I hit a nice security exploit on our web server


While explaining how sockets work to one of my developers, I realized something – it would be really easy to gain access to our intranet from outside the building with just a simple change to the system’s /etc/hosts file. Our intranet is set up pretty far from ideally, and still runs on the same server that our external website is running off (which in itself is a huge no no that needs to be addressed, soon). Due to this, all external requests hit the same server as the internal requests, and adjusting the /etc/hosts file can let you forge a hostname for anything and send the request to our server.

This potential breach could be combined with other types of exploits to gain access to our client control systems from outside the building. The simple solution was a modification to the vhost file for the intranet site. I simply added this directive to the <VirtualHost> node:

<Directory "/var/www/admin">
    Order deny,allow
    Deny from all
    Allow from 192.168.0
</Directory>

This prevent any requests from being handled unless the IP address is 192.168.0.*, which limits allowable requests to just those on the LAN in the building.

Of course, this is only a bandaid that addresses one symptom of the problem rather than the real issue – our intranet should be located on a different server. I would like to do some work to move the intranet and mysql database to a single server that is completely inaccessible from outside the building, and use our current web / db server to just host the externally accessible website. I already have the green light to get another server, so it is just a matter of taking a Saturday to implement these changes.

  1. No comments yet.
(will not be published)