
Open-AudIT

All times are UTC + 10 hours

PostPosted: Tue May 12, 2009 6:48 pm 
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
I don't know if it's only an issue of mine, but since SVN rev. 1161 LDAP connections aren't saved anymore to DB, although tests are OK.
Just tried to delete and create again my (single) non-secure connection, and I wasn't able to add it anymore.
Also, I have to mention that I don't like having PHP applications launch shell_exec commands from the web server (the function GetAesKey() in include_functions.php executes a 'vol c:' command): to let it run, I had to weaken security on IIS:
- added Network Service RX to the OA root
- added IUSR RX to cmd.exe.

Apart from fixing the saving issue, I'm sure that Nick will find a more secure way to let GetAesKey() run.

_________________
Edoardo

PostPosted: Tue May 12, 2009 7:35 pm 
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
[quote="ef"]Apart from fixing the saving issue, I'm sure that Nick will find a more secure way to let GetAesKey() run.[/quote]

Edoardo, I will look at the issues that you PM'ed me, but anyone is free to improve upon what I have coded. I accept your point about running shell commands, but the intention is to tie the encrypted data to the physical environment and I couldn't think of another way of achieving this.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]

PostPosted: Tue May 12, 2009 9:54 pm 
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
At line 411 of admin_config.php
[code]
<input type='checkbox' id='ldap_connection_use_ssl' onclick='CheckOpenSslStatus();'/>&nbsp;&nbsp;(requires independent configuration of OpenSSL)<br />
[/code]
onclick should run CheckOpenSslStatus(), but I don't see it among other functions in admin_config.js.

Also, the insert query in admin_config_data.php (defined starting at line 272) probably fails to write the new connection to the DB because $_GET["ldap_connection_use_ssl"] is null. As a confirmation of this, if I change line 287 to simply
[code]
'0',
[/code]
i.e., disabling LDAP over SSL, I'm able to save the new connection.

_________________
Edoardo

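The failure described in the post above (an unchecked checkbox is not sent by the browser at all, so the request value is null rather than "0") is a general input-handling problem, not just an Open-AudIT one. The following is an added example, not code from the project, of how a defender would normalise such a flag before it reaches the INSERT and bind it with a prepared statement. It assumes PHP 7+ and a mysqli connection; the table and column names (ldap_connections, name, server, port, use_ssl) and the field names other than ldap_connection_use_ssl are hypothetical.

```php
<?php
// Added example (not Open-AudIT's own code): normalise a checkbox flag before
// it reaches an INSERT. An unchecked HTML checkbox is simply absent from the
// request, so $request['ldap_connection_use_ssl'] is null instead of "0".

/**
 * Return 1 if the checkbox was submitted with a truthy value, otherwise 0.
 * Accepts the bare "on" a checkbox without a value attribute sends as well as
 * an explicit value="1". Anything else (including absence) maps to 0.
 */
function checkbox_flag(array $request, string $name): int
{
    if (!array_key_exists($name, $request)) {
        return 0;                       // unchecked: the browser sends nothing
    }
    $v = strtolower(trim((string) $request[$name]));
    return in_array($v, ['1', 'on', 'true', 'yes'], true) ? 1 : 0;
}

/**
 * Insert an LDAP connection row with a prepared statement so the flag is bound
 * as an integer and the other fields are never interpolated into the SQL.
 * Table and column names are assumptions for this example.
 */
function save_ldap_connection(mysqli $db, array $request): bool
{
    $use_ssl = checkbox_flag($request, 'ldap_connection_use_ssl');
    $name    = (string) ($request['ldap_connection_name']   ?? '');
    $server  = (string) ($request['ldap_connection_server'] ?? '');
    // Default to the LDAPS port only when SSL was actually requested.
    $port    = (int) ($request['ldap_connection_port'] ?? ($use_ssl ? 636 : 389));

    $stmt = $db->prepare(
        'INSERT INTO ldap_connections (name, server, port, use_ssl) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssii', $name, $server, $port, $use_ssl);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed requests: the second omits the checkbox entirely, as a browser
// does when it is unchecked, and must still yield 0 rather than null.
assert(checkbox_flag(['ldap_connection_use_ssl' => 'on'], 'ldap_connection_use_ssl') === 1);
assert(checkbox_flag(['ldap_connection_use_ssl' => '1'],  'ldap_connection_use_ssl') === 1);
assert(checkbox_flag([], 'ldap_connection_use_ssl') === 0);
```

The point of checkbox_flag() is that the column always receives a well-typed 0 or 1, so the query no longer depends on the browser having sent the field; the prepared statement additionally keeps the name and server strings out of the SQL text.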
PostPosted: Tue May 12, 2009 11:38 pm 
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
[quote="ef"]onclick should run CheckOpenSslStatus(), but I don't see it among other functions in admin_config.js.[/quote]

My bad, I didn't include the updated admin_config.js. It's now updated in the latest SVN.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]

PostPosted: Wed May 13, 2009 1:16 am 
Contributor

Joined: Fri Jul 28, 2006 6:30 am
Posts: 157
Location: London
OK, SVN 1163 now has better handling of failure to run shell_exec() in getAesKey(). Incidentally, the PHP directive "safe_mode_exec_dir" can be used to mitigate some of the security implications of using shell_exec(). Interesting that Apache on Windows doesn't appear to have an issue with shell_exec(), but IIS does (at least on my test box that's the case). Not sure why this is.

_________________
Cheers, Nick.

[size=85]OA Server: Windows Server 2003 / Apache 2
Auditing: 1600 Workstations, 200 Servers
OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista
LDAP: Active Directory[/size]

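The thread's underlying design question is how to bind the encrypted credentials to the host without having the web server spawn cmd.exe. The block below is an added example, not Open-AudIT's GetAesKey() and not its 'vol c:' approach: it derives the key from a host identifier PHP can read in-process (gethostname()) mixed with a random per-install secret kept in a file outside the web root. It assumes PHP 7+ with the OpenSSL extension; the secret-file path is a hypothetical placeholder.

```php
<?php
// Added example (not Open-AudIT's GetAesKey()): derive a host-bound key
// without shell_exec(). The key depends on (a) a random secret written once
// at install time to a file only the web server account can read and (b) the
// hostname read in-process, so no cmd.exe, no IIS ACL changes.
// The path is an assumption for this example.

const AES_KEY_FILE = '/etc/open-audit/install.secret'; // hypothetical, outside the web root

/** Read the per-install secret, creating it on first use with 0600 permissions. */
function install_secret(string $path = AES_KEY_FILE): string
{
    if (!is_file($path)) {
        $secret = bin2hex(random_bytes(32));
        if (file_put_contents($path, $secret, LOCK_EX) === false) {
            throw new RuntimeException("cannot write secret to $path");
        }
        chmod($path, 0600); // on Windows, set an NTFS ACL for the app-pool identity instead
    }
    return trim((string) file_get_contents($path));
}

/**
 * Derive a 256-bit key from the install secret and a host identifier.
 * Copying the database to another host yields a different key, which is the
 * "tie to the physical environment" property discussed in the thread.
 */
function get_aes_key(string $host = null): string
{
    $host = $host ?? gethostname();
    return hash_hmac('sha256', 'open-audit-credential-key|' . $host, install_secret(), true);
}

/** Encrypt a credential with AES-256-CBC; the random IV is prepended to the ciphertext. */
function encrypt_credential(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

/** Reverse of encrypt_credential(); fails closed if the key or data is wrong. */
function decrypt_credential(string $blob, string $key): string
{
    $raw   = base64_decode($blob, true);
    $ivlen = openssl_cipher_iv_length('aes-256-cbc');
    if ($raw === false || strlen($raw) <= $ivlen) {
        throw new RuntimeException('malformed ciphertext');
    }
    $plain = openssl_decrypt(substr($raw, $ivlen), 'aes-256-cbc', $key,
                             OPENSSL_RAW_DATA, substr($raw, 0, $ivlen));
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

// Constructed round trip using an explicit hostname so the result does not
// depend on the machine running the example.
$key  = get_aes_key('oa-server-01');
$blob = encrypt_credential('ldap-bind-password', $key);
assert(decrypt_credential($blob, $key) === 'ldap-bind-password');
```

Two caveats a practitioner would want: CBC without a MAC gives confidentiality only, so on PHP 7.1+ aes-256-gcm (or an HMAC over the blob) is the better choice when the ciphertext can be modified by an attacker with database access; and the secret file is now the thing to protect, so it must not be readable by the anonymous IIS identity or be backed up together with the database it protects.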
PostPosted: Wed May 13, 2009 3:43 am 
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Fine, I will test it tomorrow morning: it's better for me to have the credentials in my local DB encrypted with a weak password than to let the web service run cmd.exe.
Regarding shell_exec, the apache.exe/httpd.exe processes probably run in a security context with enough privileges to run cmd.exe; IIS 6 Application Pools, instead, run as the least-privileged Network Service (hidden) built-in account, and anonymous web requests are impersonated by IIS using the IUSR_machinename account (a member of the Guests group). So, at least in this case, we can say that IIS is by default more secure than Apache.
Thank you for your efforts.

_________________
Edoardo

PostPosted: Wed May 13, 2009 5:12 pm 
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
OK, it works fine for me.

_________________
Edoardo
