Displaying HTTP content in HTTPS site using a "proxy" - security

I have an https web application in which we display external content in iframes (totally customizable by the user)
Since mixed content is blocked by many browsers I do the following for HTTP content:
An iframe links to my own JSP and sends the requested url as a parameter. The JSP then creates an input stream with the url and returns the response.
BufferedReader reader = null;
URL url;
String strUrl = (String) request.getParameter("url");
try {
url = new URL(strUrl);
reader = new BufferedReader(new InputStreamReader(url.openStream(), "UTF-8"));
for (String line; (line = reader.readLine()) != null;) {
out.println(line);
}
} catch (Exception e) {
log.warn("Error on URL " + strUrl);
} finally {
if (reader != null)
try {
reader.close();
} catch (IOException ignore) {
}
}
This works very well.
The question is: Can someone explain what are the security concerns here, is this something I would want to do? (I can technically say that only HTTPS urls are supported...).
Thanks!

Yes, this is certainly a security concern. What you've created is called an 'open redirect' and it's used in phishing attacks.
An attackers can abuse the trust your users have in your website (communication signed and encrypted with your SSL certificate) to redirect them to a malicious site.
Even though, they may not be able to control the usage of this JSP on your website, they can use it in an email or website comment. See this question for more information.
You can solve this problem by maintaining the list of sites you want to convert from HTTP to HTTPS at the server side and refer to them by index or keyword, like:
https://myserver/proxy.jsp?url=site1

Related

Acumatica - PXRedirectToFileException not redirecting in 2019R2

We're currently going through upgrading and ran into an issue where we can no longer redirect a user to one of our files. We've tried all of the different redirect methods, but for example purposes this is the easiest to show. If you use the below action and feed it a file it does nothing. However, if you change the "false" to "true" (for forcedownload) it will indeed download the file. This reinforces what we have seen with the other redirect methods. The system will not let you redirect to a URL that has .ashx in the url.
Is this an intentional change or is this a bug? We tried both 19.205.0023 and 19.207.0026
Thanks for your help =)
public PXAction<UsrDesign> viewFile;
[PXUIField(DisplayName = "View File")]
[PXButton()]
protected virtual void ViewFile ()
{
string fileName = Design.Current.ProofFile; // whatever file you want, in our case it comes from custom screen
UploadFile uploadFile = PXSelect<UploadFile, Where<UploadFile.name, Equal<Required<UploadFile.name>>>>.Select(this, fileName);
UploadFileMaintenance fileGraph = PXGraph.CreateInstance<UploadFileMaintenance>();
var file = fileGraph.GetFile((Guid)uploadFile.FileID);
throw new PXRedirectToFileException(file, false);
}

How to download documents from liferay from outside application ..using liferay jsonws or any other way

Hi i am using liferay/api/secure/jsonws services to upload documents, getting documents, from a outside application , in the same way i want to download the documents also, i checked my liferay jsonws , there is no method or service which i can use for download , or i don't know about it , please suggest me a way to download documents from outside application , by using jsonws or any other way is also fine.
Edit after i got to know how to download document.
Hi I tried to download liferay document from outside application by using getURl, but every time for all document i am getting liferay login page content
i have already tried get-file-as-stream json-rpc call but that also giving me null response
the code which i have used is:
final HttpHost targetHost = new HttpHost(hostname.trim());
System.out.println(targetHost.getHostName());
UsernamePasswordCredentials creds = new UsernamePasswordCredentials(username, password);
System.out.println(creds);
final AuthScope authscope = new AuthScope(targetHost);
httpclient.getCredentialsProvider().setCredentials(authscope, creds);
final AuthCache authCache = new BasicAuthCache();
final BasicScheme basicAuth = new BasicScheme();
authCache.put(targetHost, basicAuth);
final BasicHttpContext localContext = new BasicHttpContext();
localContext.setAttribute(ClientContext.AUTH_CACHE, authCache);
final HttpGet httpget = new HttpGet(hostname+"/documents/" + groupId + "/" + folderId + "/" + filename);
final HttpResponse response = httpclient.execute( httpget, localContext);
if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
final org.apache.http.HttpEntity entity = response.getEntity();
if (entity != null) {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
entity.writeTo(baos);
return baos.toByteArray();
}
}
return null;
} finally {
httpclient.getConnectionManager().shutdown();
}
}
i am adding basic auth header will correct username and password, don't know how this login page is coming, is there any permission which i need to change or any configurations issue, please help in this.
You could use the Liferay WebDav Services to download files from your document-library. The paths to download can be inspected inside of the control-panel when clicking on a file entry (WebDAV URL toogle link). The paths usually look like: /webdav/{site-name}/document_library/{folder-name}/{file-name}
Otherwise, you could mimic the request URLs Liferay creates inside the documents-media portlet to download the file entry.
But you should take care about authentication, when your files (and folders) are not visible to guests.

