Re: Viewing web content off-line (Apache) - default Oracle install of self-service

[Konrad Rzeszutek <darnok () 68k org>]

You could use a simple Java Applet that would connect to your srever
(using HTTPS or whatever) get the information and display it. Timeout and
basic authentications would be required, but this scenario would allow the
user only to save the JavaScript, but not the information it contains
(unless one does a screen snapshot).


On Fri, 25 Oct 2002, stef wrote:

> Date: Fri, 25 Oct 2002 05:14:08 -0500
> From: stef <stefmit () starband net>
> To: security-basics () securityfocus com
> Subject: Viewing web content off-line (Apache) - default Oracle install
>     of self-service apps
>
> Hi, all,
>
> A first attempt of mine in posting this was declined by the moderator as
> irrelevant to a security list, so I am trying to reformulate to emphasize the
> fact that the only reason of this post is a security issue: we have started
> deploying Oracle self-services in my company (HR-related "modules", among
> others), based on Oracle 9 as database and Apache as web server. The problem
> is that these applications contain highly confidential data (e.g. salary
> info), and in the areas where the PCs are shared among multiple users, the
> availability of pages saved in the history is of great concern. Here is what
> is happening: after having "visited" the salary information, regardless of
> whether the user exits the application properly, or not, his information is
> available to the next user by simply doing the following:
> - in a browser like Microsoft IE - choose "work offline"
> - choose then the history menu
> - "pick" ("click") on one of the previously visited pages (by other
> employees) --> boom - salary info from previous visitor is available
>
> We are running all this using SSL (obviously in an attempt to avoid the
> damage of traffic sniffing as much as we can) , so we found an easy solution
> being the "tweaking" of the browser in the security options, by checking the
> "Do not save encrypted pages to disk" in the Tools --> Internet options ...
> --> Advanced menu (in the IE). We also have knowlegde on how to do this
> "scripted", such that all the browsers get the change, by using a reg hack
> deployed through the login srcipt, one containing also removal of specific
> rights for regular users changing back this option, BUT I do not think this
> is a proper way of resolving such a security issue. I think that the solution
> should reside on the Apache side, by forcing (somehow) this type of
> "caching"/"history kept" from happening. I know the basics of HTML Metatags
> or Pragmas in regards to expiration of cache, etc. ... but this is not the
> solution I am seeking, as it won't work on dynamically created pages - I
> think there may be a solution using Java bases app(let)s forcing this
> dynamically, such that we could deploy a "hidden" such applet on every
> dynamically created page ....
>
> Sorry for the lengthy posting - in the end the simple question is: has
> anybody been faced with this challenge of self-service-like apps, delivered
> via Apache-based servers? If yes - how did you resolve the security aspects
> such as the one I described above?
>
> Thx,
> Stef