Do I have to secure requests already secured by permissions? - security

I have an admin website where every URL requires some level of permissions. One of these URLs is for deleting a user's folder via SSH (on a different machine). An admin with the required rights for this URL also has access to all information about every user (except GDPR-restricted data). Basically, it's a kind of superadmin. This admin POSTs a username which is part of the path used in the SSH shell command (vulnerability). My colleague recently pointed out that the permission is not enough and the input should be secured (e.g. with a regexp) as well, even for an admin. Is that really necessary? Should we count on a scenario where an admin (with rights to delete all users' folders) wants to hack the virtual machine?
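The pattern the question describes, next to a hardened version, as an added example in Python (the post does not say what language the admin site is written in, so this is illustration, not the poster's code). The storage host, the folder root and the username allowlist are assumptions.

```python
import re
import shlex
import subprocess

# Constructed values, not from the post: the host that holds the user folders
# and the directory they live in.
STORAGE_HOST = "storage.example.internal"
USER_HOME_ROOT = "/srv/userdata"

# Allowlist for usernames (assumed policy): a lowercase letter first, then up
# to 31 more characters drawn from letters, digits, '_' and '-'. Nothing else.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


def vulnerable_delete_cmd(username: str) -> str:
    """The pattern the question describes: the POSTed username is pasted into a
    shell command string. Run with shell=True (or handed to ssh as one string),
    "bob; id" stops being a folder name and becomes a second command."""
    return f"ssh {STORAGE_HOST} rm -rf {USER_HOME_ROOT}/{username}"


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def hardened_delete_argv(username: str) -> list:
    """Validate first, then build an argument vector.

    Two independent layers, each stopping something the other does not:
      * the allowlist rejects shell metacharacters AND path components such as
        "../", which no amount of quoting would stop;
      * shlex.quote protects the argument on the remote side, because ssh joins
        its trailing arguments into one string for the remote login shell even
        when no local shell is involved.
    """
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    remote_path = f"{USER_HOME_ROOT}/{username}"
    return ["ssh", STORAGE_HOST, "rm", "-rf", "--", shlex.quote(remote_path)]


def delete_user_folder(username: str, run=subprocess.run) -> None:
    """Execute without a local shell: argv goes straight to execve."""
    run(hardened_delete_argv(username), check=True)


if __name__ == "__main__":
    print(vulnerable_delete_cmd("bob; id"))   # the injected "id" would run remotely
    print(hardened_delete_argv("bob"))
    for bad in ("bob; id", "../etc", "Bob", ""):
        try:
            hardened_delete_argv(bad)
        except ValueError as exc:
            print(exc)
```

The point of the two layers: quoting alone would still let "../../etc" through as a perfectly well-quoted path, and the allowlist alone does nothing if someone later changes the call back to a shell string. The permission check decides whether the admin may delete folders; it says nothing about whether the admin may run arbitrary commands as the SSH user on the storage machine, which is a different privilege.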

Related

Is it possible to forward ldap authorization from a web portal cgi form to a directory in apache

I'm working on a web portal where a user is authenticated by LDAP through a Perl CGI form. The authentication process uses the Net::LDAPS module. When logged in, the system keeps the user's authenticated status and creates a CGI cookie, and the user can perform various actions through the portal, mostly interactions with a database, until the user logs out.
On the same server there's a directory with some files. I want a user to be able to log in to the web portal and then browse the file directory and be able to download those files.
The simplest way I can think of is placing an htaccess file with "Options +Indexes" and ldap authentication into the directory, but that would require another login that's not linked with the web portal.
Is there a way to link the web portal cgi-based ldap authentication to htaccess file?
You mention that the user can log out and then no longer use the portal. But there is no portable way of logging out a user with basic authentication. They will be able to continue browsing the directories.
Instead of your CGI script that authenticates the user, you can simply configure LDAP authentication for both the data directories and the portal. Ugly, but it would work.
The better and cleaner option for you will be to provide access to the data directories not directly but through the portal only. If you use Apache's path info feature (https://httpd.apache.org/docs/2.4/de/mod/core.html#acceptpathinfo) you don't even have to bother about checking the path for malicious "../../.." constructs and the URIs will look very natural to your users.

Get authenticated user's groups from Active Directory in Node

We were asked to move our NodeJS app to run under IIS (Windows Server 2012R2) and integrate with an existing Active Directory. We were requested to remove the login page, and instead use Windows Authentication to get the (already authenticated) user's ID, and then use the groups he/she belongs to, to control their authorization level within the app.
I've installed iisnode to run my app under IIS, and figured I'll use either passport-windowsauth, or node-activedirectory to get the group membership. However, both require user/password to authenticate the user. My user is already authenticated, and I have no access to his password (nor should I).
How do I go about getting an authenticated user's groups from Active Directory?
Here's what I have so far:
Installed and configured iisnode
Enabled Windows Authentication for the web app
Added this to web.config: <iisnode promoteServerVars="AUTH_USER,AUTH_TYPE" />
In my index.js file, I can then console.log(req.headers['x-iisnode-auth_user']); and get the correct user name - but I don't know how to proceed from here to getting his/her groups
Under no circumstances do I want to re-ask the user for his/her password
Well, seems like no one is interested in looking at this question :). I'm assuming IIS + Node.js + Active Directory is an edge case.
Here's how I ended up solving this one:
Add a special user to the Active Directory that can only be logged into from the IIS machine (bonus: limit the IP/process/access of that user).
Add the AD details, user name, and password to a config.json file (see snippet).
Make sure you add the file to .gitignore so it won't end up in repo.
Use node-ActiveDirectory to first sign in as the user from step 1, and then ask for the groups of the logged in user (see snippet).
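The snippet the answer refers to is not on the page. As an added example in Python (not the poster's Node code), here is the part of that lookup a practitioner should get right whichever library performs the search: the account name taken from the x-iisnode-auth_user header must be escaped before it goes into the LDAP search filter, and group names must be parsed out of memberOf DNs properly. The sample entry is constructed.

```python
import re
from typing import Dict, List

# RFC 4515: characters that have meaning inside a search filter and must be
# written as backslash + two hex digits when they appear in a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_name(auth_user: str) -> str:
    """IIS hands Windows Authentication users over as DOMAIN\\user; tolerate
    user@domain too. Only the account part goes into sAMAccountName."""
    if "\\" in auth_user:
        return auth_user.rsplit("\\", 1)[1]
    if "@" in auth_user:
        return auth_user.split("@", 1)[0]
    return auth_user


def group_lookup_filter(auth_user: str) -> str:
    """Filter the service account from step 1 would search with. The header
    value is authenticated by IIS, but it is still not trusted for filter
    syntax: without escaping, a name containing ")(" rewrites the query."""
    sam = escape_filter_value(account_name(auth_user))
    return f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={sam}))"


# First RDN of a DN: "CN=" followed by either an escaped character or any
# character that is not an unescaped comma.
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def group_names(entry: Dict[str, List[str]]) -> List[str]:
    """Extract group CNs from the entry's memberOf DNs. A comma inside a CN is
    escaped as "\\," in the DN, so a plain split(",") would cut such names in half."""
    names = []
    for dn in entry.get("memberOf", []):
        m = _CN_RE.match(dn)
        if m:
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


# Constructed sample of what the search could return for one user (not real data).
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "memberOf": [
        "CN=App Admins,OU=Groups,DC=corp,DC=example",
        "CN=Finance\\, Reporting,OU=Groups,DC=corp,DC=example",
    ],
}

if __name__ == "__main__":
    print(group_lookup_filter("CORP\\jdoe"))
    print(group_lookup_filter("CORP\\jdoe)(sAMAccountName=*"))  # escaped, not injected
    print(group_names(SAMPLE_ENTRY))
```

Two caveats that go with the answer's approach: the service account only needs read access to the directory, so give it nothing more; and memberOf lists direct memberships only (it is not transitive and omits the user's primary group), so authorization rules built on it should not assume nested groups are included.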

Propagate user access right from an authentication web page to other html only web pages on the server?

I want to create a web page that will serve to authenticate users based on credentials I give them (user1, pswd1, etc.).
Only after a user has authenticated should he have access to a few other web sites,
in different folders of the web server, which have no server-side code (otherwise it would be simple).
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open in his browser.
The purpose is that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I were to develop such a mechanism on Apache, I could, for example, have the authentication site's PHP code add a line "Allow from ip" to the htaccess file of each target web folder whenever a user authenticated successfully.
The issue is that I don't want to develop it, as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although I can live with two different solutions).
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called OpenID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.
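The gateway pattern that both the Apache/LDAP answer above (serve the data directories through the portal, not directly) and the routing idea in this question describe, as an added example in Python rather than the Perl or PHP of the posts. The directory layout, the secret and the token format are assumptions; what it shows is the two checks such a gateway needs: a server-signed, expiring session token so the user authenticates once a day, and containment of the requested path under the protected root so that site1 is reachable only through the gate and "../" cannot walk out of it.

```python
import hashlib
import hmac
import posixpath
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Constructed layout (assumptions, not from either post): the protected sites
# live outside the web root so the web server cannot hand them out directly;
# the portal is the only thing that reads from here.
SITES_ROOT = PurePosixPath("/srv/protected-sites")
SECRET_KEY = b"replace-me-load-from-server-side-config"  # assumption: real key comes from config
SESSION_TTL = 24 * 3600                                  # the "once a day" requirement


def issue_token(user: str, now: float) -> str:
    """Signed, expiring token handed out after the login step succeeds. It can
    travel as a cookie or as a query parameter; only the server can mint one."""
    exp = int(now) + SESSION_TTL
    payload = f"{user}:{exp}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the user name if the signature is valid and the token is unexpired."""
    try:
        user, exp_s, sig = token.rsplit(":", 2)
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{user}:{exp_s}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= exp:
        return None
    return user


def resolve_site_path(path_info: str, root: PurePosixPath = SITES_ROOT) -> PurePosixPath:
    """Map the PATH_INFO of http://mysite/site1/... onto a file under root.

    normpath collapses "." and ".." lexically, so "site1/../../etc/passwd"
    becomes "/srv/etc/passwd" and fails the containment test instead of
    escaping. On a real filesystem also apply os.path.realpath before serving,
    so that a symlink planted inside root cannot point outside it.
    """
    if "\x00" in path_info:
        raise PermissionError("NUL byte in path")
    joined = posixpath.normpath(posixpath.join(str(root), path_info.lstrip("/")))
    target = PurePosixPath(joined)
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes {root}: {path_info!r}")
    return target


def gate(path_info: str, token: Optional[str], now: float) -> Tuple[int, str]:
    """The routing step: no valid session -> 302 to the login page;
    valid session -> 200 with the file to serve, or 403 if the path misbehaves."""
    user = verify_token(token, now) if token else None
    if user is None:
        return 302, "/portal/login.php"
    try:
        return 200, str(resolve_site_path(path_info))
    except PermissionError:
        return 403, ""


if __name__ == "__main__":
    import time
    tok = issue_token("user1", time.time())
    print(gate("site1/index.html", None, time.time()))
    print(gate("site1/index.html", tok, time.time()))
    print(gate("site1/../../etc/passwd", tok, time.time()))
```

Because the token is bound to a server-side secret and an expiry, the "no cookies" constraint can be met by carrying it in the URL the portal redirects to, at the cost of it showing up in logs and Referer headers; a cookie is the safer carrier when the browser allows it.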

deny root users on remote machines to change ldap users details

I want to prevent root users on remote machines from changing the LDAP user accounts' details and keep it permitted only to the local server's root.
Thanks
You didn't state which LDAP server, but if, as seems probable, you're using OpenLDAP, you can't stop root users from doing anything. You shouldn't have root users. The root user is for use by the server itself. Nobody else should use it. Nobody else should even know about it. You should have admin users, defined in the directory itself, and then you can specify their access rights very extensively in the slapd configuration.
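What "specify their access rights in the slapd configuration" looks like, as an added illustration in slapd.conf ACL syntax (not from the answer; the DNs and the address are assumed). The rootdn bypasses ACLs entirely, which is why the answer says to keep it out of everyone's hands; an admin entry defined inside the directory is subject to them, and a `peername.ip` clause restricts where that admin may write from:

```conf
# Passwords: the owner may change their own, anyone may bind with one,
# nobody else may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Account details: only the directory-defined admin, and only when connecting
# from the LDAP server itself (both conditions must hold), may modify them.
# Everyone else, including a root user on any remote machine, is read-only.
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=ldapadmin,dc=example,dc=com" peername.ip=127.0.0.1 write
        by * read
```

ACLs are evaluated first match wins, so the userPassword rule has to come before the broader rule; swapping the two would make passwords readable by everyone through the `by * read` line.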

How do I setup IIS 6 with anonymous access for local asp.net webforms development?

When I set up IIS6 to develop projects locally I have to enable "Integrated Windows Authentication" under directory security in order for my CSS & images to show up. (Note: I have double-checked that Network Service has rights to all directories in my web application.)
However, this often causes my browser to prompt me for a Windows login username and password when I am running the application.
Is there any way to get around entering a Windows login password all the time?
(I am using windows xp pro 64bit)
Maybe it is some problem with the Kerberos authentication to your web site. Just disable it on your site: from the c:\Inetpub\AdminScripts directory, run this command.
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
Or change the authentication to anonymous, and make sure that the user in the directory security tab (IUSR_computername) has access to said directories. It is not the application pool user who accesses files and other resources.
Well, it certainly is not as it's supposed to be!
You say you've double checked that Network Service has access to the directories. But with anonymous access, the account that needs access is the IUSR_[machinename] account. The account is specified under the Directory Security tab.
If all else fails, for local development you might as well grant everyone access to the directories.