Custom maintenance mode module does not work on Azure Web Role

I've created and registered custom http module to show maintenance message to user after administrator turns on maintenance mode via configuration change.
When I pass request for html it should return custom html loaded from file, but it returns message: "The service is unavailable." I can't find that string in my entire solution. Custom log message from custom maintenance module is written to log4net logs.
... INFO DdiPlusWeb.Common.MaintenanceResponder - Maintenance mode is on. Request rejected. RequestUrl=...
Seems something is miss configured in IIS on Azure. Something intercepts my 503 response. How to fix it?
Module code
void context_BeginRequest(object sender, EventArgs e)
{
HttpApplication application = (HttpApplication)sender;
HttpContext context = application.Context;
if (AppConfig.Azure.IsMaintenance)
{
MaintenanceResponder responder = new MaintenanceResponder(context, MaintenaceHtmlFileName);
responder.Respond();
}
}
Interesting part of responder code.
private void SetMaintenanceResponse(string message = null)
{
_context.Response.Clear();
_context.Response.StatusCode = 503;
_context.Response.StatusDescription = "Maintenance";
if (string.IsNullOrEmpty(message))
{
_context.Response.Write("503, Site is under maintenance. Please try again a bit later.");
}
else
{
_context.Response.Write(message);
}
_context.Response.Flush();
_context.Response.End();
}
EDIT: I lied. Sorry. Maintenance module returns the same message for requests that expect json or html.
This answer led me to the solution.
I've added another line to SetMaintenanceResponse method.
_context.Response.TrySkipIisCustomErrors = true;
It works now. Here is more about what it exactly means.

Connect to FTP server and download file from FTP to local machine

I need to know a way to connect to a FTP site and i am unable to find an example to do the program using C#.
I need to write the code where i could connect, and download files from the FTP server without using third party component.
How can i do this ? Help.
There is FtpWebRequest class in .Net 4
http://msdn.microsoft.com/en-us/library/system.net.ftpwebrequest.aspx
There are examples at the end. Here is a sample taken from msdn:
public static bool DisplayFileFromServer(Uri serverUri)
{
// The serverUri parameter should start with the ftp:// scheme.
if (serverUri.Scheme != Uri.UriSchemeFtp)
{
return false;
}
// Get the object used to communicate with the server.
WebClient request = new WebClient();
// This example assumes the FTP site uses anonymous logon.
request.Credentials = new NetworkCredential ("anonymous","janeDoe#contoso.com");
try
{
byte [] newFileData = request.DownloadData (serverUri.ToString());
string fileString = System.Text.Encoding.UTF8.GetString(newFileData);
Console.WriteLine(fileString);
}
catch (WebException e)
{
Console.WriteLine(e.ToString());
}
return true;
}
This isn't specifically a question as such.
You need to use the socket classes within the .NET framework:
MSDN - System.Net.Sockets
A good example I've previously used is:
www.dreamincode.net - Create an ftp class library

Application Error Occurs in Nokia 6300

I am using this code to connect Servlet. Mobile application when try to access internet.
The following message appears in mobile.
"Allow network access?? yes or no ". If I click "no" for that message in Nokia 6300 "Application Error" Warning will appear and it will close the application automatically.
I tried other nokia mobiles like N70 and N72. Mobile will not show "Application Error".
Is it Mobile problem or coding problem?
Is there any efficient way to connect Servlet using http?
public static InputStream getDataInputStream(String url, String request)
{
HttpConnection httpConnectionObj = null;
OutputStream dataOutputStreamObj = null;
try {
httpConnectionObj = (HttpConnection) Connector.open(url, Connector.READ_WRITE);
httpConnectionObj.setRequestMethod(HttpConnection.POST);
dataOutputStreamObj = httpConnectionObj.openOutputStream();
dataOutputStreamObj.write(request.getBytes());
dataOutputStreamObj.close();
return httpConnectionObj.openInputStream();
} catch (javax.microedition.io.ConnectionNotFoundException cnfe) {
//Alert
} catch (Exception ex) {
//Alert
} finally {
try {
if (httpConnectionObj != null) {
httpConnectionObj.close();
httpConnectionObj = null;
}
} catch (IOException ex) {
ex.printStackTrace();
}
}
return null;
}
There is no good way to extract java.lang.Throwable.printStackTrace() on a Nokia 6300 since it is a Series40 phone.
The issue with the permission dialog has nothing to do with your code. You have to be aware of the MIDP security model in order to fix this.
A given phone has several security domain encoded in its firmware by the phone manufacturer.
In each domain, there can be several options to restrict access to a sensitive API.
When you install a MIDlet, the phone decides which domain it belongs to based on who trusts the certificate you signed it with. (could be unsigned, trusted third party, operator, manufacturer... )
When you run the MIDlet, every time it attempts to use a restricted API, the corresponding option is applied. (Could be always deny, ask the user every time, ask the user only once, always allow).
Different restricted APIs can have different options in the same domain.
There are therefore several possible explanations to your problem:
You signed the MIDlet differently for 6300 and N70.
The security domains are different on 6300 and n70.
The option to restrict HTTP connection is different on 6300 and N70.
The Mobile Network Operator is different on 6300 and N70.
I am not sure if it would help, but try closing output stream before HttpConnection in finally block:
} finally {
try {
if (dataOutputStreamObj != null)
dataOutputStreamObj.close();
dataOutputStreamObj = null;
if (httpConnectionObj != null)
httpConnectionObj.close();
httpConnectionObj = null;
} catch (IOException ex) {
ex.printStackTrace();
}
}

Resources