Security Basics mailing list archives
Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps
From: stef <stefmit () starband net>
Date: Mon, 28 Oct 2002 13:06:34 -0600
Thank you - but the point I was trying to make was that a browser solution relies on clients keeping the setup/configuration as such. A sophisticated user could easily change that back to defaults, or whatever else (or even the reg key disabling access to the Advanced tab ... as it is a simple HKEY_USER entry), and take advantage of the other users sharing that PC, leaving traces of their visits. This is why I was looking into a server-based solution. Speaking of server-based solution I actually came across something I was going to try: mod_headers and mod_expires in Apache - presumably able to handle the needed cache-control in http (the application-layer protocol), rather than in HTML (which would have been very messy ... as I initially mentioned in my post, because of the zillion templates needed to have the HTML code appended with appropriate Pragmas or Metatags) ... but the problem with this approach (mod_xxx) is that the Apache is delivered by Oracle in binary form, thus less lilkely to be able to get the source and recompile the needed modules ... I am still looking, though. Thx, Stef On Monday 28 October 2002 12:57 pm, you wrote:
In IE : Tools\Internet Options\ Choose Settings in Temporary Internet File panel and checked every time you visit page. It seems to solve the problem ----- Original Message ----- From: "stef" <stefmit () starband net> To: <security-basics () securityfocus com> Sent: Friday, October 25, 2002 11:14 AM Subject: Viewing web content off-line (Apache) - default Oracle install of self-service appsHi, all, A first attempt of mine in posting this was declined by the moderator as irrelevant to a security list, so I am trying to reformulate to emphasizethefact that the only reason of this post is a security issue: we havestarteddeploying Oracle self-services in my company (HR-related "modules", among others), based on Oracle 9 as database and Apache as web server. Theproblemis that these applications contain highly confidential data (e.g. salary info), and in the areas where the PCs are shared among multiple users, the availability of pages saved in the history is of great concern. Here iswhatis happening: after having "visited" the salary information, regardless of whether the user exits the application properly, or not, his informationisavailable to the next user by simply doing the following: - in a browser like Microsoft IE - choose "work offline" - choose then the history menu - "pick" ("click") on one of the previously visited pages (by other employees) --> boom - salary info from previous visitor is available We are running all this using SSL (obviously in an attempt to avoid the damage of traffic sniffing as much as we can) , so we found an easysolutionbeing the "tweaking" of the browser in the security options, by checkingthe"Do not save encrypted pages to disk" in the Tools --> Internet options...--> Advanced menu (in the IE). We also have knowlegde on how to do this "scripted", such that all the browsers get the change, by using a reg hack deployed through the login srcipt, one containing also removal of specific rights for regular users changing back this option, BUT I do not thinkthisis a proper way of resolving such a security issue. I think that thesolutionshould reside on the Apache side, by forcing (somehow) this type of "caching"/"history kept" from happening. I know the basics of HTMLMetatagsor Pragmas in regards to expiration of cache, etc. ... but this is not the solution I am seeking, as it won't work on dynamically created pages - I think there may be a solution using Java bases app(let)s forcing this dynamically, such that we could deploy a "hidden" such applet on every dynamically created page .... Sorry for the lengthy posting - in the end the simple question is: has anybody been faced with this challenge of self-service-like apps,deliveredvia Apache-based servers? If yes - how did you resolve the securityaspectssuch as the one I described above? Thx, Stef
Current thread:
- Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 28)
- Message not available
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 28)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Johan De Meersman (Oct 29)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 30)
- [CLOSED]Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 31)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps stef (Oct 28)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Ryan Parr (Oct 29)
- Message not available
- <Possible follow-ups>
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Chris Berry (Oct 29)
- Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps Chris Berry (Oct 31)