Web Wiz Support and Community Forums : Extra protection for Access MDB https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Mon, 13 Apr 2026 19:58:19 +0000 Fri, 13 Jan 2006 01:35:42 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=17763 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[Extra protection for Access MDB : -boRg- wrote:I still think...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post97053.html#97053 Author: dpyers
Subject: 17763
Posted: 13 January 2006 at 1:35am

Originally posted by -boRg- -boRg- wrote:

I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP, this way the database can not be downloaded.


That's always the safest way.

Update on testing mdb's with asp extensions on different servers"
Seems to depend upon the db, not upon the server.
Access version doesn't seem to enter into it. Got 2 Access 2003 db's and one downloads and the other executes as asp. If I get a chance this weekend, I'll go after them with a hex editor and see if there's anything resembling a mime type in there.
]]> Fri, 13 Jan 2006 01:35:42 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post97053.html#97053 <![CDATA[Extra protection for Access MDB : -boRg- wrote:I still think...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96883.html#96883 Author: JJLatWebWiz
Subject: 17763
Posted: 11 January 2006 at 6:09pm

Originally posted by -boRg- -boRg- wrote:

I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP, this way the database can not be downloaded.
 
Absolutely!  Without a doubt or equivocation, the single best line of defense.

Originally posted by -boRg- -boRg- wrote:

...the hacker wouldn't be able to get the details of the database location, thus giving an extra layer of protection.
 
BRAVO!  I've been a little reluctant to point out that a hacker could force an ODBC error and thus cause the server to expose the path and filename of the MDB no matter where it is.
 
The combination of nagging admins to put their database in a secure location and preventing path exposure will definitely help make WWF less hackable.  Thumbs Up
]]> Wed, 11 Jan 2006 18:09:01 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96883.html#96883 <![CDATA[Extra protection for Access MDB : I still think the best line of...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96866.html#96866 Author: WebWiz-Bruce
Subject: 17763
Posted: 11 January 2006 at 4:51pm

I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP, this way the database can not be downloaded.

Most web hosts now give a folder specifically for databases where the database can not be downloaded from, so hopefully the simple instructions, and annoying security alerts will encourage people to secure their database.

Most of the people I find are getting hacked simply don't read the install instructions and therefore don't realise they should secure their database, by forcing it in peoples faces it alerts them to this fact and hopefully should mean the majority of people will start to secure their databases in a folder out side of their web root.

Another idea I have, and have started to implement to a small degree in version 8, is to use error handling.

The error handling within the forum could be setup to either just display an error has occurred, or a detailed error message, with the default error message disabled from the admin area the hacker wouldn't be able to get the details of the database location, thus giving an extra layer of protection.
]]> Wed, 11 Jan 2006 16:51:59 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96866.html#96866 <![CDATA[Extra protection for Access MDB : -boRg-, I agree that nagging the...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96857.html#96857 Author: JJLatWebWiz
Subject: 17763
Posted: 11 January 2006 at 4:13pm

-boRg-, I agree that nagging the admin to choose a non-default location and file name is probably the best line of defense.  I wouldn't advocate an extension rename in place of your solution.  But (you knew it was coming), if a hacker discovers the path and file name, a method of preventing the database from being downloaded is a reasonable second line of defense.
 
dpyers, I'm looking forward to your results.  If there's something contained in one of your MDBs that causes a scripting error, perhaps something similar could be added to all our MDBs so that when they're renamed to .asp, a hacker is foiled.  If some servers will attempt to send an unknown extension and not give the 404 error as mine do, your script error may be a better universal solution.
]]> Wed, 11 Jan 2006 16:13:34 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96857.html#96857 <![CDATA[Extra protection for Access MDB : I think the security alert is...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96816.html#96816 Author: WebWiz-Bruce
Subject: 17763
Posted: 11 January 2006 at 12:35pm

I think the security alert is probably the best method, particularly as it is really annoying as it keeps popping up all the time continually in the admin area till the database is moved.

I also made it simpler to move with just 1 file needing to be updated and simple instructions to do it that you are taken to if you click 'OK' on the javascript alert.
]]> Wed, 11 Jan 2006 12:35:36 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96816.html#96816 <![CDATA[Extra protection for Access MDB : I just tried it with a .mdb renamed...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96780.html#96780 Author: dpyers
Subject: 17763
Posted: 10 January 2006 at 9:43pm

I just tried it with a .mdb renamed to .asp. First server I tried it on convinced be you were full of the stuff that makes the grass grow green as I cot an immediate script error.

Unfortunately, I tried it on another server with a different .mdb file to .asp and it downloaded the file and opened it as text. S I figure maybe I am full of that stuff.

Tonight I'll switched the files between the two servers and try again to see if it's caused by the file or by the server.
]]> Tue, 10 Jan 2006 21:43:25 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96780.html#96780 <![CDATA[Extra protection for Access MDB : dpyers - What kind of script extension...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96685.html#96685 Author: JJLatWebWiz
Subject: 17763
Posted: 09 January 2006 at 6:53pm

dpyers - What kind of script extension are you talking about?  When I changed my wwForum to .asp, I got the full file sent to me and I was easily able to pick out all the raw data from the stream.  The data was mangled enough that Access would not open it when saved to my PC, but it's probably repairable.  But even without repair, the data is intact.  My test involved a smallish 900K test file, so maybe the server would timeout with a larger file.  And maybe your test file circumstantially has code that causes the error.  Perhaps you could test it with an empty wwForum as supplied with the WWF setup.
 
In any case, if either technique works, it's better than leaving the MDB in the default folder with the MDB extension.  IMO, a 404 error is a better result since the hacker may assume that the file does not actually exist.  Some other result may be less secure since it's possible that even a script error could be leaking data.
 
Does anyone know of file permissions that would allow file access only by ODBC via a script but not by the http server directly?  Or is that too close to Nirvana?
]]> Mon, 09 Jan 2006 18:53:26 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96685.html#96685 <![CDATA[Extra protection for Access MDB : A lot of webservers will default...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96507.html#96507 Author: dpyers
Subject: 17763
Posted: 07 January 2006 at 12:39am

A lot of webservers will default to delivering text if the mime type/extension is unknown to them. Using a script extension will cause the server to try to execute the file as a script - which will then error out - the entire file is not delivered to the browser, just the script error.]]> Sat, 07 Jan 2006 00:39:47 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96507.html#96507 <![CDATA[Extra protection for Access MDB : Why dont you just by default not...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96501.html#96501 Author: MadDog
Subject: 17763
Posted: 06 January 2006 at 9:03pm

Why dont you just by default not setup the connections file?

I can see how this would lead to a lot more forum posts, but on the other hand you wont get a bad rep from all the noobs not changing the database path and getting hacked.]]> Fri, 06 Jan 2006 21:03:19 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96501.html#96501 <![CDATA[Extra protection for Access MDB : At the moment it only gives a...]]> https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96492.html#96492 Author: WebWiz-Bruce
Subject: 17763
Posted: 06 January 2006 at 6:30pm

At the moment it only gives a warning for the database, and errorhandling for email porblems, database connection problems, and databaseupdate errors.

Checking the server permissions would be slightly harder, but checking for weak passwords is also a good idea.
]]> Fri, 06 Jan 2006 18:30:44 +0000 https://forums.webwiz.net/extra-protection-for-access-mdb_topic17763_post96492.html#96492