Thursday

Allow/Deny Directives Ignored

Just a quick note to let you know about a potential security vulnerability when you are running Oracle Web Cache and Oracle HTTP Server on the same server. Note 263943.1
contains all of the details, but in a nutshell: instead of the client's IP address being passed to the HTTP server, Web Cache passes its own IP address. Certain Allow/Deny rules that you have set up in your httpd.conf file may therefore not work as expected.

For example, from the application server's httpd.conf file:


# Location path assumed: the path argument did not survive extraction, so the
# conventional mod_status path is used here
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost myserver.mydomain myserver
</Location>



The server status page contains useful information to aid in troubleshooting performance problems with the application server (see note 280165.1). It also contains information you would not want a potential attacker to see, such as the server version and the requests currently in progress.

As you can see from the Deny/Allow entries above, we only want requests from localhost or myserver (myserver == localhost) to gain access. However, since Web Cache is on the same server, it passes the server's own IP address instead of the client's. The HTTP server therefore believes every request is from a local client and grants access. Obviously, this is not the intended effect.

This is just one example. If you are relying on Allow/Deny rules to restrict access to certain parts of your applications, you may be exposing more than you think.

The solution is to set the parameter UseWebCacheIp to ON in the Oracle HTTP Server httpd.conf file and restart it. Please see note 263943.1 for the versions affected and the patch levels required before making this change.
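As an added illustration (this is not code from the original post or from Oracle), the following Python simulates how the "Order deny,allow / Deny from all / Allow from ..." block above is evaluated against the address the HTTP server believes it is talking to: first using the TCP peer address (the default, where a co-located Web Cache makes every request look local), then using the client address Web Cache forwards. It also models the caveat raised in the comments below: a forwarded client address is only trustworthy when the connection actually comes from the proxy, otherwise a client that can reach the HTTP server directly can spoof it. The IP addresses, the header name ClientIP and the trusted-proxy list are assumptions made for the example, and the Allow list from the httpd.conf fragment is expressed as IP networks instead of hostnames so the code runs without DNS.

```python
"""Simulate Apache-style Allow/Deny evaluation behind a co-located reverse
proxy (Oracle Web Cache in front of Oracle HTTP Server on the same host)."""

import ipaddress
from dataclasses import dataclass, field

# Constructed addresses: the host runs both Web Cache and the HTTP server.
SERVER_IP = "10.0.0.5"
EXTERNAL_CLIENT = "203.0.113.7"

# Assumption: the header in which Web Cache forwards the original client
# address.  Only connections from these peers are allowed to set it.
CLIENT_IP_HEADER = "ClientIP"
TRUSTED_PROXIES = {"127.0.0.1", SERVER_IP}

# "Allow from localhost myserver.mydomain myserver" from the httpd.conf above,
# written as networks so no DNS lookup is needed (myserver == localhost).
LOCAL_ALLOW = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network(SERVER_IP + "/32"),
]


@dataclass
class Request:
    peer_ip: str                       # TCP peer as seen by the HTTP server
    headers: dict = field(default_factory=dict)


def effective_client_ip(req, use_webcache_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return the address access control is evaluated against.

    use_webcache_ip=False: the default; the TCP peer is used, so every request
        relayed by a Web Cache on the same host looks like a local client.
    use_webcache_ip=True: honour the forwarded header, but only when the TCP
        peer is a trusted proxy.  trusted_proxies=None means "trust anyone",
        which is the spoofable situation described in the comments.
    """
    if not use_webcache_ip:
        return req.peer_ip
    forwarded = req.headers.get(CLIENT_IP_HEADER)
    if forwarded and (trusted_proxies is None or req.peer_ip in trusted_proxies):
        return forwarded
    return req.peer_ip


def allowed_by_deny_allow(ip, allow_list=LOCAL_ALLOW):
    """Order deny,allow; Deny from all; Allow from <allow_list>.

    Deny rules are applied first and match everyone, then Allow rules
    override, so only an address matching an Allow entry gets in.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow_list)


def check_request(req, use_webcache_ip, trusted_proxies=TRUSTED_PROXIES):
    """True if the request would reach the server-status handler."""
    return allowed_by_deny_allow(
        effective_client_ip(req, use_webcache_ip, trusted_proxies))


if __name__ == "__main__":
    # Constructed scenarios.
    via_cache = Request(SERVER_IP, {CLIENT_IP_HEADER: EXTERNAL_CLIENT})
    admin_via_cache = Request(SERVER_IP, {CLIENT_IP_HEADER: "127.0.0.1"})
    direct_spoof = Request(EXTERNAL_CLIENT, {CLIENT_IP_HEADER: "127.0.0.1"})

    print("external via Web Cache, UseWebCacheIp OFF:",
          check_request(via_cache, False))            # True  (the bug)
    print("external via Web Cache, UseWebCacheIp ON: ",
          check_request(via_cache, True))             # False (fixed)
    print("admin via Web Cache, UseWebCacheIp ON:    ",
          check_request(admin_via_cache, True))       # True
    print("direct spoof, header trusted from anyone: ",
          check_request(direct_spoof, True, None))    # True  (spoofable)
    print("direct spoof, header trusted from proxy:  ",
          check_request(direct_spoof, True))          # False
```

The last two lines of the demo are the point of the comment thread: turning on UseWebCacheIp fixes the local-client problem, but if clients can bypass Web Cache and talk to the HTTP server port directly, the forwarded address must not be believed from arbitrary peers, so either firewall the HTTP server port so that only Web Cache can reach it or leave the header untrusted for non-proxy connections.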

I am not sure why this parameter isn't enabled by default, and I can't think of a reason why not. However, I am new to supporting a standalone application server, and there must be a reason, otherwise Oracle would have it enabled. Do you know of one? If so, please leave a comment.

3 comments:

College guy said...

Setting it to ON will allow me to spoof my IP address if I, as a client, can access the Oracle HTTP server directly, i.e. without going through the web cache.

How this comes about is explained here: http://download.oracle.com/docs/cd/B15897_01/web.1012/b14007/netconf.htm#CHDCHIEI

Unknown said...

Hey, yes you are right, depending on your setup clients may be able to spoof their IP address. Thanks for the link!

Jonas Zanon said...

Hello,

this helped me a lot today.
Thanks for that.
I'm also not sure why it is not enabled by default.
Thanks again!