So, I was involved in one of the projects where the client site and the admin panel / dashboard were hosted on different sites. Not like a lot of CRMs or 90% of common sites (just in /admin or another URL location on the root client site), but literally in different places.
To reach the dashboard login page, the user must make a request to the client site (open to everyone) on a specific URL, where, after a process with some questions / verification, their IP is added to the database. On the dashboard site a script runs which retrieves the array of trusted IP addresses and rebuilds the root .htaccess according to the pattern every x minutes. The final .htaccess file looks like this:
    Deny from all
    Allow from localhost
    Allow from 127.0.0.1
    # list of approved IPs, one per line, goes here
I want to make the same configuration in one of my applications and work on it. Because the IP whitelist is located at the top of the root .htaccess file, there is no chance of loading a file / subdirectory / URL on this domain; I will always get a 403 error.
As I understand it, all MySQL payloads will be dropped by the server before they even reach the PHP / MySQL application. The question that bothers me is: what kind of attacks are still possible on this dashboard, with such a root .htaccess configuration, on the latest Apache 2.4? Maybe there are ways to get around it, with tricky headers or something like that?
From what I can tell, only the following are possible:
- XSS attacks on the customer site, in case the data is not filtered and is printed in the dashboard.
- CSRF attacks on the dashboard, if the whitelisted users are known, and
- Brute-force attacks and scanning of non-web ports such as FTP, SSH, SMTP, etc., where requests will not be dropped by the .htaccess whitelist.
What other possible attacks should I consider while working on security? (Including attacks on the client site that is linked to or talks with this dashboard.)
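The rebuild step described in the question, as an added example that is not the poster's script: each database row is validated as an IP address or CIDR range before it is written, so a malformed or tampered row cannot smuggle a directive into the generated file, and the output uses the Apache 2.4 `Require` form (the `Deny`/`Allow` lines above are 2.2 syntax that 2.4 only honours through mod_access_compat). The sample rows are constructed and the output path is an assumption.

```python
import ipaddress
import os
import tempfile

# Constructed sample of what the trusted-IP table might return. The last two
# rows are deliberately bad: one is not an address, the other tries to smuggle
# an extra directive into the generated file.
SAMPLE_ROWS = [
    "203.0.113.7",
    "198.51.100.0/28",
    "2001:db8::1",
    "not-an-ip",
    "10.0.0.1\nRequire all granted",
]

def validate_entries(rows):
    """Split rows into (accepted, rejected); accepted entries are normalised."""
    accepted, rejected = [], []
    for raw in rows:
        try:
            # Only a bare address or CIDR parses; embedded whitespace, newlines
            # or directive text raises ValueError, so it never reaches the file.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        single = net.prefixlen == net.max_prefixlen
        accepted.append(str(net.network_address) if single else str(net))
    return accepted, rejected

def render_htaccess(entries):
    """Apache 2.4 mod_authz_core form of the allowlist: several Require lines
    at the same level act as RequireAny; every other client gets a 403."""
    lines = ["# generated file - do not edit by hand", "Require local"]
    lines += [f"Require ip {entry}" for entry in entries]
    return "\n".join(lines) + "\n"

def write_atomically(path, content):
    """Write to a temp file beside the target and rename it into place, so
    Apache never reads a half-written .htaccess between rebuilds."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htaccess.")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)

if __name__ == "__main__":
    ok, bad = validate_entries(SAMPLE_ROWS)
    print("rejected rows:", bad)
    write_atomically("/var/www/dashboard/.htaccess", render_htaccess(ok))  # assumed path
```

Rejected rows are worth logging and alerting on, since a row that fails to parse means something other than the verification flow wrote to the table.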