Insecure redirect?


Insecure redirect?

Martin Holmes
Hi all,

If I type a URL like this in my browser:

https://myexistapp.uvic.ca/exist/apps/dashboard/

with explicit https, but without specifying the index.html file, I get
redirected here:

http://myexistapp.uvic.ca/exist/apps/dashboard/index.html

In other words, the connection is redirected from secure to insecure.
This is a bit risky -- you can easily forget you're on an insecure
connection and send admin passwords in the clear. I can't figure out
where this is happening; the controller for the dashboard XAR has this:

else if ($exist:path = "/") then
     (: forward root path to index.xql :)
     <dispatch xmlns="http://exist.sourceforge.net/NS/exist">
     {
         if (request:get-uri() eq "/exist/apps/dashboard/" and
             request:get-header("X-Forwarded-URI") eq "/apps/dashboard/")
         then
             <redirect url="/apps/dashboard/index.html"/>
         else
             <redirect url="index.html"/>
     }
     </dispatch>

but I don't see how that would be switching https to http. Can anyone
shed light on this?

Cheers,
Martin


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Exist-open mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/exist-open

Re: Insecure redirect?

Dannes Wessels-3
Please could you check with curl what is happening? Do you have a reverse proxy in front?

curl -kiv https://myexistapp.uvic.ca/exist/apps/dashboard/ 



On 18 Apr 2017, at 20:55 , Martin Holmes <[hidden email]> wrote:

https://myexistapp.uvic.ca/exist/apps/dashboard/

with explicit https, but without specifying the index.html file, I get 
redirected here:

http://myexistapp.uvic.ca/exist/apps/dashboard/index.html



Re: Insecure redirect?

Martin Holmes
We do have Apache in front of Jetty. This is the curl response:

curl -kiv https://myexistapp.uvic.ca/apps/dashboard/
*   Trying xxx.xxx.xxx.xxx...
* Connected to xxx.xxx.xxx.xxx (c) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 698 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: *.uvic.ca (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=CA,ST=British Columbia,L=Victoria,O=University of
Victoria,CN=*.uvic.ca
* start date: Tue, 12 May 2015 16:31:05 GMT
* expire date: Sat, 23 Jun 2018 17:45:04 GMT
* issuer: C=BE,O=GlobalSign nv-sa,CN=GlobalSign Organization
Validation CA - SHA256 - G2
* compression: NULL
* ALPN, server did not agree to a protocol
 > GET /apps/dashboard/ HTTP/1.1
 > Host: myexistapp.uvic.ca
 > User-Agent: curl/7.47.0
 > Accept: */*
 >
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Tue, 18 Apr 2017 20:19:13 GMT
Date: Tue, 18 Apr 2017 20:19:13 GMT
< Server: Jetty(9.3.9.v20160517)
Server: Jetty(9.3.9.v20160517)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://myexistapp.uvic.ca/apps/dashboard/index.html
Location: http://myexistapp.uvic.ca/apps/dashboard/index.html
< Content-Length: 0
Content-Length: 0
< Set-Cookie: JSESSIONID=1la5w9rb2zxxxxxxxxxxxxxzu;Path=/
Set-Cookie: JSESSIONID=1la5w9rb2zxxxxxxxxxxxxxzu;Path=/
< Content-Type: text/plain
Content-Type: text/plain
< Set-Cookie: [...]; path=/
Set-Cookie: [...]; path=/

<
* Connection #0 to host myexistapp.uvic.ca left intact

I can't tell from this whether the issue is caused by Apache or not, but
it happens identically on our main server setup and also on my local
machine when I run eXist behind Apache. Apache is always talking to
eXist on port 8080; I see nothing in the virtual host definition that
looks like it would cause a switch to http.

Cheers,
Martin

On 2017-04-18 12:18 PM, Dannes Wessels wrote:




Re: Insecure redirect?

Olaf Schreck
Hi Martin,

may I suggest you check this:

> * ALPN, server did not agree to a protocol


Olaf


Re: Insecure redirect?

Joe Wicentowski
In reply to this post by Martin Holmes
Hi Martin,

Which version of eXist, and Dashboard at that?  On my local system
(pure eXist 3.1.1 without any reverse proxy, Dashboard 0.4.7), here's
what I see:

- requesting https://localhost:8443/exist/apps/dashboard
- returns a 302 to https://localhost:8443/exist/apps/dashboard/
- which returns another 302 to
https://localhost:8443/exist/apps/dashboard/index.html

Joe
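A hop-by-hop redirect checker for the downgrade shown in Martin's curl output and the two-hop chain Joe describes; this is an added example, not eXist or Apache code. It assumes only the Python standard library, the response headers embedded below are constructed after the thread's curl output, and fetch_headers is the only part that touches the network.

```python
"""Redirect-chain checker for the https -> http downgrade discussed above.
Added example, not eXist or Apache code; the sample headers are constructed."""
import http.client
from urllib.parse import urljoin, urlsplit

def parse_status_and_location(raw_headers):
    """Return (status, Location) from header text; accepts curl -v's '< ' prefix."""
    lines = [l[2:] if l.startswith("< ") else l for l in raw_headers.splitlines()]
    lines = [l for l in lines if l.strip() and l != "<"]
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def classify_hop(request_url, status, location):
    """Resolve Location against the request URL (relative, as in the
    controller's <redirect url="index.html"/>, or absolute, as Jetty sent)
    and flag a hop that drops from https to http."""
    if status not in (301, 302, 303, 307, 308) or location is None:
        return {"next": None, "downgrade": False}
    target = urljoin(request_url, location)
    downgrade = (urlsplit(request_url).scheme == "https"
                 and urlsplit(target).scheme == "http")
    return {"next": target, "downgrade": downgrade}

def fetch_headers(url):
    """One live request without automatic redirect following -> header text."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=10)
    conn.request("GET", p.path or "/")
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\n"
    return head + "".join(f"{k}: {v}\n" for k, v in resp.getheaders())

def walk_chain(start_url, get_headers=fetch_headers, max_hops=5):
    """Follow redirects hop by hop; returns [(url, status, downgraded), ...]."""
    url, hops = start_url, []
    for _ in range(max_hops):
        status, location = parse_status_and_location(get_headers(url))
        hop = classify_hop(url, status, location)
        hops.append((url, status, hop["downgrade"]))
        if hop["next"] is None:
            break
        url = hop["next"]
    return hops

# Constructed response modelled on the curl -kiv output posted in the thread.
SAMPLE_302 = """< HTTP/1.1 302 Found
< Server: Jetty(9.3.9.v20160517)
< Location: http://myexistapp.uvic.ca/apps/dashboard/index.html
"""
```

Running walk_chain("https://your-host/exist/apps/dashboard/") against a proxied eXist prints each hop with a downgrade flag, so the hop that emits the http:// Location is visible without reading the raw curl trace.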

On Tue, Apr 18, 2017 at 4:42 PM, Martin Holmes <[hidden email]> wrote:



Re: Insecure redirect?

Martin Holmes
Thanks all.

This is eXist 3.1.1, dashboard 0.4.7. Looks like it must be something to
do with Apache, but I can't figure out what. This:

   ALPN, server did not agree to a protocol

shows up in the curl output, but there doesn't seem to be anything
analogous when I look at the browser communication with the site,
monitored with Firebug; I just see 302 Found, then the request for
index.html without TLS.

If I figure it out I'll post. If anyone else has eXist proxied behind
Apache, could you try an https request to:

/exist/apps/dashboard/

and see if you see the same thing?

Cheers,
Martin

On 2017-04-18 02:55 PM, Joe Wicentowski wrote:




Re: Insecure redirect?

Olaf Schreck
>    ALPN, server did not agree to a protocol
> shows up in the curl output, but there doesn't seem to be anything
> analogous when I look at the browser communication with the site,
> monitored with Firebug; I just see 302 Found, then the request for
> index.html without TLS.

Looks like this to me:

- you seem to send HTTP/2 requests (via proxy?)
- your Apache seems to incorrectly handle HTTP/2
- TLS goes broke on that -> error, fallback to plaintext
- you end up with plain HTTP

Check your proxy logs if you have access.


Olaf


Re: Insecure redirect?

Martin Holmes
This only happens when accessing the dashboard/ URL, though. Any other
https: url is handled perfectly, including a direct request for
dashboard/index.html.

It has to be something to do with Apache's handling of the default files
for folders.

On 2017-04-18 03:49 PM, Olaf Schreck wrote:


