WebApp Sec mailing list archives
Re: Deface a web site
From: Rafael San Miguel Carrasco <smcsoc () yahoo es>
Date: Thu, 09 Dec 2004 21:17:49 +0100
Leung, Annie LDB:EX wrote:
I don't understand this. Apache has its own authentication scheme for web users. I hope you mean thatHi list members, The scenario is that a web site is running in a Windows 2000 machine with Oracle web/application server environment (Apache-based), J2EE, HTML. The web application is deployed by logged in using the administrator account
Apache is running with admin privileges.
If Apache is running with admin privileges, the following techniques will have greater impact:(cloned from the original). That implies the web application runs with admin privileges, right? Database and authentication details are in other servers. Q1: What are the risks for a web application running with admin privileges?
- stealth commanding - directory transversal - file disclosureas the attacker will be able to access files and execute commands allowed only to root.
If the application authenticates itslef as an admin to the database server, SQL injection will be much more dangerous than if a normal user account with restricted privileges is used.
How the pages are coded influences the presence or absence of vulnerabilities. If Apache is running as admin, those vulnerabilities will introduce even more risk to the overall architecture.Q2: In this scenario, is it easier or no difference when trying to deface a web site? Is it really depending on how the pages are coded?
Hope this helps. ------------------------------- Rafael San Miguel Carrasco Consultor Técnico rafael.sanmiguel () dvc es + 34 660 856 647 + 34 902 464 546 Davinci Consulting - www.dvc.es Oficina Madrid - Parque empresarial Alvento Via de los Poblados 1 Edificio A 6ª planta 28033 Madrid -------------------------------
Current thread:
- Deface a web site Leung, Annie LDB:EX (Dec 08)
- Re: Deface a web site Rafael San Miguel Carrasco (Dec 14)