[thelist] Are there any security leaks of HTC's

VOLKAN ÖZÇELİK volkan.ozcelik at gmail.com
Wed Jun 1 15:42:44 CDT 2005 

Actually what I meant is different. I could't fully express it, sorry.

Let me start step by step.

1. we use HTC's as a means of async connection to server.
2. only authanticated users can use those htcs, if the user does not
provide correct
credentials, he is redirected to a "session closed - reason undefined"
sort of page.
3.
Here is our general framework.

user  ->*  JSP   -> HTC  ->  Servlet  -> EJB  ->*  Database

legend:
-> indicates a call being made. (no authentication)
->* this connection requires authentication. either an exception thrown or user
is redirected to another page if credentials are invalid (we use a
user object stored as a session variable for authentication, username
password is requsted only once)

So we check user integrity at two points.
1. user calling the jsp
2. the EJB requsting data from DB (i.e. each request to db is authenticated)

Now the interesting part:

Yesterday we have been seriously *hacked*.
(A critical table has been "dropped")

Our router does not have a log program, so we cannot find after which
HTTP connections this had happend. (we plan to install one ASAP).

We just know the time of hack. And we are sure that it is not a threat
from inside.
(At that time only our DBA and a colleague was at the building, they detected
the table being dropped totally by change)

We have declared red alam, investigate and suspect everyting.

More;

The guy(or gal I don't know) at least knows database well
(he killed 5-6 processes running before dropping the table)
He detected the only user account with the sa role (and impersonated to use it)
(yes I know it's a BIG BIG BIG SECURITY MISTAKE, and it's fixed forever.)
Telnetting will be refused by pix(the firewall). Remote connection is
disabled etc.
The only open port to outside world is HTTP 80. 
So we highly suspect that it's through the web interface. 

I suspect that s/he sniffed the connection to get user&pass. The
credentials are sent
through HTTP post with no encryption.

And I suspect it can be due a hack using the HTC.

Let me go back to the chart:

user ->*(1)  JSP   ->(2) HTC  ->(3)  Servlet ->(4) EJB ->*(5)  Database

If the user finds a way to directly communiacate with the HTC
while keeping the session open after authenticating at step 1(assuming
that he has stolen the sa password): He can send any SQL call to the
servlet
(it's somewhat more complex, but theoretically possible, I'll not go
to details to deviate from the topic.)

Sorry for this much introduction.

In conclusion I have two basic questions:

1. is it possible (with a tool, with a hack, by using a security leak
etc) to communicate directly to the HTC file, bypassing the browser;
and without losing the browser session.

2. We play with money. 
So
* Shall we install SSL to the login process.
or
* Shall we install SSL throughout the entire process to secure our connection.

3. Shall I blame the DBA of hacking the system :) (since she was there
at that time)

The management set me and 3 other colleagues responsible for the
security policy and I have to quickly and proactively decide and
implement things, before the naughty guy strikes us back again.

Your responses are really and highly appreciated.

Thank you,
Volkan.



On 6/1/05, Mark Groen <markgroen at gmail.com> wrote:
> ----- Original Message -----
> From: "VOLKAN ÖZÇELIK" <>
> To: <thelist at lists.evolt.org>
> Sent: Wednesday, June 01, 2005 9:04 AM
> Subject: [thelist] Are there any security leaks of HTC's
> 
> 
> Hi everyone,
> 
> Do you have any web site / reference on the security leaks of
> Microsoft's (sigh) "HTC components" ?
> 
> I've googled around but couldn't find any satisfactory answer.
> 
> Are there / have you experienced any security leaks (I've heard that
> there are, but cannot find anything) or are they innoncent ?
> 
> You may be googling for the wrong term as htc is used for a lot of acronyms.
> Try DHTML security instead.
> 
> (February 15, 2005)
> http://www.microsoft.com/technet/security/Bulletin/MS05-013.mspx
> 
> For myself, I keep up with the patches from M$, (still using Win98,
> happily), so javascript holes aren't a concern. Some clients want their
> png's and hovers to work, and htc gives you access through javascript to css
> behaviors and image filtering that you can't get otherwise for IE.
> 
> I'm thinking the answer is: yes, if you aren't patched and using IE then you
> could be abused.
> 
> hth!
> 
> cheers,
> 
>        Mark
> 
> --
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !
>

More information about the thelist mailing list