would — and found a stack of real weaknesses, plus a lesson in why you verify an exploit before you call it one. This is the honest version: the holes I found, the unauthenticated-RCE chain I thought I had, why it didn't actually fire, and the hardening I shipped anyway. Repo: https://github.com/DipesThapa/PortScanner This is my own project, audited and fixed by me. No third-party systems were touched. Scanners are dual-use — only ever point one at hosts you own or are authorised to test. Hole 1: no authentication, anywhere The foundation: every API route and the /ws/status WebSocket were open. No API key, no session. The Dockerfile bound 0.0.0.0:8000 and ran as root. Anyone who could reach the port could drive scans, hit the upload endpoint, and read every job's logs. api_router = APIRouter () # no dependencies — fully open This is the real, unambiguous problem. Everything below is only interesting because it sat behind no auth. Hole 2: an upload endpoint that allowlisted its own files Deep-dive follow-up commands ran against an allowlist — good instinct. But an upload endpoint wrote a file, chmod +x 'd it, and then added it to that same allowlist: for item in scripts_dir . glob ( " * " ): if item . is_file (): allowed . add ( str ( item . absolute ())) # upload authorises itself An allowlist any input can extend isn't an allowlist. This is a genuine design footgun. Hole 3: the RCE I thought I had — and why it didn't fire Here's the chain I got excited about: the scan target flows toward Nmap's argv, and it's subprocess.run(..., shell=False) . No shell injection — but you don't need a shell to abuse Nmap. If a target became --script=/uploaded.nse , Nmap would load and run that NSE (Lua) script, and NSE can call os.execute . Upload a malicious .nse (Hole 2), get Nmap to load it

2026-07-07 原文 →
AI 资讯

Customizing D365 Sales — For Our Own Sales Team (Customer Zero) (2) Common Settings

This continues from Part ① . In Part ②, we'll configure the common settings and the internal-processing Power Automate flows. Common Settings Setting Up Connections Open Power Automate ( https://make.powerautomate.com ) Go to "Data" → "Connections" → "New connection" and create a Microsoft Dataverse connection Do the same to create an Office 365 Outlook connection Basic Flow Creation Steps Click "Create" → select "Automated cloud flow" (event-triggered) or "Scheduled cloud flow" (recurring) Name flows in the format [Zone]-[Number] [Description] (e.g., "A-1 Opportunity Stage Stall Alert") Always run a test after creating a flow to verify it works 2. Internal-Processing PA Flows — 4 Flows (Write-back portions of A-4, C-5, C-6, D-3) Once the common settings are done, it's time to build. A-4: Write Back Stage Changed Date Without this flow, the stall-day calculations in A-1 and B-1 will not work. Implement this first. In Microsoft Dynamics 365 (D365), a "stage" refers to a major milestone in a process — such as a sales deal or customer engagement — that guides the responsible person through what needs to happen next. It's how a series of activities is visualized and managed. From here, all work is done in Power Automate. Step Task Details 1 Create the flow "Automated cloud flow" → select trigger "When a row is added, modified or deleted (Dataverse)" 2 Configure trigger Table: Opportunities / Change type: Modified 3 Add condition Add a "Condition" action: "When Status Reason (statuscode) has changed" 4 Write-back action "Update a row (Dataverse)" → set cr917_stage_changed_date to utcNow() C-5: Auto-Set Renewal Date + Auto-Create Renewal Opportunity (on Won) On Won close, two things happen: ① auto-set the renewal date to close date + 365 days, and ② auto-create a new Opportunity for the renewal cycle and add it to the pipeline. Step Task Details 1 Create the flow "Automated cloud flow" → trigger "When a row is added, modified or deleted (Dataverse)" 2 Configure trigger Ta

2026-07-01 原文 →