Forum OpenACS Q&A: Response to htDig

2: Response to htDig (response to 1)
Posted by Jerry Asher on
If you are using OpenACS 3.2.5, then take a look within tcl/ad-security.tcl at ad_verify_and_get_user_id.

To help secure your hack, you might consider loading up another nssock instance within AOLserver that only accepts requests on a certain port of localhost, and not your public IP address.  Then point htDig at that address and that port.  Since the address is the localhost, the public and the h4x0r should not be able to gain access to your system.  htDig's rewrite rules should fix the URLs back to publicly addressable URLs.

Your strategy should work, but may have small problems: since htDig won't maintain cookie state, every time anything wants the user id it will have to go through a code patch that encounters your "fix".

Another strategy would be to create a Tcl based proxy.  Modify httpget to login and obtain/maintain the cookie login information by adding the appropriate cookie headers to each request.  Point htDig towards your proxy, and have your proxy httpget the actual pages and return them to htDig.  Again, use htDig's rewrite rules to fix up the returned URLs.  Once again you can secure this by having your proxy check to ensure the connection is being made on the localhost.
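The proxy strategy above, written out as an added example for AOLserver 3.x (this is illustration code, not code from the post or from OpenACS). It assumes a login form at /register/user-login taking email and password fields, a backend listening on 127.0.0.1:8000, a proxy mounted at /htdig-proxy, and credentials in the ns/htdig config section; all of those names are assumptions. The localhost check on the peer address is the part that keeps the logged-in proxy from being a public back door.

```tcl
# Added example, not from the original post.  Assumed names: the ns/htdig
# config section, the /register/user-login form, the backend and proxy URLs.
set htdig_backend "http://127.0.0.1:8000"      ;# real site, assumed
set htdig_public  "http://www.example.com"     ;# what rewritten links should point at, assumed
set htdig_prefix  "/htdig-proxy"
nsv_set htdig_proxy cookie ""                  ;# shared across interps, one login per server

# Log in (once, or again when the cookie is lost) and remember the Set-Cookie values.
proc htdig_proxy_login {} {
    global htdig_backend
    set rqset [ns_set create]
    ns_set put $rqset "Content-Type" "application/x-www-form-urlencoded"
    set pdata "email=[ns_urlencode [ns_config ns/htdig email]]&password=[ns_urlencode [ns_config ns/htdig password]]"
    # ns_httpopen returns {readfd writefd response-header-set}; it does not follow redirects,
    # so the Set-Cookie headers of the login response are visible here.
    set conn [ns_httpopen POST "$htdig_backend/register/user-login" $rqset 30 $pdata]
    close [lindex $conn 0]
    close [lindex $conn 1]
    set rpset [lindex $conn 2]
    set cookies {}
    for {set i 0} {$i < [ns_set size $rpset]} {incr i} {
        if {[string tolower [ns_set key $rpset $i]] == "set-cookie"} {
            # keep only name=value, drop path/expires attributes
            lappend cookies [string trim [lindex [split [ns_set value $rpset $i] ";"] 0]]
        }
    }
    ns_set free $rpset
    ns_set free $rqset
    nsv_set htdig_proxy cookie [join $cookies "; "]
}

# Fetch the real page on behalf of htDig, adding the login cookie.
proc htdig_proxy_handler {conn context} {
    global htdig_backend htdig_public htdig_prefix
    # Only the crawler on this box may use the proxy; anyone else is refused.
    if {[ns_conn peeraddr] != "127.0.0.1"} {
        ns_returnforbidden
        return
    }
    if {[nsv_get htdig_proxy cookie] == ""} {
        htdig_proxy_login
    }
    set path [string range [ns_conn url] [string length $htdig_prefix] end]
    set url "$htdig_backend$path"
    if {[ns_conn query] != ""} {
        append url "?[ns_conn query]"
    }
    set rqset [ns_set create]
    ns_set put $rqset Cookie [nsv_get htdig_proxy cookie]
    set page [ns_httpget $url 30 0 $rqset]
    ns_set free $rqset
    # Absolute links back to the backend are pointed at the public site; relative
    # links stay relative and htDig's own url rewriting handles them at index time.
    set page [string map [list $htdig_backend $htdig_public] $page]
    ns_return 200 text/html $page
}

ns_register_proc GET "$htdig_prefix/*" htdig_proxy_handler
```

Point htDig's start_url at http://127.0.0.1:PORT/htdig-proxy/ on the same host, where PORT is whatever the AOLserver running this file listens on. If that listener is itself bound only to 127.0.0.1, the peeraddr check is a second line of defence rather than the only one.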