WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 11 December 2007 at 11:12am |
|
With Access you can often get away with changing the .mdb extension to .asp.
The Access database would still work when connected to by the JET database driver used by Web Wiz Forums; however, because .asp files get parsed by the ASP.DLL by the web server, if a hacker tried to download the file they would just see an error message thrown by the web server and couldn't actually download the database.
|
|
|
 |
efscl
Newbie
Joined: 13 May 2007
Status: Offline
Points: 37
|
Posted: 13 December 2007 at 1:39pm |
|
A quick note on parent paths.
I am not sure, but I often read that allowing "Enable parent paths" on IIS is a security hole. When you do the "security check" with the Baseline Security Analyzer, this comes up too.
Borg and audience: your opinions on that?
|
 |
jamie.townsend
Groupie
Joined: 07 December 2007
Location: England
Status: Offline
Points: 114
|
Posted: 13 December 2007 at 2:44pm |
You're right that parent paths are best disabled. (Note that parent paths are enabled by default.) Parent paths refers to the ability to use a double period (i.e., ..) in the pathname to refer to a folder above the current folder so that you can move up the folder tree without knowing the folder name or where you are in the hierarchy.
The security risk of parent paths is that intruders can upload and run a script to move up the folder tree. When the script reaches the root, it can move down from there into known folders that might have elevated privileges (e.g., C:\wwwroot\inetpub\scripts, which has Everyone Full Control permission by default, or C:\winnt\system32).
|
 |
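The ".." resolution described in the post above, with a containment check a defender can apply before opening a path; this is an added example, not part of the thread or of Web Wiz Forums. The base folder name `forum` and the function name are hypothetical, and `ntpath` is used so that Windows path rules apply on any OS.

```python
import ntpath  # Windows path rules; runs on any OS


def resolve_inside(base_dir, relative):
    """Resolve `relative` under `base_dir`; return None if it escapes."""
    if ntpath.splitdrive(relative)[0]:
        return None  # drive-qualified input is never relative to base_dir
    base = ntpath.normpath(base_dir)
    # normpath collapses every ".." the way the file system lookup would.
    target = ntpath.normpath(ntpath.join(base, relative))
    base_key, target_key = ntpath.normcase(base), ntpath.normcase(target)
    try:
        # Compare whole path components, not string prefixes, so that
        # a sibling "forum2" is not mistaken for something inside "forum".
        inside = ntpath.commonpath([base_key, target_key]) == base_key
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    return target if inside else None


if __name__ == "__main__":
    # Constructed inputs; the base folder name "forum" is hypothetical.
    base = r"C:\Inetpub\wwwroot\forum"
    for rel in (r"db\forum.asp", r"..\..\..\winnt\system32", r"..\forum2\x.asp"):
        print(f"{rel!r:32} -> {resolve_inside(base, rel)}")
```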
GrlGeek
Newbie
Joined: 10 December 2007
Status: Offline
Points: 7
|
Posted: 13 December 2007 at 4:00pm |
|
So, should I opt for the physical path, is that more secure? And then I'd just need to have the permissions adjusted? I have a conference call with the hosting company today.
|
 |
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
|
Posted: 13 December 2007 at 4:24pm |
|
You don't need to have parent paths enabled to use Web Wiz Forums.
If you wish to place the Access database in the root folder, then the physical path would be better.
However, Access can only handle a handful of users. I would suggest that you look at using either the MySQL version or, better still, the SQL Server version, as these can handle many 1000s of simultaneous connections.
|
|
|
 |
Jono
Mod Builder Group
Joined: 18 September 2006
Location: United Kingdom
Status: Offline
Points: 100
|
Posted: 13 December 2007 at 5:52pm |
I would recommend using the physical path. You can use Request.ServerVariables("APPL_PHYSICAL_PATH") to find out what the physical path is (default install gives C:\Inetpub\wwwroot\). Then create a random folder name and put your Access database in there with a random file name and an .asp extension.
As boRg says, some form of SQL server is the way forward. It may be worth considering Web Wiz to host your forum (http://www.webwiz.net/), if you have any difficulty with your current provider.
|
 |
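A way to check the advice in the posts above (rename the database to .asp, give it a random name in a random folder): the audit below finds Access databases under a web root by their file header, so a renamed file is still found, and reports which ones keep an extension that can be fetched as a plain file. It is an added example, not code from the thread or from Web Wiz Forums; the function names, status labels and the list of downloadable extensions are assumptions, and whether a given server really serves .mdb depends on its configuration.

```python
import os

# Jet (.mdb) and ACE (.accdb) files carry this text at byte offset 4,
# whatever the file has been renamed to.
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
# Assumption: these extensions are served as plain downloads when requested.
STATIC_EXTENSIONS = {".mdb", ".accdb"}


def is_access_database(path):
    """Identify an Access database by its header, not by its name."""
    with open(path, "rb") as fh:
        header = fh.read(32)
    return any(header[4:4 + len(sig)] == sig for sig in SIGNATURES)


def audit_web_root(web_root):
    """Return sorted (relative path, status) for every database found."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                if not is_access_database(full):
                    continue
            except OSError:
                continue  # unreadable file: nothing to classify
            ext = os.path.splitext(name)[1].lower()
            if ext in STATIC_EXTENSIONS:
                status = "DOWNLOADABLE"   # requesting the URL returns the file
            elif ext == ".asp":
                status = "script-mapped"  # request goes to the ASP engine
            else:
                status = "REVIEW"         # depends on how the server maps it
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            findings.append((rel, status))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    jet = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 12  # constructed header
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "k3x9q"))  # hypothetical random folder
        for rel in ("forum.mdb", "k3x9q/p7w2.asp"):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(jet)
        print(audit_web_root(root))
```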
GrlGeek
Newbie
Joined: 10 December 2007
Status: Offline
Points: 7
|
Posted: 13 December 2007 at 6:52pm |
|
Thanks, y'all. I was able to get the physical path, but I was unable to adjust the permissions on the directory to allow access. GoDaddy uses something called Plesk for the admin interface, and I could see the options I needed, but they were greyed out, even though I was logged in as the server admin. Unfortunately, Web Wiz is not the only added software package I need to run, and the shopping cart has the same issues. The client is switching to a hosting account which will include assistance from the hosting company to get things set up on the virtual dedicated server, so once they get the new server configured I should be able to use the information you've been so kind to share to get things up and running.
SQL is definitely on the agenda (at least it's on MY agenda), but we will probably wait to see if the traffic warrants a switch. The forum has a fairly narrow audience, military veterans seeking civilian career skills assistance, so it may be a while before we have to worry about volume. Of course the client hopes it will be enormous, so I may be back for the SQL version yet.
Thanks again for all the help!
|
 |
GrlGeek
Newbie
Joined: 10 December 2007
Status: Offline
Points: 7
|
Posted: 14 December 2007 at 4:58am |
|
Is that the regular hosted accounts or a dedicated server? We're getting a dedicated (virtual) server; do you know what about the servers is incompatible with Web Wiz? The forum was actually "running" earlier today, in that it would display, but the permissions were not set correctly to allow me to log in, which required a write, I believe. I'd post a link but the server has already been taken down in preparation for moving to the new "assisted" account. I told the tech support during the conference call what I was trying to install; he never mentioned not being able to run it. This server is supposed to be customized to our specifications; it's not one of the vanilla hosted accounts. I hope I can give you some good news in a few days; they did say it might take up to 36 hours to complete the configuration.
|
 |