WebApp Sec mailing list archives

RE: Security using Apache module


From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Fri, 19 Mar 2004 10:54:57 -0500

A servlet in Box1 could forward requests to Box2 (forwarding, not
redirection). The request will carry all headers, even query-string/POST
variables. So why not make a servlet that authenticates in Box1 and then
forwards the request to Box2? The user will never notice he/she is
leaving Box1.

Regards,
JC


-----Original Message-----
From: stevenr () mastek com [mailto:stevenr () mastek com]
Sent: Wednesday, 17 March 2004 11:45 p.m.
To: webappsec () securityfocus com
Subject: Security using Apache module


Hi all
 
I just wanted to bounce an idea off you folks on this mailing list.
 
I have a web-based J2EE application hosted on one box (Box1) and a
web-based report-generating server on another box (Box2). Both Box1 and
Box2 talk to a common DB. A user logs into Box1 and is authenticated, and
the server stores a session id in a cookie. Then a link from the
application points to Box2 and fetches a dynamically generated report in
PDF format by passing the required parameters in the URL to Box2.
 
Problem: 
There is no session-related connection between Box1 and Box2. The reports
application is a 3rd-party tool, the only common point between the two
boxes being that they talk HTTP using the Apache server (version 1.3,
FYI). So it is possible for a user to craft the URL pointing to Box2
and circumvent Box1 altogether.
 
Though there are several ways to get around this, I was thinking along the
lines of creating a "mod" embedded in Apache on Box2, just like
mod_security, which searches for a cookie (that is set only if
authenticated from Box1, and the cookie is stored in the DB), and then does a
check before Box2 replies to the request. I chose this approach since
all the web servers are going to be Apache and I can reuse the mod for
further applications, but I have not written modules before :(
 
The module could probably have some code like
 
1. get cookie from headers
2. query db for this cookie value in the DB
3. If OK, then allow request, else return 403  
 
Probably the cookie could be hashed etc. (to prevent an attacker from
creating one on his/her own), and a check could be made to prevent
SQL-injection type attacks (since it is being used in a query).
 
Can you folks help me out on this... Let me know if any more info is
required.
 
a. How easy/difficult is it to write mods in Apache? Any links/sites
welcome.
b. Any apparent holes in this approach?
c. Is there going to be a significant performance hit for such a mod in
Apache (assuming that the code is tuned and well written)?
d. For those who have worked on it, can mod_security be used to resolve
this issue?
e. And lastly, does anyone have a better idea?
 
 
Thanks in advance for any inputs, guys/gals. 
 
Regards, 
Steven Rebello


 


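The three-step check the original post sketches (get cookie from headers, look it up in the DB, allow or 403) is spelled out below as an added example. It is not code from either poster and not an Apache module; it is plain Python so the decision logic can be run and tested on its own before anyone commits it to the 1.3 module API. Everything beyond the post's outline is an assumption: the cookie name BOX1SESSION, a `sessions` table with an expiry column, the shared secret, and the choice to realise the "hashed cookie" as `<sid>.<HMAC-SHA256(secret, sid)>` so Box2 can drop forged or malformed cookies before touching the DB. SQLite in memory stands in for the common DB so the example runs offline. The `lookup_unsafe` function at the end is the mistake the post wants to avoid, kept only for contrast.

```python
"""Added example, not from the thread: the Box2-side check the proposed
module would perform, as stand-alone Python.

Assumptions (mine, not the original poster's):
  - Box1 writes a random session id into a `sessions` table at login;
    the table layout and the expiry column are constructed for this example.
  - The cookie value is  <sid>.<HMAC-SHA256(SECRET, sid)>  with SECRET
    shared by Box1 and Box2 (one way to do the "hashed cookie" the post
    mentions; not the poster's design).
  - SQLite in memory stands in for the common DB so this runs offline.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

COOKIE_NAME = "BOX1SESSION"                       # assumed cookie name
SECRET = b"constructed-demo-secret-do-not-reuse"  # assumed shared secret
SID_LEN = 32   # 16 random bytes, hex encoded
MAC_LEN = 64   # SHA-256, hex encoded
HEX = frozenset("0123456789abcdef")


def init_db():
    """Constructed stand-in for the common DB both boxes talk to."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, user TEXT, expires INTEGER)")
    return db


def issue_cookie(db, user, ttl=3600, now=None):
    """Box1 side: record a new session and return the cookie value."""
    now = int(time.time()) if now is None else now
    sid = secrets.token_hex(16)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, user, now + ttl))
    mac = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return sid + "." + mac


def cookie_from_header(header, name):
    """Step 1 of the post: pull one cookie out of a raw Cookie: header value."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def check_request(db, headers, now=None):
    """Box2 side, the module's decision: returns (status, user).

    Cheap syntactic and MAC checks run first, so garbage and forged cookies
    are rejected without a DB round trip; that also bounds the per-request
    cost the poster asks about in question (c).
    """
    now = int(time.time()) if now is None else now
    value = cookie_from_header(headers.get("Cookie", ""), COOKIE_NAME)
    if value is None:
        return 403, None
    sid, sep, mac = value.rpartition(".")
    if not sep or len(sid) != SID_LEN or len(mac) != MAC_LEN:
        return 403, None               # wrong shape: Box1 never issued this
    if not HEX.issuperset(sid) or not HEX.issuperset(mac):
        return 403, None               # not lowercase hex
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return 403, None               # forged or tampered
    # Step 2 of the post: the sid is bound as a parameter, never spliced into SQL.
    row = db.execute(
        "SELECT user, expires FROM sessions WHERE sid = ?", (sid,)
    ).fetchone()
    if row is None or row[1] < now:
        return 403, None               # unknown or expired session
    return 200, row[0]                 # Step 3: allow the request


def lookup_unsafe(db, value):
    """The mistake the post wants to avoid, for contrast only: splicing the
    cookie into the query lets  ' OR '1'='1  match any row."""
    return db.execute(
        "SELECT user FROM sessions WHERE sid = '" + value + "'"
    ).fetchone()


if __name__ == "__main__":
    db = init_db()
    cookie = issue_cookie(db, "alice")
    print(check_request(db, {"Cookie": f"{COOKIE_NAME}={cookie}"}))
    print(check_request(db, {"Cookie": f"{COOKIE_NAME}=' OR '1'='1"}))
    print(lookup_unsafe(db, "' OR '1'='1"))
```

Because the format and MAC checks run before the query, the DB is only consulted for cookies Box1 could actually have issued; the parameterised query then handles the remaining injection concern regardless of what the header contained.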
