Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps

From: Ryan Parr (ryanparr@thejamescompany.com)
Date: 10/29/02


From: "Ryan Parr" <ryanparr@thejamescompany.com>
To: "stef" <stefmit@starband.net>, <security-basics@securityfocus.com>
Date: Mon, 28 Oct 2002 20:24:33 -0800

If the Apache binary delivered with Oracle was compiled with DSO (httpd -l
to see the list) then you can use APXS to compile the modules, and they will
install themselves. More info at http://httpd.apache.org.

If not, is it compiled with Oracle mod_* additions which are not freely
available? If not, then just build your own Apache and drop it in.

IMHO your best bet would be one of the Authen/Authz handler combinations. It
sounds like you have all your users under non-authenticated Windows
sessions, which leaves your options limited. If you had NTLM authenticated
users then you could easily implement that protocol, and authenticate users
against your PDCs/BDCs. Then you could hook into the Authz phase, and make
sure that people were only able to get what's theirs. At least, that's how
I did it with our intranet. No Oracle, but sensitive data served to scores
of people, all needing something different depending on their position in
the company. I'm using Apache, mod_perl, Apache::AuthenNTLM, FreeBSD, and
DBD::Sybase to authorize a user against our MSSQL employee database.

----- Original Message -----
From: "stef" <stefmit@starband.net>
To: <security-basics@securityfocus.com>
Sent: Monday, October 28, 2002 11:06 AM
Subject: Re: Viewing web content off-line (Apache) - default Oracle install
of self-service apps

> Thank you - but the point I was trying to make was that a browser solution
> relies on clients keeping the setup/configuration as such. A sophisticated
> user could easily change that back to defaults, or whatever else (or even the
> reg key disabling access to the Advanced tab ... as it is a simple HKEY_USER
> entry), and take advantage of the other users sharing that PC, leaving traces
> of their visits. This is why I was looking into a server-based solution.
>
> Speaking of server-based solution I actually came across something I was
> going to try: mod_headers and mod_expires in Apache - presumably able to
> handle the needed cache-control in http (the application-layer protocol),
> rather than in HTML (which would have been very messy ... as I initially
> mentioned in my post, because of the zillion templates needed to have the
> HTML code appended with appropriate Pragmas or Metatags) ... but the problem
> with this approach (mod_xxx) is that the Apache is delivered by Oracle in
> binary form, thus less likely to be able to get the source and recompile the
> needed modules ... I am still looking, though.
>
> Thx,
> Stef
>
> On Monday 28 October 2002 12:57 pm, you wrote:
> > In IE : Tools\Internet Options\
> > Choose Settings in Temporary Internet File panel and check "Every time you
> > visit the page".
> >
> > It seems to solve the problem
> >
> > ----- Original Message -----
> > From: "stef" <stefmit@starband.net>
> > To: <security-basics@securityfocus.com>
> > Sent: Friday, October 25, 2002 11:14 AM
> > Subject: Viewing web content off-line (Apache) - default Oracle install of
> > self-service apps
> >
> > > Hi, all,
> > >
> > > A first attempt of mine in posting this was declined by the moderator as
> > > irrelevant to a security list, so I am trying to reformulate to emphasize
> > > the fact that the only reason of this post is a security issue: we have
> > > started deploying Oracle self-services in my company (HR-related
> > > "modules", among others), based on Oracle 9 as database and Apache as web
> > > server. The problem is that these applications contain highly
> > > confidential data (e.g. salary info), and in the areas where the PCs are
> > > shared among multiple users, the availability of pages saved in the
> > > history is of great concern. Here is what is happening: after having
> > > "visited" the salary information, regardless of whether the user exits
> > > the application properly, or not, his information is available to the
> > > next user by simply doing the following:
> > > - in a browser like Microsoft IE - choose "work offline"
> > > - choose then the history menu
> > > - "pick" ("click") on one of the previously visited pages (by other
> > > employees) --> boom - salary info from previous visitor is available
> > >
> > > We are running all this using SSL (obviously in an attempt to avoid the
> > > damage of traffic sniffing as much as we can), so we found an easy
> > > solution being the "tweaking" of the browser in the security options, by
> > > checking the "Do not save encrypted pages to disk" in the Tools -->
> > > Internet options ... --> Advanced menu (in the IE). We also have
> > > knowledge on how to do this "scripted", such that all the browsers get
> > > the change, by using a reg hack deployed through the login script, one
> > > containing also removal of specific rights for regular users changing
> > > back this option, BUT I do not think this is a proper way of resolving
> > > such a security issue. I think that the solution should reside on the
> > > Apache side, by forcing (somehow) this type of "caching"/"history kept"
> > > from happening. I know the basics of HTML Metatags or Pragmas in regards
> > > to expiration of cache, etc. ... but this is not the solution I am
> > > seeking, as it won't work on dynamically created pages - I think there
> > > may be a solution using Java-based app(let)s forcing this dynamically,
> > > such that we could deploy a "hidden" such applet on every dynamically
> > > created page ....
> > >
> > > Sorry for the lengthy posting - in the end the simple question is: has
> > > anybody been faced with this challenge of self-service-like apps,
> > > delivered via Apache-based servers? If yes - how did you resolve the
> > > security aspects such as the one I described above?
> > >
> > > Thx,
> > > Stef
>
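
The server-side approach raised in the quoted message (mod_headers and mod_expires setting the cache-control rules at the HTTP layer, once, for every page the application generates), as an added httpd.conf example that is not part of the original thread. It assumes an Apache 1.3 built with DSO support (Ryan's "httpd -l" check lists mod_so.c), an Oracle-style libexec module directory, and a placeholder /selfservice/ path for the self-service pages; the two module names are real, the paths are assumptions.

```apache
# Added example (not from the original thread): keep the "do not cache"
# rule on the Apache side instead of in every HTML template or in each
# client's IE settings.
#
# Prerequisites (constructed for this example):
#   httpd -l | grep mod_so.c          # DSO-capable binary?
#   apxs -i -a -c mod_headers.c       # build + install the two modules
#   apxs -i -a -c mod_expires.c
# "apxs -a" writes the LoadModule/AddModule lines; they are shown here
# explicitly. The libexec/ path follows the Oracle 9iAS layout (assumption).

LoadModule headers_module libexec/mod_headers.so
LoadModule expires_module libexec/mod_expires.so
AddModule mod_headers.c
AddModule mod_expires.c

# Placeholder path: scope this to wherever the self-service application
# actually lives so static, harmless content can still be cached.
<Location /selfservice/>
    # no-store: the browser must not write the response to disk at all, so
    # there is nothing for "Work Offline" + History to replay.
    # no-cache / must-revalidate: caches that ignore no-store still have to
    # go back to the origin before reusing the copy.
    # private: shared proxies between the PC and the server may not keep it.
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"

    # HTTP/1.0 clients and older proxies only understand Pragma.
    Header set Pragma "no-cache"

    # mod_expires adds an Expires: header equal to the request time, for
    # caches that decide on Expires rather than on Cache-Control.
    ExpiresActive On
    ExpiresDefault "access plus 0 seconds"
</Location>
```

Because mod_headers adds its headers in the fixup phase, they go out on dynamically generated responses as well as static files, which is the case the HTML meta-tag approach could not cover. After restarting httpd, fetch a page over SSL and confirm the response carries these headers; the URLs still appear in the History list, but with no-store the browser should have nothing stored on disk to show when working offline.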


