
November 22nd, 2010 12:00

Is it safe to use the web portal on the internet?

Today I was attended by one of our web developers. He took a look at the source code of the vWorkspace portal.

He said he was shocked to see that the login page contained so much extra information.

He could adjust all kinds of settings using JavaScript. He also saw some interesting things about changing passwords and lots of other stuff that could attract hackers.

All this without being logged in. So any guest internet user could do this.

You would expect a web portal, that is connected to the internet, to provide only a very basic login page without any other things that can be changed.

A normal user wouldn't care, but hackers do like this information. If a hacker sees Java code to change passwords, that is something he would give a closer look.

So my question is: Is it really safe to use the web portal on the internet without being hacked?


December 1st, 2010 07:00

Hello Patrick,

I think you miss my point, and maybe that even scares me more.

There is nothing wrong with the topology. Sure, all ports are closed, SSL is being used and they can only come in on port 443. The weakest link here is that there is too much information in the public login page. Inside the HTML source you can see all kinds of input boxes, password dialogs and settings. A hacker can use these to try some SQL injection methods or buffer overruns or other exploits. Maybe the code prevents this, maybe not, but you shouldn't give away so much information to possible hackers.

If a developer forgets to check one of the (hidden) input boxes, a hacker may find nice things to do with that. Now, I'm sure the default username/password boxes are checked for all well-known exploits, but because you present so much information in the HTML source, he may also try the change password function. It's completely in the source, even if we disable this function.

Our conclusion: The web portal needs some code cleanups. It's currently not safe, or at least gives away too much information for possible exploits/hacks.
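The risk described in this reply, as an added example that is not vWorkspace/Quest code: a toy request handler that dispatches on form fields exactly as the HTML presents them, beside one that enforces session state and feature flags on the server. All users, passwords and form data are constructed sample values.

```python
# Added example (not vWorkspace/Quest code): a toy portal request handler that
# contrasts trusting what the login page's HTML exposes with enforcing state
# and feature flags on the server. Users and passwords are constructed data.
import hmac
from dataclasses import dataclass

@dataclass
class Session:
    user: str = ""
    authenticated: bool = False

@dataclass
class Portal:
    users: dict                           # username -> password (sample data)
    change_password_enabled: bool = True  # the "disable this function" switch

def login(portal, session, form):
    pw = portal.users.get(form.get("username", ""), "")
    if pw and hmac.compare_digest(pw, form.get("password", "")):
        session.user, session.authenticated = form["username"], True
        return 200, "logged in"
    return 401, "bad credentials"

def vulnerable_handle(portal, session, form):
    """Dispatches on the 'action' field present in the page and never checks
    the session: every dialog that exists in the HTML is reachable by an
    anonymous visitor, whether or not it is 'disabled' in the UI."""
    action = form.get("action", "login")
    if action == "login":
        return login(portal, session, form)
    if action == "change_password":
        portal.users[form["username"]] = form["new_password"]   # trusts form
        return 200, "password changed"
    return 400, "unknown action"

PRE_AUTH_ACTIONS = {"login"}

def hardened_handle(portal, session, form):
    """Same actions, but the server decides: only 'login' before
    authentication, the feature flag is enforced here, and the target
    account comes from the session rather than from a form field."""
    action = form.get("action", "login")
    if not session.authenticated and action not in PRE_AUTH_ACTIONS:
        return 401, "authentication required"
    if action == "login":
        return login(portal, session, form)
    if action == "change_password":
        if not portal.change_password_enabled:
            return 403, "function disabled"
        current = portal.users[session.user]
        if not hmac.compare_digest(current, form.get("current_password", "")):
            return 403, "current password required"
        portal.users[session.user] = form["new_password"]
        return 200, "password changed"
    return 400, "unknown action"
```

The point is that removing the dialog from the HTML is cosmetic; the check that matters is the one in the handler, which must not depend on what the page shows.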


November 25th, 2010 20:00

Hi,

I share your sentiments!

Web Portal currently has a lot of bugs and kinks, but as far as I know a (tighter integrated?) replacement is in the works...

at least I hope so!


November 29th, 2010 06:00

Do you mean Web Access or are you using SSL gateway?

If you are not using SSL gateway then at least force your Web Access site to use HTTPS. As long as you do that, then at least all your communication to the web server is secure. The PIT connection file is encrypted (and time limited) so there is no risk there.

Quest do have a re-write of the Web Access service on their roadmap (cannot be guaranteed though) so perhaps they will take feedback like this for that re-write development. The application is very heavy in what it does, lots of GET requests to the image files, so you need to be 'creative' with caching options.

November 30th, 2010 01:00

Hello René,

Like Mike has mentioned, do you have your Web Access directly exposed to the internet? Or do you have Quest Secure-IT implemented?


November 30th, 2010 06:00

We are using Web Access with Secure-IT SSL and two-way authentication (of course).

The session itself is not the problem. The problem is the web page. As a guest internet user you can see too many things in the HTML source, like a complete password change dialog. And a way to change settings.

This may or may not be secured on the back-end, I don't know, but it is just not wise to give away so much information to possible hackers. You should only present the absolute minimum to log in. After that, you can do all the fancy stuff.

November 30th, 2010 14:00

Rene, what is it you fear an end user could access? If you have Secure-IT front-ending a Web Access VM, the only thing they have direct access to is port 443 on the Secure-IT box. From there the Secure-IT machine will access the IIS Server on your behalf. Without authenticating, you don't have access to anything.

Both Citrix and Quest have been using this topology for many years and this is accepted by companies all over the world. Some banks implement a double-hop DMZ, but that is pretty rare.

I personally would not do anything to change the default install of Web Access or Secure Gateway (as far as security goes), as these installations have security certifications and altering them because you "think" you're making it more secure will just cause you upgrade problems.


February 24th, 2011 09:00

Another warning about the web interface:

If you are using 2-factor authentication and think you are safe, don't forget to protect the admin interface!

The admin interface can be accessed by using username/login. So you protected the user login with 2FA, but forgot the most important part: the admin interface.

Hackers could brute-force this and once they get in, disable 2FA.
