Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How do I prevent access to JBoss configuration files?

Posted on 2010-11-12
6
741 Views
Last Modified: 2012-06-21
The company I work for has an application that allows users to view files (PDF's etc).  There is a bug in it that our security audit discovered that allows someone to enter something like ../../datasource-ds.xml   and view the contents of the config files.

This is being fixed by our developers, but I'd like to make sure that the vulnerability doesn't exist in some other way.  How can I lock down the conf and deploy directories so that no one else can do this?  I'm still relatively new to JBoss and could use some help locking things down.

Would putting an .htaccess file in the conf and deploy directories be enough to keep people out of them without impacting application functionality?  

Any suggestions would be appreciated.
0
Comment
Question by:alphawiz1
  • 3
  • 3
6 Comments
 
LVL 63

Expert Comment

by:btan
ID: 34126385
I see it as protecting SOA type. See this article that sums up in general security approach
@ http://soa.sys-con.com/node/232071

For example, this is one real vulnerability due to no authentication, no password or default password in console and mgmt. Actually applicable for other domain in network and web services
@ http://www.articlesbase.com/security-articles/exploitation-and-remediation-of-jboss-application-server-default-configuration-vulnerability-1889469.html

For .htaccess file, I understand that only the lowest .htaccess file along the path affects access; clients can skip over protected directories if they know the URL to lesser protected directories below there. But it is better than direct access w/o authentication. Need to plan for segregation based on the risk appetite of the files or document. In general top level directories are left public and have no ".htaccess" file, while some lower directories might be restricted. Two level of protection might be employed, for example there might be a set of documents that is protected for specific group of hosts only, with one subdirectory inside that also requiring a password to be supplied, to further limit access.

Not full proof though but layer of defense should be in place to secure the appl server as in the article shared above.

Application wise, if possible, should relook at establishing deployment roles to define the logical security view of an application. Only authenticated groups should have access and have audit enabled to track. See 8.1.3 (ref link
Ref: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html) for a start.
0
 
LVL 63

Expert Comment

by:btan
ID: 34126391
This link would be of interest, related to the roles and authentication/authorisation mentioned
@ http://www.packtpub.com/article/user-security-access-control-in-jboss-portals
0
 

Author Comment

by:alphawiz1
ID: 34136239
The authentication, and default passwords have already been changed.  This was primarily a concern about protecting the JBoss config files from being accessible.  

The primary cause of their accessibility was a lack of security logic in the servlet, but it started me thinking about someone being able to gain access to the config files in other ways.  I wanted to lock things down as best I could.  

It wasn't exactly the answer I was looking for, but thank you for the articles.  They were helpful in verifying what I'd already done. :)
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 34152690
I may be into Jboss but fundamentally to mitigate exposure, logging (esp for investigative purposes) and disabling of remote access and unnecessary ports is essential. At the same time is the role based authorization scheme for the access to server files. Below links may be of interest.

http://java.dzone.com/articles/configuring-logging-jboss
http://www.eu-sol.net/science/bioinformatics/tutorials/secure-biomoby-web-services/authentication-in-jboss
http://www.huihoo.org/jboss/online_manual/3.0/ch11s03.html

At times, there are worries of defacement and tampering of the files, hence tripwire solution may be considered for tracking who is the culprit etc @ http://www.tripwire.com/
 
0
 

Author Comment

by:alphawiz1
ID: 34197045
Wasn't really the solution I was looking for, but you get the points for the effort. :)
0
 

Author Closing Comment

by:alphawiz1
ID: 34197053
Wasn't exactly the solution I was looking for.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Exploits in Kali Linux 4 377
Botnet C&C DNS response Malicious Traffic 28 285
Security, hackers 10 128
4 Android flaws that leave 900M devices at Risk 7 78
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question