Last modified by Pascal Robert on 2010/09/13 00:22

From version 7.1
edited by Pascal Robert
on 2010/09/13 00:22
Change comment: There is no comment for this version
To version 8.1
edited by Pascal Robert
on 2010/09/13 00:22
Change comment: There is no comment for this version

Summary

Details

Page properties
Parent
... ... @@ -1,0 +1,1 @@
1 +How-tos
Content
... ... @@ -1,7 +1,7 @@
1 1  == Encrypted Passwords ==
2 2  
3 3  Kieran Kelleher has written an excellent article on his blog about performing encryption on an EO attribute via a custom attribute:
4 -[[http://homepage.mac.com/kelleherk/iblog/C729512539/E2033071041/index.html]]
4 + [[http:~~/~~/homepage.mac.com/kelleherk/iblog/C729512539/E2033071041/index.html>>url:http://homepage.mac.com/kelleherk/iblog/C729512539/E2033071041/index.html||shape="rect"]]
5 5  
6 6  == Security Considerations ==
7 7  
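Review bot: the new line 4 picks up a leading space before `[[` that the old line did not have, so the link no longer sits flush with the sentence on line 3; drop that stray space. The rest of the change is just the move from the bare `[[url]]` form to `[[label>>url:...||shape="rect"]]`, which is fine. Since the section is titled "Encrypted Passwords" and the linked article is about reversibly encrypting an EO attribute, a one-sentence caveat here would help: passwords used for login should be stored as salted one-way hashes, and reversible encryption kept for secrets the application genuinely has to read back, otherwise readers may take the linked technique as the way to store credentials.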
... ... @@ -18,53 +18,53 @@
18 18  
19 19  === The CGI adaptor application listing ===
20 20  
21 -[[http://$HOSTNAME/cgi-bin/WebObjects/]]
21 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/
22 22  
23 23  Set username and password for the application listing.
24 24  
25 25  === The web server resources listing ===
26 26  
27 -[[http://$HOSTNAME/WebObjects/]]
27 +http:~/~/$HOSTNAME/WebObjects/
28 28  
29 29  Don't allow directory browsing on your web server, otherwise users will be able to see all of your web server resources, and learn the names of all of your applications and frameworks that contain web server resources.
30 30  
31 31  === The wotaskd config page (WO >~= 4.5) ===
32 32  
33 -[[http://$HOSTNAME:1085/cgi-bin/WebObjects/wotaskd.woa/wa/woconfig]]
33 +http:~/~/$HOSTNAME:1085/cgi-bin/WebObjects/wotaskd.woa/wa/woconfig
34 34  
35 35  The port 1085 should not be allowed through the firewall.
36 36  
37 37  === The Monitor ===
38 38  
39 -[[http://$HOSTNAME/cgi-bin/WebObjects/Monitor]]
39 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/Monitor
40 40  
41 41  Monitor should be unavailable, or at least password protected.
42 42  
43 43  === The xyzzy default page ===
44 44  
45 -[[http://$HOSTNAME/cgi-bin/WebObjects/xyzzy]]
45 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/xyzzy
46 46  
47 47  The name/password for the xyzzy page should be changed.
48 48  
49 49  === The WOStatisticsStore default page ===
50 50  
51 -[[http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOStats]]
51 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOStats
52 52  
53 53  The statistics page should be protected by a password (or off).
54 54  
55 55  === The WOEventDisplay default page (WO >~= 4.5) ===
56 56  
57 -[[http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOEventDisplay]]
57 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOEventDisplay
58 58  
59 59  The events page should be be protected by a password (or off).
60 60  
61 61  === The WOEventSetup default page ===
62 62  
63 -[[http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOEventSetup]]. See [[EventCenterConcepts>>http://developer.apple.com/legacy/mac/library/documentation/DeveloperTools/Reference/WO541Reference/com/webobjects/eocontrol/concepts/EOEventCenterConcepts.html]]
63 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/WOEventSetup. See [[EventCenterConcepts>>url:http://developer.apple.com/legacy/mac/library/documentation/DeveloperTools/Reference/WO541Reference/com/webobjects/eocontrol/concepts/EOEventCenterConcepts.html||shape="rect"]]
64 64  
65 65  === You can invoke a WOComponent directly if you know its name ===
66 66  
67 -[[http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wo/$COMPONENTNAME.wo]]
67 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wo/$COMPONENTNAME.wo
68 68  
69 69  This can be used to navigate a site in ways not otherwise explictly allowed. In addition, a number of WOComponents with well-known names are included in the WebObjects frameworks, and are thus accessible in any WebObjects application.
70 70  
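Review bot: converting every `[[http://$HOSTNAME/...]]` link into escaped plain text `http:~/~/$HOSTNAME/...` is the right call, because `$HOSTNAME`, `$APPNAME` and `$COMPONENTNAME` are placeholders and can never resolve as real links; but on line 63 the trailing `.` is still glued to the URL before `See [[EventCenterConcepts...`, so add a space after the period (or end the URL before it) so the placeholder does not read as ending in `WOEventSetup.`. While these lines are being edited, two typos in the unchanged context are worth fixing in the same save: `should be be protected` on line 59 and `explictly` on line 69.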
... ... @@ -72,11 +72,11 @@
72 72  
73 73  === You can invoke a DirectAction if you know its name ===
74 74  
75 -[[http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/$DIRECTACTIONNAME]]
76 -[[http://$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/$DIRECTACTIONCLASSNAME/$DIRECTACTIONNAME]]
75 +http:~/~/$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/$DIRECTACTIONNAME
76 + http:~/~/$HOSTNAME/cgi-bin/WebObjects/$APPNAME.woa/wa/$DIRECTACTIONCLASSNAME/$DIRECTACTIONNAME
77 77  
78 78  If someone has access to your application, then he can call any direct action he wants by using the URL above. If the DirectAction name exists, it will be called. If it does not exist, an error is thrown (which should be caught). A DirectAction that should not be randomly accessed should be secured.
79 -If your application displays user-entered text into the HTML stream, it may be possible for them to insert a <WEBOBJECT>; tag to display a component that otherwise wouldn't be displayed.
79 + If your application displays user-entered text into the HTML stream, it may be possible for them to insert a <WEBOBJECT>; tag to display a component that otherwise wouldn't be displayed.
80 80  
81 81  This is tricky - the attacker would need to know the name of an existing webobject, and even then they wouldn't be able to override the parameters in the binding (.wod) file.
82 82  
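Review bot: both `+` lines in this hunk (76 and 79) gain a leading space that the corresponding `-` lines did not have, and on line 79 the literal `<WEBOBJECT>;` carries a stray `;` in both the old and the new text (it looks like a leftover from an unconverted `&gt;` entity); fix both while the lines are open. On substance, line 78 says a direct action that should not be randomly accessed "should be secured" but does not say where. Because dispatch is purely by name, the check belongs in one place that every action passes through, for example an override of `performActionNamed(String)` on the WODirectAction subclass that verifies the caller's session or credentials before delegating to `super`, rather than a per-method check that is easy to forget when the next action is added.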
... ... @@ -91,8 +91,8 @@
91 91  * If you use the file upload component make sure you have the web server configured to disallow uploads over a certain size, otherwise your web/app server/adaptor/application can easily be denial-of-serviced (verb?) by uploading a large block of data.
92 92  * If you implement user/password security at the application level - eg, by having a login panel on the Main page - consider overriding a global part of the request handling (such as session.appendToResponse) to check it's set on every request. Otherwise it's just too easy to sneak into your app via an accidental backdoor.
93 93  * You can use web server authentication and check the headers on every request in somewhere like application.handleRequest - that way no unauthorised request can ever get processed by your app. If you want to be really careful, you could recompile the Adaptor to check these headers and not even pass the request to the applications.
94 -Don't forget about the security implications of any direct actions you may have available in your application.
94 + Don't forget about the security implications of any direct actions you may have available in your application.
95 95  
96 96  You probably also want to check that your application server(s) and your database server's service ports are not open to the public internet. Normally, you only need 80 and 443 to the web server as the only communication (there are exceptions: You might want to allow 22 as well, for SSH administration,and perhaps even 21 for FTP access to some of the pages, etc.)
97 97  
98 -And all other normal server internet connection precautions... [[http://www.w3.org/Security/Faq/]]
98 +And all other normal server internet connection precautions... [[http:~~/~~/www.w3.org/Security/Faq/>>url:http://www.w3.org/Security/Faq/||shape="rect"]]
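Review bot: line 92 recommends checking the login state in `session.appendToResponse`, but that is the last phase of the request loop: by the time appendToResponse runs, takeValuesFromRequest and invokeAction have already pushed the submitted values into the page and executed the action, so an unauthenticated request still gets its action run and only the rendering is gated. Hook an earlier point, such as `Session.awake()` or the application's `dispatchRequest(WORequest)` override (line 93's "application.handleRequest" appears to mean this method), so the request is refused before any action executes. Line 96 suggests opening port 21 "for FTP access to some of the pages"; FTP sends credentials in the clear, so transferring files over the SSH port already listed (SFTP or SCP) is the safer choice and avoids exposing a second service. Finally, the new line 94 adds a leading space that the old line lacked, and since it is a plain sentence following a bullet list it should either stay a paragraph without the indent or become a fourth `*` item.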