JJLatWebWiz
Groupie
Joined: 02 March 2005
Location: United States
Status: Offline
Points: 136
Topic: Extra protection for Access MDB
Posted: 05 January 2006 at 4:41pm
I think I found a pretty good technique to protect the MDB file used in the Access version of WWF (or any web app using Access). Rename the file extension to something that the server doesn't know how to handle, and the server sends a 404 error, making it apparently hidden.
We've all read it, right? It doesn't make any suggestions for a file name or mention a new extension. Some discussions on this forum have suggested changing the extension to something like ".asp" so the server will attempt to process the file as if it were a script. But a known file extension could cause recognizable data to be sent to the client. Also, the server will send the entire file, using bandwidth and processing time. BUT, if you name the file something like ".wwf", the server doesn't know what to do with that extension and immediately sends a 404 File Not Found error message.
I got the idea when I was trying to add kmz files to my site so users could download my Google Earth placemarks. When people would try to download such a file, the server would send a 404. I had my host add the file extension and MIME type, so kmz works.
There may be some way around it, but many users have no ability to put a database in a folder above the web root, so an unaccounted-for extension might be a simple bit of extra protection for the MDB. Of course, the common.asp files have to be modified to match the new filename.
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
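The claim in the post (rename the extension and the server answers 404) is easy to verify on each host rather than assume. The script below is an added example, not code from the post or from Web Wiz Forums: it builds the candidate URLs for a forum database, fetches each one and classifies the answer by status code and by whether the body carries the Jet database header that every .mdb starts with at byte offset 4. The database name wwForum, the extension list and the base URL in the usage line are assumptions for illustration.

```python
"""Probe a site for an exposed Access database under candidate names.

Added example; not part of the forum post or of Web Wiz Forums.  Network
access happens only when run as a script; the functions are pure so they
can be exercised offline.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumed defaults: the forum database name and the extensions the thread
# discusses (.mdb as shipped, .asp renamed, .wwf unknown, no extension).
DEFAULT_NAMES = ["wwForum"]
DEFAULT_EXTENSIONS = [".mdb", ".asp", ".wwf", ""]

JET_SIGNATURE = b"Standard Jet DB"  # Jet 3/4 .mdb header, found at offset 4

# Verdicts ordered from best to worst, used to pick the exit code.
SEVERITY = ["hidden", "blocked", "other", "partial", "leaked"]


def candidate_urls(base, names=DEFAULT_NAMES, extensions=DEFAULT_EXTENSIONS):
    """Return every base + name + extension combination to try.

    base must end with '/' or urljoin will replace its last path segment.
    """
    return [urljoin(base, name + ext) for name in names for ext in extensions]


def classify(status, body):
    """Map an HTTP status and body to an exposure verdict.

    hidden  : 404, the server treats the file as non-existent
    blocked : 401/403, present but refused
    leaked  : 200 and the Jet header is present, the whole file is served
    partial : 200 without the header (for example a script error page);
              the body may still hold fragments, so it is reported
    other   : redirects, 5xx, anything else
    """
    if status == 404:
        return "hidden"
    if status in (401, 403):
        return "blocked"
    if status == 200:
        return "leaked" if JET_SIGNATURE in body[:64] else "partial"
    return "other"


def probe(url, timeout=10):
    """GET url and return (status, body); only the first 64 KiB are read."""
    req = urllib.request.Request(url, headers={"User-Agent": "mdb-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536)


def main(argv):
    if len(argv) != 2:
        print("usage: mdb_probe.py https://example.test/forum/database/")
        return 2
    worst = 0
    for url in candidate_urls(argv[1]):
        status, body = probe(url)
        verdict = classify(status, body)
        print(f"{status:>3} {verdict:<8} {url}")
        worst = max(worst, SEVERITY.index(verdict))
    # Non-zero exit when anything came back with a 200, so it can gate a deploy.
    return 1 if worst >= SEVERITY.index("partial") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A 404 on every candidate is the result the post is after; a "partial" verdict on the .asp candidate is the script-error case discussed later in the thread and still deserves a look at the body, because the classifier only proves the file was not sent whole, not that nothing leaked.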
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 06 January 2006 at 11:58am
Good idea, but a lot of web servers will still send the file to the browser, which will ask the user to download the file.
What I have decided to do for the next version, just like in the new Web Wiz Guestbook v8, is that if the database is not moved or renamed, every time you go to the admin menu, in the admin area, a rather annoying pop-up will appear with the following message:
SECURITY ALERT!!
Your Forums's Access database has not been secured.
Click 'OK' to view information on how to secure your Forums's Access database.
http://www.webwiz.net/web_wiz_forums/kb_access_move_db_forum.asp
As well as this I've also changed the way the forum files are structured, so now there is only one file that needs to be changed for the database configuration.
JJLatWebWiz
Groupie
Joined: 02 March 2005
Location: United States
Status: Offline
Points: 136
Posted: 06 January 2006 at 6:14pm
I guess some servers will attempt to serve the request, but it also seems to be fairly common that unknown extensions cause a 404, which should be very safe. I've confirmed the 404 error with unknown extensions at 3 different hosting companies that I use. It also worked (caused a 404, but the forum still runs) with no extension at all.
I really like the idea of warning the admin of potential insecurities. Perhaps you will consider adding other security checks. For example: evaluate the read/write permissions on the forum folders, check if the default setup files (like msSQL_server_setup.asp) still exist, and check for a default or weak admin password.
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
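The checks suggested above can also be scripted outside the forum, against a copy of the install. The Python below is an added example (my code, not Web Wiz's): it walks a web root for Access databases, recognising them by the Jet/ACE signature at byte offset 4 rather than by extension so that a renamed .wwf copy is still found, flags leftover setup scripts, and scores an admin password against a small denylist. The setup file name msSQL_server_setup.asp comes from the post; the other file names, the denylist and the throwaway directory are assumptions built for the demonstration. Folder permissions are deliberately left out: on IIS those are NTFS ACLs, which os.stat does not report.

```python
"""Installation self-check for a forum that ships with an Access database.

Added example, not Web Wiz code.  Everything it looks for is named below;
the sample tree is constructed on the fly so the check runs offline.
"""
import os
import tempfile

DB_EXTENSIONS = {".mdb", ".accdb"}
JET_HEADERS = (b"Standard Jet DB", b"Standard ACE DB")  # .mdb / .accdb, at offset 4
# Hypothetical list of setup scripts that should be deleted after install;
# the first name is the one mentioned in the thread, the others are assumed.
SETUP_FILES = {"msSQL_server_setup.asp", "mySQL_server_setup.asp", "install.asp"}
# Tiny denylist for illustration; a real check would use a proper wordlist.
COMMON_PASSWORDS = {"password", "admin", "letmein", "123456", "forum"}


def is_access_db(path):
    """Content sniff: a renamed database still carries its signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(20)
    except OSError:
        return False
    return any(head[4:].startswith(sig) for sig in JET_HEADERS)


def audit_webroot(root):
    """Return (severity, path, message) findings for everything under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in DB_EXTENSIONS or is_access_db(path):
                findings.append(("high", path,
                                 f"Access database inside the web root (extension '{ext}'); move it above the root"))
            if name in SETUP_FILES:
                findings.append(("medium", path, "setup script still present; delete it"))
    return findings


def password_findings(password, username="admin"):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in the common-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the user name")
    classes = sum(1 for check in (str.isupper, str.islower, str.isdigit)
                  if any(check(c) for c in password))
    if classes < 2:
        reasons.append("uses a single character class")
    return reasons


def build_sample_tree():
    """Create a throwaway web root (constructed for the demo) and return its path."""
    root = tempfile.mkdtemp(prefix="wwf_")
    os.makedirs(os.path.join(root, "database"))
    jet = b"\x00\x01\x00\x00" + JET_HEADERS[0] + b"\x00"
    contents = {
        "database/wwForum.mdb": jet,          # shipped name and extension
        "database/wwForum.wwf": jet,          # renamed as the thread suggests
        "msSQL_server_setup.asp": b"<% %>",   # setup script left behind
        "default.asp": b"<% %>",              # ordinary page, should not be flagged
    }
    for rel, data in contents.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for severity, path, message in audit_webroot(build_sample_tree()):
        print(f"[{severity}] {path}: {message}")
    for candidate in ("forum", "admin123", "Tr0ub4dor&3x"):
        print(candidate, "->", password_findings(candidate) or "ok")
```

Run against a real install, point audit_webroot at the site's root rather than the sample tree; the content sniff is what catches the renamed copy that an extension filter would miss.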
WebWiz-Bruce
Admin Group
Web Wiz Developer
Joined: 03 September 2001
Location: Bournemouth
Status: Offline
Points: 9844
Posted: 06 January 2006 at 6:30pm
At the moment it only gives a warning for the database, and error handling for email problems, database connection problems, and database update errors.
Checking the server permissions would be slightly harder, but checking for weak passwords is also a good idea.
MadDog
Mod Builder Group
Joined: 01 January 2002
Status: Offline
Points: 3008
Posted: 06 January 2006 at 9:03pm
Why don't you just, by default, not set up the connections file?
I can see how this would lead to a lot more forum posts, but on the other hand you won't get a bad rep from all the noobs not changing the database path and getting hacked.
dpyers
Senior Member
Joined: 12 May 2003
Status: Offline
Points: 3937
Posted: 07 January 2006 at 12:39am
A lot of webservers will default to delivering text if the mime type/extension is unknown to them. Using a script extension will cause the server to try to execute the file as a script - which will then error out - the entire file is not delivered to the browser, just the script error.
Lead me not into temptation... I know the short cut, follow me.
JJLatWebWiz
Groupie
Joined: 02 March 2005
Location: United States
Status: Offline
Points: 136
Posted: 09 January 2006 at 6:53pm
dpyers - What kind of script extension are you talking about? When I changed my wwForum to .asp, I got the full file sent to me and I was easily able to pick out all the raw data from the stream. The data was mangled enough that Access would not open it when saved to my PC, but it's probably repairable. But even without repair, the data is intact. My test involved a smallish 900K test file, so maybe the server would timeout with a larger file. And maybe your test file circumstantially has code that causes the error. Perhaps you could test it with an empty wwForum as supplied with the WWF setup.
In any case, if either technique works, it's better than leaving the MDB in the default folder with the MDB extension. IMO, a 404 error is a better result since the hacker may assume that the file does not actually exist. Some other result may be less secure since it's possible that even a script error could be leaking data.
Does anyone know of file permissions that would allow file access only by ODBC via a script but not by the http server directly? Or is that too close to Nirvana?
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
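JJL's account of picking readable rows out of a .mdb served as text, and dpyers's point that a script error page is not the whole file, come down to the same question: what does the body you got back actually contain? The helper below is an added example, not code from the thread or from Web Wiz. It pulls printable ASCII runs and UTF-16LE runs (the encoding Jet uses for most text, so a plain strings pass misses them) out of a captured body, flags the Jet/ACE header, and flags the classic ASP error text by a simple substring heuristic. The sample body is constructed in the code and is not taken from any real database.

```python
"""Report what a captured response body from a (renamed) Access file leaks.

Added example; not code from the forum thread or from Web Wiz.
"""
import re

JET_HEADERS = (b"Standard Jet DB", b"Standard ACE DB")  # .mdb / .accdb, at offset 4


def printable_strings(body, min_len=4):
    """Return printable runs of at least min_len characters, like strings(1).

    Jet stores most text as UTF-16LE, so a second pass collapses runs of
    'char, NUL, char, NUL, ...' that the plain ASCII pass cannot see.
    """
    ascii_runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, body)
    utf16_runs = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, body)
    found = [m.group().decode("ascii") for m in ascii_runs]
    found += [m.group().decode("utf-16-le") for m in utf16_runs]
    return found


def leak_report(body):
    """Summarise a body: raw database, ASP error page, or something else?"""
    lowered = body.lower()
    return {
        "bytes": len(body),
        # Only a raw dump (a server that sent the file as-is) carries the header.
        "jet_header": any(sig in body[:64] for sig in JET_HEADERS),
        # Heuristic: classic ASP errors read "Microsoft VBScript ... error '800aXXXX'".
        "asp_error": b"vbscript" in lowered and b"error" in lowered,
        # Whatever survives as readable text, whichever of the above applies.
        "strings": printable_strings(body),
    }


# Constructed sample: a Jet header, a system table name, and two UTF-16 values
# of the kind a forum's user table would hold.  Not taken from any real file.
SAMPLE_BODY = (
    b"\x00\x01\x00\x00" + JET_HEADERS[0] + b"\x00" * 13
    + b"MSysObjects" + b"\x00\x00"
    + "admin".encode("utf-16-le") + b"\x00\x00"
    + "someone@example.test".encode("utf-16-le") + b"\x00\x00"
)


def demo(body=SAMPLE_BODY):
    """Print the report for a body and return it."""
    report = leak_report(body)
    for key in ("bytes", "jet_header", "asp_error"):
        print(f"{key}: {report[key]}")
    for text in report["strings"]:
        print("  ", text)
    return report


if __name__ == "__main__":
    demo()
```

Feed it the body saved from a real probe (for example the .asp candidate that returned 200): a report with jet_header set is the "whole file came down" case; one with asp_error set and a short strings list is the script-error case, and anything in that list beyond the error text itself is data that the error page still carried.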
dpyers
Senior Member
Joined: 12 May 2003
Status: Offline
Points: 3937
Posted: 10 January 2006 at 9:43pm
I just tried it with a .mdb renamed to .asp. The first server I tried it on convinced me you were full of the stuff that makes the grass grow green, as I got an immediate script error.
Unfortunately, I tried it on another server with a different .mdb renamed to .asp and it downloaded the file and opened it as text. So I figure maybe I am full of that stuff.
Tonight I'll switch the files between the two servers and try again to see if it's caused by the file or by the server.
Lead me not into temptation... I know the short cut, follow me.