Security Basics mailing list archives
Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps
From: "Pablo Gietz" <pablo.gietz () nuevobersa com ar>
Date: Tue, 29 Oct 2002 14:21:50 -0300
You should encrypt the output from the Apache server, redirecting ports, and develop a personal browser that decrypts the pages "only for your eyes", making no cache of anything.

Pablo A. C. Gietz
Head of Information Security
Nuevo Banco de Entre Ríos S.A.
Tel.: 0343 - 4201351

----- Original Message -----
From: "stef" <stefmit () starband net>
To: <security-basics () securityfocus com>
Sent: Friday, October 25, 2002 7:14 AM
Subject: Viewing web content off-line (Apache) - default Oracle install of self-service apps
Hi, all,

A first attempt of mine in posting this was declined by the moderator as irrelevant to a security list, so I am trying to reformulate to emphasize the fact that the only reason of this post is a security issue: we have started deploying Oracle self-services in my company (HR-related "modules", among others), based on Oracle 9 as database and Apache as web server. The problem is that these applications contain highly confidential data (e.g. salary info), and in the areas where the PCs are shared among multiple users, the availability of pages saved in the history is of great concern. Here is what is happening: after having "visited" the salary information, regardless of whether the user exits the application properly, or not, his information is available to the next user by simply doing the following:

- in a browser like Microsoft IE - choose "work offline"
- choose then the history menu
- "pick" ("click") on one of the previously visited pages (by other employees) --> boom - salary info from previous visitor is available

We are running all this using SSL (obviously in an attempt to avoid the damage of traffic sniffing as much as we can), so we found an easy solution being the "tweaking" of the browser in the security options, by checking the "Do not save encrypted pages to disk" in the Tools --> Internet options ... --> Advanced menu (in the IE). We also have knowledge on how to do this "scripted", such that all the browsers get the change, by using a reg hack deployed through the login script, one containing also removal of specific rights for regular users changing back this option, BUT I do not think this is a proper way of resolving such a security issue. I think that the solution should reside on the Apache side, by forcing (somehow) this type of "caching"/"history kept" from happening. I know the basics of HTML Metatags or Pragmas in regards to expiration of cache, etc. ... but this is not the solution I am seeking, as it won't work on dynamically created pages - I think there may be a solution using Java based app(let)s forcing this dynamically, such that we could deploy a "hidden" such applet on every dynamically created page ....

Sorry for the lengthy posting - in the end the simple question is: has anybody been faced with this challenge of self-service-like apps, delivered via Apache-based servers? If yes - how did you resolve the security aspects such as the one I described above?

Thx,
Stef
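A server-side way to do what Stef asks for, added here as an example and not taken from the thread or from Oracle's shipped configuration: mod_headers stamps every response under the application path with Cache-Control: no-store, which tells the browser not to write the page to its disk cache at all, whether the page is static or generated dynamically, so nothing is left for "work offline" on a shared PC. The path /selfservice/ and the module file location are placeholders.

```apache
# Added example (not from the thread): force no-store on every response
# served under the self-service application so shared PCs keep nothing on
# disk. "/selfservice/" is a placeholder for the real application location;
# the LoadModule path is the usual one but varies by build.
LoadModule headers_module modules/mod_headers.so

<Location /selfservice/>
    # no-store: the browser must not write the response to its disk cache,
    # which is what the IE "work offline" history replays. The remaining
    # values are belt and braces for HTTP/1.0 clients and intermediate proxies.
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"
    Header set Pragma "no-cache"
    Header set Expires "0"
    # On Apache 2.2.12 or later, "Header always set ..." additionally applies
    # the headers to error and redirect responses, not just 2xx pages.
</Location>
```

Verify on an application page rather than a static file, e.g. `curl -sI https://host/selfservice/somepage` should show `Cache-Control: no-store`; if the headers appear only on static content, the dynamic handler is bypassing the Location block.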