administrator – How to run an installed Application as an admin?

Background

I’m running Catalina 10.15.7.

I run my macOS system as a limited user (I have admin credentials for admin tasks).

This mostly works fine, but it seems many apps, and sometimes Apple themselves, expect most users to be running their systems as admins.

Problem

Anyway, I had a program installed (Disk Drill), which was running fine, and then prompted me to install an update. I installed the update, and now when I run the program I get an error window that Disk Drill can only be run by admins and then the app exits.

If I launch a terminal window and switch to the admin user and launch the app from the terminal, it starts just fine.

Question

How do I get this app to run as an admin?

Attempted Solutions

I tried changing ownership of the .app and .app/Contents folder to that of the admin user, but this didn’t seem to make any difference.

hooks – SharePoint online search query from Drupal in logged in user context, which is connected through SIMPLESAML SSO (Azure AD IDP) with PHP application

Below is problem description – I have sharepoint online and its URL is like – https://abc.sharepoint.com

Above sharepoint is connected through SSO (Office 365 Azure AD IDP and SAML)

I have another Drupal 8 application like – https://drupalapp.something.com

It is also connected through the same SSO (Office Azure AD and SAML), so that if a user logs in through either application via SSO then he is allowed to log in to the other application as well. It means the application is single sign-on enabled, and it's working fine.

Now as a user, I am able to log in through drupalapp.something.com using SSO (Office 365 Azure AD and SAML). After the user logs in, as the developer I need to show recently modified SharePoint documents from SharePoint Online using a SharePoint REST query, but the condition is that it should fetch only the documents which the logged-in user has permission to see.

Brief requirement –

The requirement is to be able to make REST queries to SharePoint Online, but when the REST query is made, the person the query is for must only see results based on their security context.

So if user1 has access to a SharePoint folder but user2 has not, then when the REST call is made they will each see a different set of results.

Example: user1 has access to abc.sharepoint.com/abcfolder/afile.pdf. User2 does not have access to the folder abc.sharepoint.com/abcfolder/ and so he will not have access to abc.sharepoint.com/abcfolder/afile.pdf.

If someone updates this document it becomes a “Latest Update”. User1 will see it in the Latest documents but User2 will not.

I tried using the PHPSPO library (https://github.com/vgrem/phpSPO) and it is giving me results, but this library gives results based on the admin credential which I pass to connect to SharePoint. So this is giving me all the documents regardless of the logged-in user's permissions.

How can we achieve this in the logged-in user's context, considering the user is already logged in to the Drupal application through SSO?

I also tried to make an AJAX request with credentials from the Drupal app, but it always gives me CORS and CORB errors. I don't know if this is the right way of solving it. Below is the code –

    var urlval = "https://abc.sharepoint.com/_api/search/query?querytext='isdocument:1'&selectproperties='Title,Size,Name,Path,FileExtension'&rowlimit=5&sortlist='created:descending'&refiners='fileextension'";

    // Ask the browser to attach cookies to cross-origin XMLHttpRequests.
    $.ajaxSetup({
      xhrFields: {
        withCredentials: true
      }
    });

    $.ajax({
      type: 'GET',
      crossDomain: true,
      // Note: dataType 'jsonp' makes jQuery load the URL through a <script> tag
      // instead of XMLHttpRequest, so the headers and xhrFields above are not
      // applied to this request.
      dataType: 'jsonp',
      url: urlval,
      cache: false,
      headers: {
        "accept": "application/json",
        // Access-Control-Allow-Origin is a *response* header that the server
        // sets; sending it on the request does not influence the CORS check.
        "Access-Control-Allow-Origin": "https://abc.sharepoint.com",
      },

      success: function( response ) {
        console.log( response ); // server response
      }
    });

Please help me to solve this problem.

Thanks

browser – How can I run a 90’s DOS application online?

I am teaching a class on a very obscure subject and I’ve been given a piece of old software that can help a great deal, under the restriction that I am not to hand it to others.

Currently I am running it on DosBox with automatic folder mount instructions prewritten; but I’ve got to do this every semester for ~100 computers and erase them after the semester is over.

So to save me the trouble I decided to look into running it online (maybe from my hostkoala hosting), but I don't know how. How can I make this application run?

There must be a better way!

mobile application – Using GIFs / LottieFiles on the interfaces of the app’s onboarding

So I was wondering if it’s healthy to have a gif or a Lottie file (simple animation) instead of images on my “mobile application onboarding UI”.

Is this even applicable by developers? or is it not possible to add a Lottie file there?

What’s the best practice on that matter?

Check application version in Catalina

I just upgraded to Catalina 10.15.7 coming from High Sierra.

On any previous macOS release I could press space on any app in the app drawer to show the application version.

I’m positive they removed it in recent release since I can’t view app version anymore.

Any other method to view app version?

licensing – Can I use a EPL library in closed source commercial application?

I am planning to use the Jakarta ee library which is licensed under EPL v2.0 in my project.
For example using java.xml.bind annotations.

I wonder if that impacts the license of my closed source commercial application? (I assume not since this is not really a derivative work?)

web application – XSS via Ajax request?

I’m currently honing in on my web exploitation skills and came across this JavaScript function here:

 Event.observe(window, 'load', function() {
    new Ajax.Request('/dir/dir', {
      method: 'post',
      // Prototype.js request body. The server emits the string with \xNN
      // escapes for '=', '&', ';' and '<', so it decodes to
      // action=refreshAjaxModule&amp;modId=_1895_1&amp;groupId=_1_1&amp;group_id=&lt;XSS
      // (the last parameter is the injected value, HTML-entity-encoded).
      parameters: 'action\x3DrefreshAjaxModule\x26amp\x3BmodId\x3D_1895_1\x26amp\x3BgroupId\x3D_1_1\x26amp\x3Bgroup_id\x3D\x26lt\x3BXSS',
      onSuccess: function(transport) {
        try {
          // Text of the first <x> element in the XML response; throws (and
          // lands in the catch below) if the response is not XML or has no <x>.
          var res = transport.responseXML.getElementsByTagName('x')[0].textContent;
          // Prototype's String#stripScripts removes <script> blocks; the
          // remaining markup is inserted as HTML ...
          $('div_1').innerHTML = res.stripScripts();
          // ... and the scripts that were stripped are evaluated separately
          // by a page-specific helper.
          page.globalEvalScripts(res, true);
        } catch (e) {
          $('div_1').innerHTML = 'Failed';
        }
      },
      onFailure: function(transport) {
        $('div_1').innerHTML = 'Fail';
      }
    });
  });

My understanding of the script is that when the page loads, an Ajax POST request will be sent, and if it's successful, it'll call the function and try to do something, but I'm not entirely sure what it's doing…

I feel like this might be an attack vector, as you can inject values into the parameters field via the URL, except things like <script> are filtered and switched out with <xxxx>. <body onload`=alert(1)> seems to get through unfiltered, but it requires the back tick, which makes the alert not work.

I’m just wondering what other possible payloads there could potentially be, if any? When I inject <XSS (like in the code above) it falls through to the catch statement so I’m not sure if there’s something I can do to make it not cause an exception and pass things through as valid input.
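
The defensive counterpart to the snippet above, added here as an example and not taken from the original post or from the application it comes from: user-controlled values are percent-encoded into the request body, the `_1895_1`-style identifiers are allow-list validated, and the server response is rendered with `textContent` rather than `innerHTML`. The function names and the fake element object used for running under Node are this example's own assumptions.

```javascript
// Added example, not code from the original post. The names below
// (buildParams, isValidId, renderAsText, demo) are this example's own.

// Percent-encode every key and value so that a user-controlled value (for
// example a group_id taken from the URL) can only ever be one parameter
// value, never extra parameters or markup inside the request body.
function buildParams(params) {
  return Object.keys(params)
    .map(function (k) {
      return encodeURIComponent(k) + "=" + encodeURIComponent(params[k]);
    })
    .join("&");
}

// Allow-list validation for the identifier format seen on the page
// ("_1895_1", "_1_1"): underscore, digits, underscore, digits.
// Anything else is rejected before it reaches the request or the DOM.
function isValidId(id) {
  return /^_\d+_\d+$/.test(String(id));
}

// Render a server response as literal text. Assigning textContent instead
// of innerHTML means the browser never parses the string as markup, so a
// "strip <script> then innerHTML" step is not needed. `container` is any
// object with a textContent property: a DOM element in the browser, a plain
// object when run under Node.
function renderAsText(container, text) {
  container.textContent = String(text);
  return container.textContent;
}

// Constructed demo: the same parameter set as the page's request, with the
// injected value ("<XSS") passed through the encoder and a fake element.
function demo() {
  var body = buildParams({
    action: "refreshAjaxModule",
    modId: "_1895_1",
    groupId: "_1_1",
    group_id: "<XSS"
  });
  var fakeDiv = { textContent: "" };
  renderAsText(fakeDiv, "<b>response</b>");
  return {
    body: body,                      // "...&group_id=%3CXSS"
    rendered: fakeDiv.textContent,   // literal "<b>response</b>", not markup
    idOk: isValidId("_1895_1"),      // true
    injectedOk: isValidId("<XSS")    // false
  };
}
```

Running `demo()` in Node or a browser console shows the encoded body and the inert rendering; in a real page `container` would be the element looked up with `$('div_1')`.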

penetration test – Application is validating the file extension but not file content – Is this a security vulnerability?

It is unclear what the expectations on the application are in this case, and thus your question cannot be answered.

For example if the recipient expects data from untrusted sources anyway, it can be expected that the PDF is checked at the recipient. If the recipient instead expects fully trustable data, then more checks need to be done on the way to the recipient. These might be done in the web application during upload but also might be done at a later stage during delivery.

In other words: you cannot look at the application in isolation but must see the bigger picture. From that you can derive the requirements on the application. Only with the actual requirements can you decide if this is a vulnerability in the application or not. And only with the bigger picture can it be determined if and how such a vulnerability could actually be exploited.
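
As an added example that is not part of the original answer: one way an upload gate can check file content as well as the extension, restricted here to PDF. The function name, the signature table and the sample byte strings are constructed for this illustration; where such a check belongs (at upload or at delivery) is the requirements question the answer raises.

```python
# Added example, not from the original answer. check_upload, SIGNATURES and
# the sample inputs are constructed for illustration.
import os

# Allowed extensions mapped to the byte signature the content must start with.
# A PDF begins with "%PDF-"; rejecting files where the header is not at
# offset 0 is the conservative choice for an upload gate.
SIGNATURES = {
    ".pdf": b"%PDF-",
}


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded file name and its bytes.

    Both the extension and the leading bytes must agree; a file that is
    named .pdf but does not start with the PDF header is rejected, which is
    exactly the gap an extension-only check leaves open.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match extension"
    return True, "ok"


# Constructed sample inputs.
GOOD_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n"
HTML_AS_PDF = b"<html><body>not a pdf</body></html>"

if __name__ == "__main__":
    for name, blob in [("report.pdf", GOOD_PDF),
                       ("report.pdf", HTML_AS_PDF),
                       ("report.pdf.exe", GOOD_PDF)]:
        print(name, check_upload(name, blob))
```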

Cannot assign requested address in Docker .NET Console client application

I am trying to learn some Docker. I managed to set up an API image/container and it works fine; I can get a response from the API when I go through a web browser. However my console client can't get a request to my API and I am not sure why. The only error I get is Cannot assign requested address in the Docker CLI.

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

class Program
{
    static HttpClient client = new HttpClient();
    static string apiUrl = "http://localhost:8080";

    static void Main()
    {
        System.Console.WriteLine("Console started.");
        RunAsync().GetAwaiter().GetResult();
    }

    static async Task RunAsync()
    {
        // Update port # in the following line.
        // Note: GetValueAsync() requests an absolute URL built from apiUrl
        // (port 8080), so this BaseAddress (port 64195) is not used for it.
        client.BaseAddress = new Uri("http://localhost:64195/");
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(
            new MediaTypeWithQualityHeaderValue("application/json"));

        System.Console.WriteLine(client.BaseAddress);

        try
        {
            var value = await GetValueAsync();
        }
        catch (HttpRequestException e)
        {
            // The "Cannot assign requested address" error surfaces here.
            System.Console.WriteLine(e.Message);
        }
    }
}

And the method that generates the error:

    // Belongs inside the Program class above. Value is the DTO type
    // deserialised from the API (its fields are not shown here);
    // ReadAsAsync<T> comes from the Microsoft.AspNet.WebApi.Client package.
    static async Task<Value> GetValueAsync()
    {
        Value value = null;

        // Absolute URL: "http://localhost:8080/value"
        HttpResponseMessage response = await client.GetAsync(apiUrl + "/value");
        System.Console.WriteLine("TEST");
        if (response.IsSuccessStatusCode)
        {
            value = await response.Content.ReadAsAsync<Value>();
        }
        return value;
    }

The program stops and returns an error on the client.GetAsync line; it never gets to the WriteLine("TEST"). Does anyone know what the problem could be? Everything else works until the request. On the request, Cannot assign requested address shows up and stops the container/program.