Lasso admin security


Lasso admin security

Alexander Dewilde

I used to restrict access to the lasso admin pages for localhost only in lasso v3 -> v7, in order to exclude the possibility for attacks on the lasso admin section. This was done by putting the admin pages out of a public server root.

Ever since using Lasso Pro 8, I found out that the admin pages (lassoapps) reside in the applications directory, and no matter how you move them, or rename them, the pages are always found. (siteadmin.lassoapp and serveradmin.lassoapp)

The only way to disable remote admin is by removing the lassoapp handler from the httpd.conf file, but it's not quite a pretty solution?!

Any suggestions on how to block public access to the lasso admin pages?
(Call me paranoid, but I've seen the weirdest attacks...)

Lasso Pro 8.0.5 - OSX Server 10.3.9 - Apache 2.0.52

--
------------------------------
Lasso Support: http://support.omnipilot.com/
Search the list archives: http://www.listsearch.com/lassotalk.lasso
Manage your list subscription: http://www.listsearch.com/lassotalk.lasso?manage

Re: Lasso admin security

Fletcher Sandbeck
On 6/9/05 at 10:47 AM by [hidden email] (Alexander Dewilde):

>I used to restrict access to the lasso admin pages for localhost only
>in lasso v3 -> v7, in order to exclude the possibility for attacks on
>the lasso admin section. This was done by putting the admin pages out
>of a public server root.
>
>Ever since using Lasso Pro 8, I found out that the admin pages
>(lassoapps) reside in the applications directory, and no matter how
>you move them, or rename them, the pages are always found.
>(siteadmin.lassoapp and serveradmin.lassoapp)
>
>The only way to disable remote admin is by removing the lassoapp
>handler from the httpd.conf file, but it's not quite a pretty
>solution?!
>
>Any suggestions on how to block public access to the lasso admin pages?
>(Call me paranoid, but I've seen the weirdest attacks...)
>
>Lasso Pro 8.0.5 - OSX Server 10.3.9 - Apache 2.0.52

The admin LassoApps are served out of the "LassoApps" folder in the application root.  You can move them from there into your private Web server root and they will be served just like they were in a prior version of Lasso.  You will need to move them again after each update to Lasso.

We also provide the source code for the LassoApps with the Language Guide in the Documentation folder.  This allows you to serve the admin apps without accessing them as LassoApps at all.  But again, you'd have to manually update your copy of the apps after each update to Lasso (and remove the LassoApps from within the Web server root).

[fletcher]
--
Fletcher Sandbeck                         [hidden email]
Lasso Product Specialist              [hidden email]
OmniPilot Software, Inc.                http://www.omnipilot.com


Re: Lasso admin security

Wade Maxfield
In reply to this post by Alexander Dewilde
>I used to restrict access to the lasso admin pages for localhost
>only in lasso v3 -> v7, in order to exclude the possibility for
>attacks on the lasso admin section. This was done by putting the
>admin pages out of a public server root.
>
>Ever since using Lasso Pro 8, I found out that the admin pages
>(lassoapps) reside in the applications directory, and no matter how
>you move them, or rename them, the pages are always found.
>(siteadmin.lassoapp and serveradmin.lassoapp)
>
>The only way to disable remote admin is by removing the lassoapp
>handler from the httpd.conf file, but it's not quite a pretty
>solution?!
>
>Any suggestions on how to block public access to the lasso admin pages?
>(Call me paranoid, but I've seen the weirdest attacks...)
>
>Lasso Pro 8.0.5 - OSX Server 10.3.9 - Apache 2.0.52


Just thinking out loud (haven't tried this myself) but...

If you aren't using any other lassoapps, why not move the lassoapp
handler out of the main httpd.conf and put it into a virtual host
directive for an internally accessible site?

  - Wade

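As an added illustration of Wade's virtual-host idea (not a configuration from the original thread or from OmniPilot), here is what an Apache 2.0 httpd.conf split could look like: the public vhost carries no lassoapp handler and additionally refuses any URL ending in .lassoapp, while a second vhost bound to 127.0.0.1 carries the handler and only admits loopback clients. The handler name "lasso8-handler", the port 8080, the hostnames and the document roots are assumptions; copy the real AddHandler/LoadModule lines from your stock Lasso 8 install and keep LoadModule at the top level. Only the .lassoapp extension is moved; any handler line for ordinary .lasso pages stays wherever it is today, so the public site keeps working.

```apache
# Added example, not part of the original thread.
# Assumes Apache 2.0 (mod_access "Order/Allow/Deny" syntax; on 2.4 use
# "Require ip 127.0.0.1" / "Require all denied" instead).

# Public site: no .lassoapp handler is registered in this vhost, so
# siteadmin.lassoapp / serveradmin.lassoapp are never dispatched to Lasso.
# Belt and braces: refuse such URLs outright so Apache cannot fall back to
# serving the raw file, and so a later "AddHandler" edit cannot re-expose it.
<VirtualHost *:80>
    ServerName www.example.com                 # assumed hostname
    DocumentRoot /Library/WebServer/Documents  # assumed path
    <LocationMatch "\.lassoapp$">
        Order allow,deny
        Deny from all
    </LocationMatch>
</VirtualHost>

# Internal admin site: listens on loopback only, so it is unreachable
# from the network even before the access rules below are evaluated.
Listen 127.0.0.1:8080                          # assumed port
<VirtualHost 127.0.0.1:8080>
    ServerName lasso-admin.localhost           # assumed hostname
    DocumentRoot /Library/WebServer/LassoAdmin # assumed path
    # Handler line as shipped with Lasso 8 (name assumed); it lives only here.
    AddHandler lasso8-handler .lassoapp
    <Location />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
</VirtualHost>
```

Check it after restarting Apache: from another host, `curl -I http://www.example.com/siteadmin.lassoapp` should return 403, and `curl -I http://www.example.com:8080/` should not connect at all; from the server itself, `curl -I http://127.0.0.1:8080/siteadmin.lassoapp` should return 200. Reach the admin vhost from a workstation with an SSH tunnel (`ssh -L 8080:127.0.0.1:8080 server`) rather than by widening the Allow list.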