Extra protection for Access MDB

WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Points: 9844
Posted: 11 January 2006 at 12:35pm
I think the security alert is probably the best method, particularly as it is really annoying as it keeps popping up all the time continually in the admin area till the database is moved.

I also made it simpler to move with just 1 file needing to be updated and simple instructions to do it that you are taken to if you click 'OK' on the JavaScript alert.

JJLatWebWiz
Groupie

Joined: 02 March 2005
Location: United States
Points: 136
Posted: 11 January 2006 at 4:13pm
-boRg-, I agree that nagging the admin to choose a non-default location and file name is probably the best line of defense.  I wouldn't advocate an extension rename in place of your solution.  But (you knew it was coming), if a hacker discovers the path and file name, a method of preventing the database from being downloaded is a reasonable second line of defense.
 
dpyers, I'm looking forward to your results.  If there's something contained in one of your MDBs that causes a scripting error, perhaps something similar could be added to all our MDBs so that when they're renamed to .asp, a hacker is foiled.  If some servers will attempt to send an unknown extension and not give the 404 error as mine do, your script error may be a better universal solution.
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.

WebWiz-Bruce
Admin Group
Web Wiz Developer

Joined: 03 September 2001
Location: Bournemouth
Points: 9844
Posted: 11 January 2006 at 4:51pm
I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP; this way the database cannot be downloaded.

Most web hosts now give a folder specifically for databases where the database cannot be downloaded from, so hopefully the simple instructions and annoying security alerts will encourage people to secure their database.

Most of the people I find are getting hacked simply don't read the install instructions and therefore don't realise they should secure their database; by forcing it in people's faces it alerts them to this fact and hopefully should mean the majority of people will start to secure their databases in a folder outside of their web root.

Another idea I have, and have started to implement to a small degree in version 8, is to use error handling.

The error handling within the forum could be set up to either just display that an error has occurred, or a detailed error message. With the default error message disabled from the admin area, the hacker wouldn't be able to get the details of the database location, thus giving an extra layer of protection.
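
The error-handling idea in the post above, sketched as an added example; it is not part of the original post and is not Web Wiz Forums code. It assumes the database is opened through ADO with the Jet provider, and the names `blnDetailedErrors`, `strDbPath`, `strLogPath`, `LogDbError` and `OpenForumDb`, as well as the paths, are hypothetical.

```asp
<%
Option Explicit

' Assumed settings (hypothetical names and constructed paths, not Web Wiz Forums' own)
Const blnDetailedErrors = False                        ' keep False on a live site
Const strDbPath = "D:\private\db\forum.mdb"            ' folder outside the web root
Const strLogPath = "D:\private\logs\forum_errors.log"  ' also outside the web root
Dim adoCon

' Write the full error text to a server-side log that cannot be requested over HTTP.
Sub LogDbError(strDetail)
    Dim objFSO, objLog
    On Error Resume Next   ' a logging failure must not raise its own detailed error page
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    Set objLog = objFSO.OpenTextFile(strLogPath, 8, True)   ' 8 = ForAppending
    objLog.WriteLine Now() & " " & Request.ServerVariables("REMOTE_ADDR") & " " & strDetail
    objLog.Close
End Sub

' Open the Access database. On failure the provider's message is never echoed by
' default, because (as the thread notes) it can reveal the MDB path and file name.
Function OpenForumDb()
    Dim lngErr, strErr
    OpenForumDb = False
    Set adoCon = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    adoCon.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDbPath
    lngErr = Err.Number          ' capture before On Error GoTo 0 clears Err
    strErr = Err.Description
    On Error GoTo 0

    If lngErr <> 0 Then
        LogDbError "DB open failed (" & lngErr & "): " & strErr
        If blnDetailedErrors Then
            Response.Write "<p>" & Server.HTMLEncode(strErr) & "</p>"
        Else
            Response.Write "<p>An error has occurred. Please contact the forum administrator.</p>"
        End If
        Exit Function
    End If
    OpenForumDb = True
End Function

If Not OpenForumDb() Then Response.End
%>
```

The same pattern applies to every query run against the connection, not only to opening it: capture `Err`, log the detail server-side, and return the generic message.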

JJLatWebWiz
Groupie

Joined: 02 March 2005
Location: United States
Points: 136
Posted: 11 January 2006 at 6:09pm
Originally posted by -boRg-:

I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP; this way the database cannot be downloaded.
 
Absolutely!  Without a doubt or equivocation, the single best line of defense.

Originally posted by -boRg-:

...the hacker wouldn't be able to get the details of the database location, thus giving an extra layer of protection.
 
BRAVO!  I've been a little reluctant to point out that a hacker could force an ODBC error and thus cause the server to expose the path and filename of the MDB no matter where it is.
 
The combination of nagging admins to put their database in a secure location and preventing path exposure will definitely help make WWF less hackable.

dpyers
Senior Member

Joined: 12 May 2003
Points: 3937
Posted: 13 January 2006 at 1:35am
Originally posted by -boRg-:

I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP; this way the database cannot be downloaded.


That's always the safest way.

Update on testing mdb's with asp extensions on different servers:
Seems to depend upon the db, not upon the server.
Access version doesn't seem to enter into it. Got 2 Access 2003 db's and one downloads and the other executes as asp. If I get a chance this weekend, I'll go after them with a hex editor and see if there's anything resembling a mime type in there.

Lead me not into temptation... I know the short cut, follow me.