OWASP Top Ten Project 2013 No 5 – Security Misconfiguration

Application Updates

Regular product updates, hotfixes and patches are released for Intershop products; these also fix potential security issues.
The support department announces important security updates via the “security bulletin” newsletter. Updates and patches are announced on the support web page (https://support.intershop.com/).

Verify Default Settings

Intershop is delivered with a standard configuration, which includes standard passwords for system accounts as well as demo stores. Some settings of this standard configuration need to be changed or adapted, or at least need to be verified.

Intershop 7

Database

  1. Change the database passwords.
    The Knowledge Base article Using DBCA templates for creating a database from the scratch describes how to create a database instance suitable for your Intershop 7. As soon as your system is about to go live, contact your Oracle Database Administrator to change these passwords. Afterwards, you have to update the password in your orm.properties, which is located in $IS_SHARE/system/config/cluster:
    intershop.jdbc.password=<NewIntershopPassword>
  2. Back up the database.
    Make a backup of your database content before going live to preserve the original state of your database. Refer to your Oracle manuals, to the Knowledge Base article Backup Strategy for Oracle Databases or contact your Database Administrator for more information.
  3. Set Oracle to archive mode.
    Setting the Oracle server to archive mode is essential to enable the recovery of the database in the case of a system server crash, for example a disk crash. Read: Setting the Oracle Server to Archive Mode.
  4. Consider Oracle Tuning Measures.
    Tuning is strongly recommended and depends on your own database setup. Thus we only provide the requirements for the Intershop application and leave this topic to the responsibility of your database administrator.

Web Server / Web Adapter

  1. Enable page cache.
    Enabling page caching is recommended to decrease the response time of the Intershop application. It decreases the load on your application servers by caching single pages inside the Web Adapter. Refer to Overview – Administration and Configuration and its subsequent documents to learn more about the page caching mechanism. Page caching is usually turned off during development so that all changes to ISML templates are displayed immediately, so don’t forget to turn it on in the back-office:

    1. Log in to your Enterprise’s back-office.
    2. Select the channel whose pages shall be cached.
    3. Navigate to Preferences -> Page Caching, check the box and click ‘Apply’.
  2. Define Website indexing rules for Web robots.
    Avoid having your whole Intershop 7 site indexed by Web robots instead of only your rewritten URLs. Therefore, configure the robots.txt so that no robot can access URLs containing the string “/INTERSHOP/”. This results in a site where only your rewritten URLs are indexed.
  3. Online Search Engine Support
    To improve the visibility of your system, have search engine Web robots, like that of Google, index your site in a controlled manner. That means you allow selected indexing robots access to your system. To provide them with links which do not include session IDs (SID) or personalization group IDs (PGID), set the following property in $IS_SHARE/system/config/cluster/webadapter.properties:
    session.skipForUserAgent.0=XampleBot
    where XampleBot is the name of the robot. Thus, any user agent containing the string XampleBot will get links without IDs, allowing the robot to recheck the URL later.
  4. Configure your firewall.
    It is recommended to run your Intershop 7 machines behind a firewall. The only open ports should be ports 80 and 443 of your Web Server (these are the defaults).
  5. Web Adapter Statistics Monitor
    The Web Adapter Statistics monitor delivers information about your system (e.g. load, cache hit ratio, response times). The Web Server mapping of the Web Adapter Statistics monitor can be activated in $IS_HOME/httpd/conf/extra/httpd-webadapter.conf by adding the following block:

    <LocationMatch /wastatistics>
       Order  Allow,Deny
       Allow  from YourIPRange
    </LocationMatch>

    Replace YourIPRange with the address range that may reach the monitor (for example: Allow from 10.10.10.0/24). After restarting the Web Server, the monitor page can be accessed via the URL http://<host>/INTERSHOP/wastatistics. To restrict access to the monitor further with a user name and password, follow these steps:

    1. Choose a user who should have access.
    2. Open a command line and switch to $IS_HOME/httpd/bin.
    3. Execute htpasswd -c passwordFileNameWithPath username.
    4. Choose and confirm a password.
    5. Modify the $IS_HOME/httpd/conf/extra/httpd-webadapter.conf by inserting the following block, where passwordFileWithPath is the file created in step 3 (e.g. /path/filename):
      <LocationMatch /wastatistics>
        AuthType Basic
        AuthUserFile passwordFileWithPath
        AuthName "username"
        require valid-user
      </LocationMatch>
    6. Modify the $IS_HOME/httpd/conf/httpd.conf by activating these modules:
      • LoadModule auth_basic_module modules/mod_auth_basic.so
      • LoadModule authn_file_module modules/mod_authn_file.so
      • LoadModule authz_host_module modules/mod_authz_host.so
      • LoadModule authz_user_module modules/mod_authz_user.so
    7. Restart the Web Server to activate the changes.
    8. Now a user name and password are necessary to access the Web Adapter Statistics monitor.
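    The IP restriction and the basic-auth block above are easy to get half right (a placeholder range left in place, Allow from all, or a missing LoadModule line), so a go-live check is worth automating. The following script is an added example, not Intershop's code or configuration: it parses the <LocationMatch /wastatistics> sections of httpd-webadapter.conf and the LoadModule lines of httpd.conf and reports whether the monitor is limited to a real address range and guarded by basic authentication. The configuration texts and the password file path in it are constructed samples.

```python
"""Go-live check for the Web Adapter Statistics monitor (added example, not Intershop code).

Parses the <LocationMatch /wastatistics> sections of httpd-webadapter.conf and
the LoadModule lines of httpd.conf; the configuration texts are constructed samples.
"""
import ipaddress
import re

# Modules the checklist says must be loaded for the basic-auth setup to work.
REQUIRED_MODULES = {
    "auth_basic_module", "authn_file_module",
    "authz_host_module", "authz_user_module",
}


def location_blocks(conf, path):
    """Return the bodies of all <LocationMatch PATH> ... </LocationMatch> sections."""
    pattern = re.compile(
        r"<LocationMatch\s+\"?" + re.escape(path) + r"\"?\s*>(.*?)</LocationMatch>",
        re.DOTALL | re.IGNORECASE)
    return pattern.findall(conf)


def directives(body):
    """Split a section body into (directive, argument) pairs; '#' comments are skipped."""
    out = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def allowed_networks(dirs):
    """Collect 'Allow from' arguments that parse as networks ('all' and placeholders do not)."""
    nets = []
    for name, arg in dirs:
        if name == "allow" and arg.lower().startswith("from"):
            for token in arg.split()[1:]:
                try:
                    nets.append(ipaddress.ip_network(token, strict=False))
                except ValueError:
                    pass  # 'all', a hostname, or a placeholder such as YourIPRange
    return nets


def check_wastatistics(webadapter_conf, httpd_conf):
    """'protected' is True only if IP filter, basic auth and the required modules are all present."""
    dirs = []
    for body in location_blocks(webadapter_conf, "/wastatistics"):
        dirs.extend(directives(body))
    lowered = [(n, a.lower()) for n, a in dirs]
    nets = allowed_networks(dirs)
    loaded = set(re.findall(r"^\s*LoadModule\s+(\S+)", httpd_conf, re.MULTILINE))
    result = {
        # a real range, and not the whole address space (0.0.0.0/0)
        "ip_restricted": bool(nets) and all(n.prefixlen > 0 for n in nets),
        "basic_auth": ("authtype", "basic") in lowered
                      and any(n == "authuserfile" for n, _ in lowered)
                      and ("require", "valid-user") in lowered,
        "missing_modules": sorted(REQUIRED_MODULES - loaded),
    }
    result["protected"] = (result["ip_restricted"] and result["basic_auth"]
                           and not result["missing_modules"])
    return result


# Constructed samples: an unrestricted block, and the hardened two-block setup.
WEAK_CONF = """
<LocationMatch /wastatistics>
   Order  Allow,Deny
   Allow  from all
</LocationMatch>
"""
HARDENED_CONF = """
<LocationMatch /wastatistics>
   Order  Allow,Deny
   Allow  from 10.10.10.0/24
</LocationMatch>
<LocationMatch /wastatistics>
  AuthType Basic
  AuthUserFile /path/wastatistics.passwd
  AuthName "Web Adapter Statistics"
  require valid-user
</LocationMatch>
"""
HTTPD_CONF = """
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_wastatistics(conf, HTTPD_CONF))
```

    Run it against the real files by reading $IS_HOME/httpd/conf/extra/httpd-webadapter.conf and $IS_HOME/httpd/conf/httpd.conf into the two arguments; a result with protected set to False before go-live means the monitor is reachable without one of the two controls described above.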

Application Server

  1. Java Virtual Machine
    Adjust the memory size of the Java Virtual Machines by setting the following options in $IS_HOME\bin\tomcat.bat:

    set JAVA_OPTS=%JAVA_OPTS% -Xms2048m -Xmx2048m -XX:MaxPermSize=400m -XX:NewRatio=8
    
  2. Log Level
    Log levels can be defined separately for each Intershop 7 application server in the cluster or cluster-wide. For development purposes, the log level is usually set to DEBUG, which is not recommended for live systems because of its negative impact on performance and the huge amount of logged data that inflates the log files. Live systems should be configured to the levels ERROR, WARN and JOB, and additionally to STAGING if the application server is part of a staging cluster.
    To set the log level:

    1. Log in to the SMC.
    2. Go to the Logging section.
    3. Choose a cluster-wide setting, or select a single application server and specify the log scopes (log levels).

    After changing the log level, check the content of the log files and perform a couple of requests on your site. The log level is successfully set when no debug messages can be found.

  3. Clear/Backup Log Files
    You should clear or back up the log files prior to going live so that you can track potential problems more easily. To clear the log files:

    1. Stop the Intershop 7 application servers and the Web Server.
    2. Move all files from $IS_SHARE\system\log to a backup directory (keep these old log files for reference).
    3. Start the Intershop 7 application servers and the Web Server.
  4. Jobs
    Check the jobs within the SMC for each site. Disable jobs which are not needed. Where possible, schedule jobs for low-traffic times, e.g. at night, and make sure the jobs run with some time offset from each other to reduce the risk of heavy system load due to concurrent jobs.
  5. ISML Source Checking
    Usually, your production system will not change often. To improve its performance, disable ISML source checking during template processing by setting the following property in $IS_SHARE\system\config\cluster\appserver.properties:
    intershop.template.CheckSource=false
  6. ISML Precompilation
    Use ISML template precompilation to improve the performance during high traffic times. All ISML templates are precompiled during application server start so that the system does not need to compile them on user request.
    For Intershop 7 versions < 7.2.1
    To enable precompilation set the following property in $IS_SHARE\system\config\cluster\appserver.properties:
    intershop.template.CompileOnStartup=true

    For Intershop 7 versions starting from 7.2.1
    The ISML templates can be precompiled by executing the Ant task:
    ant precompile
  7. Password configuration for encryption
    Ensure that the value intershop.encryption.0.id has a configured password which meets the requirements for a secure and safe password. You can check these requirements in usercredentialrules.properties.
  8. Set Correct Time
    Before going live, set the correct time and timezone for the Intershop 7 application server machines, the database machine and also the Web Server machine. They all should be in sync.
  9. License Key
    Intershop 7 distinguishes between development license keys and production license keys (standard and TBR (transaction-based renting)), so please check if your license keys are made for live systems. If not, contact your Intershop account manager to request appropriate license keys.
  10. Disable Development Mode of Tomcat
    By default the inner Tomcat development mode is set to ‘true’, which can be a performance issue. In live system installations the development mode can be set to ‘false’. The suggested solution to increase the performance of production systems is to edit the file web.xml in $IS_SHARE\system\config\servletEngine\conf\ as follows:

    ...
    <init-param>
      <param-name>development</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>reloading</param-name>
      <param-value>false</param-value>
    </init-param>
    ... 
    

    By setting the two values to false, all properties that concern ISML template handling (these properties start with intershop.template) in appserver.properties become invalid. If, for example, you configure your system to check for newer versions of ISML templates at request time (by using intershop.template.CheckSource=true), Intershop 7 will simply ignore this property. In other words, you must choose between disabling the Tomcat development mode and being able to configure ISML source checking and ISML precompilation.

  11. Disable AXIS HotDeployment
    To avoid a large number of additional file system operations, set hotdeployment to false in both of the following files:

    /intershop/system/config/cluster/axis2client.xml
    <parameter name="hotdeployment">false</parameter>
    
    /intershop/system/config/cluster/axis2server.xml
    <parameter name="hotdeployment">false</parameter>
    
  12. Check Correctness of all Multicast Channels
    To ensure the operational reliability of your Intershop 7 installation, check that the multicast channels used by the application servers, the node manager and the database are configured consistently in the following files:

    • $IS_SHARE\system\config\cluster\appserver.properties
    • $IS_SHARE\system\config\cluster\orm.properties
    • $IS_SHARE\system\config\cluster\cache.properties
    • $IS_SHARE\system\tcm\config\tcm.properties
  13. Disable Unused Sites
    Disable sites that are not used. This applies in particular to the Intershop 7 demo sites (e.g. Inspired, PrimeTech). A demo store could even be misused to harm your system’s performance by starting imports, syndication or heavy jobs. Sites can be disabled via the SLDSystem (in the Operations site) or the SMC.
  14. Development & Production Properties
    Intershop 7 provides the possibility to create development or production properties, which allows you to simply switch between configurations. The environment.properties file ($IS_SHARE\system\config\cluster) defines which property file is used.
    Please check that you have the correct configuration in the environment.properties.
  15. Change the SMC and the TCC Passwords
    The two admin consoles can be found under the following URLs:

    • SMC: https://<host>/INTERSHOP/web/BOS/SMC
    • TCC: https://<appserver-host>:10053/tcc
    1. Log into SMC/TCC as admin.
    2. Go to Change Password.
    3. Type a new password and confirm change.
  16. Configure a Mail Server
    1. Open the file $IS_SHARE/system/config/cluster/appserver.properties.
    2. Modify the line intershop.SMTPServer=defaultMailServer.domain.com to add your own mail server address.
  17. Processor Affinity
    Configure your Application Servers to use all available processors. Intershop 7 supports processor affinity to provide better performance in case you do not bind all Application Server processes to the same CPU. Every server process (the Java virtual machine) can be bound to a certain CPU or can run unbound, which means that the Intershop 7 application server will use all cores of the machine. Please note that the CPU usage of all application servers has to be covered by the license file. If the license covers all possible cores, it is recommended to run the application servers unbound. To bind the application server processes:

    1. Switch to $IS_SHARE\system\config\servers.
    2. Enter the folder named with the IP address of the desired application server instance.
    3. Open the file appserver#.properties contained in this folder.
    4. Modify the line intershop.cpu.id = 0 to bind the server instance to one CPU (the CPUs are numbered from 0 to n).
  18. Customer Information Center (CIC)
    Configure your system to transfer log files to the CIC, where the data is processed and made accessible in graphical form. Whether you can use the CIC depends on your support contract.
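    Several of the items above come down to a single property or XML value that must not keep its development default on a live system (the database password placeholder in orm.properties, intershop.template.CheckSource and the default intershop.SMTPServer in appserver.properties, the development and reloading init-params in web.xml, and hotdeployment in the two Axis2 files). The following script is an added example, not Intershop's code: it reads those files and lists every setting that still looks like a development default. Only keys named in the checklist are checked; all file contents, the mail host mail.example.com and the sample password are constructed.

```python
"""Go-live audit of Intershop 7 configuration files (added example, not Intershop code).

Only keys that appear in the checklist are checked; all file contents are constructed samples.
"""
import xml.etree.ElementTree as ET

DEFAULT_MAIL_SERVER = "defaultMailServer.domain.com"   # default from appserver.properties
PASSWORD_PLACEHOLDER = "<NewIntershopPassword>"        # placeholder from the checklist


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key = value', '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def init_params(web_xml):
    """Map <init-param> names to values, tolerating an XML namespace on the tags."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if elem.tag.split("}")[-1] != "init-param":
            continue
        name = value = None
        for child in elem:
            tag = child.tag.split("}")[-1]
            if tag == "param-name":
                name = (child.text or "").strip()
            elif tag == "param-value":
                value = (child.text or "").strip()
        if name is not None:
            params[name] = value
    return params


def axis_parameters(axis_xml):
    """Map <parameter name="..."> to its text for an Axis2 configuration file."""
    return {p.get("name"): (p.text or "").strip()
            for p in ET.fromstring(axis_xml).iter("parameter") if p.get("name")}


def is_false(value):
    return (value or "").strip().lower() == "false"


def audit(orm_props, appserver_props, web_xml, axis_files):
    """Return human-readable findings; an empty list means every checked setting is live-ready."""
    findings = []
    pw = parse_properties(orm_props).get("intershop.jdbc.password", "")
    if not pw or pw == PASSWORD_PLACEHOLDER:
        findings.append("orm.properties: intershop.jdbc.password is empty or still the placeholder")
    app = parse_properties(appserver_props)
    if not is_false(app.get("intershop.template.CheckSource")):
        findings.append("appserver.properties: intershop.template.CheckSource should be false")
    smtp = app.get("intershop.SMTPServer", "")
    if not smtp or smtp == DEFAULT_MAIL_SERVER:
        findings.append("appserver.properties: intershop.SMTPServer still has the default value")
    params = init_params(web_xml)
    for name in ("development", "reloading"):
        if not is_false(params.get(name)):
            findings.append(f"web.xml: init-param '{name}' should be false")
    for filename, xml_text in axis_files.items():   # axis2client.xml, axis2server.xml
        if not is_false(axis_parameters(xml_text).get("hotdeployment")):
            findings.append(f"{filename}: hotdeployment should be false")
    return findings


# Constructed samples: a development-style set of files and a live-ready set.
WEAK_ORM = "intershop.jdbc.password=<NewIntershopPassword>\n"
GOOD_ORM = "intershop.jdbc.password=Ex4mple-Str0ng-Pw\n"
WEAK_APP = "intershop.template.CheckSource=true\nintershop.SMTPServer=defaultMailServer.domain.com\n"
GOOD_APP = "# live settings\nintershop.template.CheckSource = false\nintershop.SMTPServer=mail.example.com\n"
WEB_XML = """<web-app><servlet>
  <init-param><param-name>development</param-name><param-value>{0}</param-value></init-param>
  <init-param><param-name>reloading</param-name><param-value>{0}</param-value></init-param>
</servlet></web-app>"""
AXIS_XML = '<axisconfig><parameter name="hotdeployment">{0}</parameter></axisconfig>'
AXIS_FILES = ["axis2client.xml", "axis2server.xml"]

if __name__ == "__main__":
    weak = audit(WEAK_ORM, WEAK_APP, WEB_XML.format("true"), {f: AXIS_XML.format("true") for f in AXIS_FILES})
    good = audit(GOOD_ORM, GOOD_APP, WEB_XML.format("false"), {f: AXIS_XML.format("false") for f in AXIS_FILES})
    print("\n".join(weak) or "no findings", "\n---\n", good or "no findings")
```

    To audit a real installation, read orm.properties, appserver.properties, web.xml and the two Axis2 files from the paths named in the items above into the four arguments; each finding names the file and the key that still carries a development value.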

Co-Authors: Thomas Bergmann, Nils Breitmann and Intershop Consulting Stuttgart


One thought on “OWASP Top Ten Project 2013 No 5 – Security Misconfiguration”

  • 2017-02-13 at 6:53 pm

    I also recommend to encrypt the communication to the SMTP server (TLS, Port 587).
