RE: Security using Apache module

[<stevenr () mastek com>]

Hi all

I have indeed got a host of ideas from all the replies here. Since quite
a few have mentioned closing Box2 access other than from Box1, I would
like to clarify about this. The 3rd party tool hosted on Box2 requires
direct connection to the client browser as the (#$%#$^$) server
generates a response depending on the type of User Agent accessing it.
If I use mod_proxy or a servlet wrapper as some suggested, I am unsure
of how the tool will behave. Also no proper documentation is available
about if it uses any other headers( nothing unusual about this I guess
;) ), so I cant risk putting in a User Agent header myself.


Regards, 
Steven Rebello 


-----Original Message-----
From: chorn () chorn com [mailto:chorn () chorn com] 
Sent: Thursday, March 18, 2004 8:15 PM
To: Steven Rebello
Cc: webappsec () securityfocus com
Subject: Re: Security using Apache module

On 2004/03/18 11:15:16 +0530, stevenr () mastek com wrote:

> I have a web based J2EE application hosted on one box(Box1)  and a 
> web-based report-generating server on another box (Box2). Both Box1 
> and
> Box2 talk to a common DB. A user logs into Box1 and is authenticated 
> and the server stores a session id in a cookie. Then a link from the 
> application points to Box2 and fetches a dynamically-generated report 
> in PDF format by passing  required parameters in the URL to Box2.
>  
> Problem: 
> There is no session-related connection from Box1 and Box2. The reports

> application is a 3rd party tool, the only common point between the two

> boxes being that they talk HTTP using the Apache server ( version 1.3,

> fyi ). So it is possible for a user to craft the URL pointing to Box2 
> and circumvent Box1 altogether.

Writing an apache module to prevent this seems like a lot of extra work.
Since Box2 is also running Apache, why not just limit access to Box1?
Depending on how the report software is accessed, you could limit only
access to that.

In .htaccess or <Directory> block:

Order deny,allow
Deny from all
Allow from Box1




MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of Mastek Limited, unless specifically 
indicated to that effect. Mastek Limited does not accept any responsibility or liability for it. This e-mail and 
attachments (if any) transmitted with it are confidential and/or privileged and solely for the use of the intended 
person or entity to which it is addressed. Any review, re-transmission, dissemination or other use of or taking of any 
action in reliance upon this information by persons or entities other than the intended recipient is prohibited. This 
e-mail and its attachments have been scanned for the presence of computer viruses. It is the responsibility of the 
recipient to run the virus check on e-mails and attachments before opening them. If you have received this e-mail in 
error, kindly delete this e-mail from all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~