
So, I was involved in one of the projects where the client site and the admin panel/dashboard were hosted on different sites. Not like a lot of CRMs do, or 90% of common sites (just in /admin or another URL location on the root client site), but literally on different domains.

To get access to the dashboard login page, the user should make a request to the client site (open to everyone) on a specific URL, where after a process with some questions/verification his IP gets added to the database. On the dashboard site there is a script running that fetches the array of approved IPs and rebuilds the root .htaccess according to a template every x minutes. The final .htaccess file looks like this:

    Order Deny,Allow
    Deny from all
    Allow from localhost
    Allow from 127.0.0.1
    Allow from ...
    (list of approved IPs, line by line, goes here)

I want to do the same configuration in one of my apps and am working on that. Because the IP whitelist is located in the header of the root .htaccess file, there is no chance to load any file/subdirectory/URL from this domain; I will always get a 403 error.

As I understand it, all MySQL payloads will be dropped by the server before they even reach the PHP/MySQL application. The question that bothers me is: what kinds of attacks are still possible on this dashboard with such an .htaccess configuration in root, on the latest Apache 2.4? Maybe there are ways to bypass it, with some tricky headers or something like that?

From what I am thinking, only the following are possible:

  • XSS attacks on the client site, in case data is not filtered and is printed in the dashboard.
  • CSRF attacks on the dashboard if you know the whitelisted users and the application structure.
  • Brute force and scanning of non-web ports like FTP, SSH, SMTP, etc., where requests won't be dropped because of the .htaccess whitelist.

What other possible attacks should be considered while I am working on security? (Including attacks on the client site that is somehow linked to or speaking with this dashboard.)

Thanks

Red Indian
  • "As I understand, all MySQL payloads will be dropped by server before even reach application with PHP/MySQL" why is this the case? Is the server running MySQL with an open port? – Joshua Murphy Feb 15 '20 at 01:59
  • What I meant is: SQL injection attacks would be impossible, because the server would drop them at the .htaccess level, and they won't reach the application with its controllers. P.S. No, MySQL is allowed to work only on localhost. – Red Indian Feb 17 '20 at 16:22
