[CLOSED] Viewing web content off-line (Apache) - default Oracle install of self-service apps
From: stef (stefmit@starband.net) Date: 10/30/02
From: stef <stefmit@starband.net> To: security-basics@securityfocus.com Date: Wed, 30 Oct 2002 15:59:28 -0600
Finally figured it out myself:
- Oracle apache binary comes with the mod_expires and mod_headers
precompiled. All I had to do in the end was to enable them in the
configuration file, to find that they worked just fine - a very nice document
explaining how to do that is here:
http://linux.oreillynet.com/lpt/a/1424
Once having done that, no client is able to try to work offline and still
read previously cached info --> security issue at the client level addressed!
Thx to everyone for all the suggestions - and thank you to the moderator for
letting this go through, even though so vendor specific.
Stef
On Wednesday 30 October 2002 08:43 am, stef wrote:
> EXACTLY!! But here is my hope: according to the standards, all browsers
> developed by HTTP1.1 standard are forced to abide by the requirements in
> the HTTP headers, even though not necessarily forced to go by Pragmas
> and/or Metatags (which are HTML "enforcers", instead) ... this is the
> difference I count on: HTTP vs. HTML. Besides the obvious fact that it is
> much easier to modify configuration files for Apache in one single place
> (for the HTTP solution, if you want to call it as such), vs. modifying all
> possible HTML templates Oracle delivers with their products (the HTML
> solution). The drawback? Apache comes in binary form from Oracle, for the
> HP-UX platform, and does not use the "standard" httpd.conf ... so I am
> digging up the non-documented apache workings right now.
>
> And - to stay on the topic of this forum - my initial question was: really
> nobody has been presented with this security issue, taking into account the
> vast deployment of Oracle with Apache, as well as Oracle apps, throughout
> the world?!?
>
> Thx again to all who replied,
> Stef
>
> On Tuesday 29 October 2002 04:13 am, Johan De Meersman wrote:
> > The way I understand what you're trying to do, all you need is to send
> > http-headers 'Expires: now' and/or 'Nochache'. I'm not sure about the
> > exact syntax (have a look at the http rfc), but your server-side
> > application should be able to handle this easily. However, whatever
> > server-side pragmas you implement, you'll always be depending on the
> > client browser to accurately interpret them.
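
A header check for the approach discussed in this thread, as an added example that is not part of the original messages: it classifies a response by what the HTTP/1.1 caching rules allow a client to do with its cached copy when the server cannot be reached. The function names, verdict strings and sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    out = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') or None
    return out

def is_fresh(h, cc):
    """HTTP/1.1 freshness: max-age wins over Expires; bad values count as expired."""
    try:
        if "max-age" in cc:
            return int(cc["max-age"]) > 0
        if "expires" in h:
            base = (parsedate_to_datetime(h["date"]) if "date" in h
                    else datetime.now(timezone.utc))
            return parsedate_to_datetime(h["expires"]) > base
    except (TypeError, ValueError):
        return False  # e.g. "Expires: 0" is an invalid date, so already expired
    return True  # no explicit lifetime: a cache may assign a heuristic one

def offline_exposure(headers):
    """Classify what a cache may do with this response when the server is unreachable."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc:
        return "not-stored"           # must not be written to the cache at all
    if "no-cache" in cc and cc["no-cache"] is None:
        return "revalidate-required"  # no reuse without asking the server
    if is_fresh(h, cc):
        return "fresh"                # reusable without any server contact
    # Stale entries may still be shown when disconnected unless must-revalidate is set.
    return "revalidate-required" if "must-revalidate" in cc else "stale-ok-offline"

# Constructed sample responses (not captured from any real server).
D = "Wed, 30 Oct 2002 21:59:28 GMT"
SAMPLES = {
    "expires-now only": {"Date": D, "Expires": D},
    "expires-now + no-store": {"Date": D, "Expires": D,
                               "Cache-Control": "no-store, no-cache, must-revalidate"},
    "max-age=0 + must-revalidate": {"Cache-Control": "max-age=0, must-revalidate"},
    "one hour lifetime": {"Date": D, "Expires": "Wed, 30 Oct 2002 22:59:28 GMT"},
}
if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:30} {offline_exposure(hdrs)}")
```

The first sample shows why an immediate expiry on its own is only a freshness statement: the copy is still stored, so the verdict changes only once `no-store`, `no-cache` or `must-revalidate` is sent as well.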