Security Basics mailing list archives
Viewing web content off-line (Apache) - default Oracle install of self-service apps
From: stef <stefmit () starband net>
Date: Fri, 25 Oct 2002 05:14:08 -0500
Hi, all, A first attempt of mine in posting this was declined by the moderator as irrelevant to a security list, so I am trying to reformulate to emphasize the fact that the only reason of this post is a security issue: we have started deploying Oracle self-services in my company (HR-related "modules", among others), based on Oracle 9 as database and Apache as web server. The problem is that these applications contain highly confidential data (e.g. salary info), and in the areas where the PCs are shared among multiple users, the availability of pages saved in the history is of great concern. Here is what is happening: after having "visited" the salary information, regardless of whether the user exits the application properly, or not, his information is available to the next user by simply doing the following: - in a browser like Microsoft IE - choose "work offline" - choose then the history menu - "pick" ("click") on one of the previously visited pages (by other employees) --> boom - salary info from previous visitor is available We are running all this using SSL (obviously in an attempt to avoid the damage of traffic sniffing as much as we can) , so we found an easy solution being the "tweaking" of the browser in the security options, by checking the "Do not save encrypted pages to disk" in the Tools --> Internet options ... --> Advanced menu (in the IE). We also have knowlegde on how to do this "scripted", such that all the browsers get the change, by using a reg hack deployed through the login srcipt, one containing also removal of specific rights for regular users changing back this option, BUT I do not think this is a proper way of resolving such a security issue. I think that the solution should reside on the Apache side, by forcing (somehow) this type of "caching"/"history kept" from happening. I know the basics of HTML Metatags or Pragmas in regards to expiration of cache, etc. ... but this is not the solution I am seeking, as it won't work on dynamically created pages - I think there may be a solution using Java bases app(let)s forcing this dynamically, such that we could deploy a "hidden" such applet on every dynamically created page .... Sorry for the lengthy posting - in the end the simple question is: has anybody been faced with this challenge of self-service-like apps, delivered via Apache-based servers? If yes - how did you resolve the security aspects such as the one I described above? Thx, Stef
Current thread:
- Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 28)
- Message not available
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 28)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Johan De Meersman (Oct 29)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 30)
- [CLOSED]Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 31)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 28)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Ryan Parr (Oct 29)
- Message not available
- <Possible follow-ups>
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Chris Berry (Oct 29)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Chris Berry (Oct 31)