How to prevent your forum being hacked
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=17689
Printed Date: 29 March 2026 at 2:48am Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: How to prevent your forum being hacked
Posted By: WebWiz-Bruce
Subject: How to prevent your forum being hacked
Date Posted: 31 December 2005 at 12:18pm
Web Wiz Forums is one of the most secure forum packages around, and
this can be seen by the very few vulnerabilities that have been found in
the software and the 24 hour patch turnaround for any that are found
(this is why a lot of large hacking sites use Web Wiz Forums).
However, your forum is only as safe as you make it, and often people
don't follow the install instructions on securing their forum, then
blame it on the software when their forum is hacked.
The Turkish hacker is just one hacker who constantly hacks unsecured Web Wiz Forums installations on a daily basis.
Like all hackers he is using a number of exploits to get in and delete
or deface forums, on sites that have insecurely set up servers, are running
old versions or incorrectly patched Web Wiz Forums, or have simply
not followed the install instructions to secure their forum's Access
database.
Please read the following on how forums and web sites are hacked and ways to prevent it:-
1. Hackers download Access databases and get details to use so they can log in as the forum admin; from that they can not only mess up your forum, but your entire web site!! Make sure you place the database outside of your web site's root folder, where it can otherwise be downloaded; see
http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp
2. Hackers look for older versions of Web Wiz Forums, or ones that have
not been updated correctly, and then use old, mainly XSS, hacks to deface forums. To
prevent this make sure you are running the latest version.
3. Hackers also look for holes in the server's own security, on sites
that have not set up permissions securely and have Write and Modify permissions
enabled on public files and folders. This allows a hacker who has compromised the admin account of your forum to upload
his/her own files to the server to deface or hack entire sites. Permissions
need to be set by your web host; contact them to set up secure
permissions for your site (disable Write and Modify permissions).
4. Do not enable upload features in the forum. For uploading to work
you need to make your server insecure by enabling write permissions on
the upload directory; these can be used by a hacker to hack your site (as in point 3).
------------- Web Wiz Forums Hosting (https://www.webwiz.net/web-wiz-forums/forum-hosting.htm) - ASP.NET Web Hosting (https://www.webwiz.net/web-hosting/windows-web-hosting.htm)
Replies:
Posted By: dfrancis
Date Posted: 31 December 2005 at 4:43pm
BoRg, can you explain number 3? (Privately if you think better.) I'm not familiar with this exploit.
Posted By: Amateur
Date Posted: 01 January 2006 at 2:36am
Cheers BoRg, thanks for the pointers.
Now people, wake up and obey them and don't be complaining in time when you have been hacked.
Posted By: megetron
Date Posted: 01 January 2006 at 9:22am
I didn't know that option 4 is unsecured..
good to know. thanks.
Posted By: megetron
Date Posted: 01 January 2006 at 9:25am
Just one question about 1...
How can they know what the file name is if you have changed it? Hackers can only guess.. am I right?
Posted By: Lynford
Date Posted: 01 January 2006 at 7:40pm
Amateur wrote:
"Cheers BoRg, thanks for the pointers.
Now people, wake up and obey them and don't be complaining in time when you have been hacked."
I left it and left it (cos I couldn't understand what to do) and surprisingly enough - I got done.
I'm not very experienced but it really is pretty easy to do once you concentrate.
Posted By: WebWiz-Bruce
Date Posted: 03 January 2006 at 2:01pm
dfrancis wrote:
"BoRg, can you explain number 3? (Privately if you think better.) I'm not familiar with this exploit."
Yes, it's quite easy: you should always secure your server by disabling Write and Modify permissions on public folders.
If you don't, any hacker armed with simple hacking tools is able to
place files onto the server through HTTP and deface web sites. This is
how web sites are usually defaced.
I was taught how to do this as the security part of a network unit at
University, and it is so simple that 12 year old hackers often just download
simple tools to do this. This is why most sites are hacked around the
school holidays.
I haven't used it for a long time, but as far as I remember the IIS
Lockdown Tool from MS disables Write and Modify permissions for public
folders (I could be wrong about this tool).
For this site the only permission I allow the IUSR account on public folders is Read.
Posted By: WebWiz-Bruce
Date Posted: 03 January 2006 at 2:04pm
megetron wrote:
"Just one question about 1...
How can they know what the file name is if you have changed it? Hackers can only guess.. am I right?"
Another simple thing to do: if your server is set up to send detailed
ASP debugging errors to the client (most are), then it is quite simple
to cause an ASP error that can give details of the database name and
location.
This is why all Access databases need to be placed in secure folders.
Posted By: Praveen
Date Posted: 04 January 2006 at 2:28am
Hi
I am Praveen. I have hosted Web Wiz Forums on Websamba, and I have some problems:
» The name of the forum is displaying as "~~WWW.MusicOnline.TO ~~Where Music ends ~~"
» The Title Image has gone back to the default WWF one (but I changed it to my own and placed it in the same folder)
» The forum images have collapsed.
What is the problem and what should I do?
Posted By: MadDog
Date Posted: 04 January 2006 at 2:46am
You're on a free web server. You need to download and install the Lite version of the forum.
------------- http://www.iportalx.net
Posted By: wistex
Date Posted: 15 January 2006 at 1:22am
megetron wrote:
"I didn't know that option 4 is unsecured..
good to know. thanks."
Allowing people to upload is always risky.
------------- WisTex Solutions (http://www.wistex.com) - CaribbeanChoice Forums (http://www.caribbeanchoice.com/forums)
Posted By: ahmed4chat
Date Posted: 16 January 2006 at 10:44am
Thanks borg for the instructions, it will help new webmasters.
Posted By: wistex
Date Posted: 01 February 2006 at 7:12am
When version 8.0 comes out, all MS Access users should probably switch to MySQL if they are able to. MySQL is free and is more secure and robust. And many Windows Web Hosts are now offering MySQL databases with their web host accounts.
I think most people use the MS Access version because MS SQL costs money, but since MySQL is free and runs on Windows, typically there will be no reason to use MS Access anymore. (The possible exception being people who are using sucky free hosting accounts.)
People switching to MySQL from MS Access would eliminate a lot of the security issues right there (as far as user set-up errors are concerned).
Posted By: Buddy
Date Posted: 06 February 2006 at 12:13pm
My forum was hacked and someone locked the forum. Anyone know how I can unlock it?
Buddy
Posted By: WebWiz-Bruce
Date Posted: 06 February 2006 at 12:31pm
1. Make sure you are running the latest version and if you are running Access you have secured your database so it doesn't happen again.
2. To unlock the forum, log directly into the admin area, by pointing your browser at the 'admin' folder.
Posted By: Buddy
Date Posted: 06 February 2006 at 12:39pm
I am not sure what the link directly to my admin folder is. Can you PM or post an example?
Posted By: WebWiz-Bruce
Date Posted: 06 February 2006 at 1:07pm
Navigate your web browser to the folder within the forum folder called 'admin' eg:-
www.mysite.com/forum/admin
Posted By: b_w_t
Date Posted: 16 February 2006 at 12:14am
Now I see why I suddenly got an unknown Turkish member with an invalid e-mail address and weird entries from his IP in the logfiles.
Glad that I followed the security pointers.
Blocked his IP.
Posted By: frufru
Date Posted: 23 February 2006 at 8:16pm
For number 3, if I have Modify permission disabled for the forum's folder, it will give an "error writing to database" error...
Oh, and is it OK to have the database named as some really long name like ijrovosodofigosdjfoig8q4nq9j32333rq.mdb, keeping it in the "database" folder, and using a default.asp file in there to cover up file listings for the folder?
Oh, and how come my registration date says "October 2003" when I only installed the forum 2 days ago?
Posted By: WebWiz-Bruce
Date Posted: 24 February 2006 at 8:55am
Number 3 is to disable Write and Modify permissions on public folders in your site, not the database folder, which, if you had followed point 1, will not be in a public folder on your web site.
Renaming the database is a good idea, but if you leave it in a public folder a hacker can still get hold of it, as a hacker could cause a server crash that would display the name and location of the database within the server error.
"October 2003" is when the Access database was created.
Posted By: jeffdaro
Date Posted: 01 March 2006 at 2:54pm
dfrancis wrote:
"BoRg, can you explain number 3? (Privately if you think better.) I'm not familiar with this exploit."
I can provide a non-WWF anecdotal example.
Some friends and I sat down one night to come up with a stupid Internet idea, and after 2 nights www.human8ball.com was born. We added a place where people could upload their own images, and in the first phase we didn't secure this very well; must have been the beer coding.
Since the upload folder needed write privs, someone was tricky enough to upload an ASP instead of a JPG, and then they were able to run it. Luckily for us there was no damage done, and we caught the hole and patched it. But this is an example of how simply allowing an unchecked upload can give someone access to your server.
BTW, I think everyone should upload a cool answer picture to my human8ball.com web site, ASAP. LOL.
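The risk jeffdaro describes (a script file accepted where only a picture was expected) is one a forum owner can at least watch for. Below is an added example written for this page, not code from the thread or from Web Wiz Forums: a PowerShell script that scans the upload folder, the one folder the anonymous account may write to, and lists any file that is not a recognisable image. The folder path in its param block is an assumption.

```powershell
<#
  Added example, not from the thread or from Web Wiz Forums. Scans the one
  folder the anonymous account may write to (the upload folder) and reports
  every file that is not a genuine image: an extension outside the allow-list,
  or a file whose leading bytes do not match its extension.
  The folder path is an assumption; change it to match your site. Needs PowerShell 3+.
#>
param(
    [string]$UploadFolder = 'C:\inetpub\wwwroot\forum\uploads'
)

# Extension -> leading bytes every image of that type starts with
# (the standard JPEG, PNG and GIF file headers).
$signatures = @{
    '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
    '.jpeg' = [byte[]](0xFF, 0xD8, 0xFF)
    '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
    '.gif'  = [byte[]](0x47, 0x49, 0x46, 0x38)
}

function Test-UploadedFile([System.IO.FileInfo]$File) {
    # Returns $null for a file that looks like a real image, otherwise the
    # reason it should be looked at.
    $ext = $File.Extension.ToLowerInvariant()
    if (-not $signatures.ContainsKey($ext)) {
        return "extension '$ext' is not an allowed image type"
    }
    $expected = $signatures[$ext]
    $buffer   = New-Object byte[] ($expected.Length)
    $stream   = $File.OpenRead()
    try     { $read = $stream.Read($buffer, 0, $buffer.Length) }
    finally { $stream.Close() }
    if ($read -lt $expected.Length) {
        return "too short to be a $ext image"
    }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($buffer[$i] -ne $expected[$i]) {
            return "content does not start with a $ext header"
        }
    }
    return $null
}

# Walk the upload folder and collect everything that fails the check.
$suspect = @()
foreach ($file in Get-ChildItem -LiteralPath $UploadFolder -Recurse -File) {
    $reason = Test-UploadedFile $file
    if ($reason) {
        $suspect += [pscustomobject]@{ Path = $file.FullName; Reason = $reason }
    }
}

if ($suspect.Count -eq 0) {
    Write-Output "OK: every file under '$UploadFolder' is an allowed image type"
} else {
    $suspect | Format-Table -AutoSize
    exit 1
}
```

A matching header only shows that a file starts like an image, so this is a scheduled check to run alongside validating files when they are uploaded and keeping script execution switched off on that folder in IIS.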
Posted By: savvyboarder
Date Posted: 30 April 2006 at 6:05pm
Hi, I'm just curious how to place a username and password in the "database_connection.asp" file if I want to add that to my database? It's available in the SQL Server script, but I want to add it to my Access DB.
Anybody have suggestions?
Cheers,
BW
Posted By: WebWiz-Bruce
Date Posted: 02 May 2006 at 12:05pm
You don't use a username and password with Access, because it is a flat office file, not a server that requires you to login like SQL Server.
To protect an Access database file it needs to be placed in a folder that doesn't have public access so that it can not be downloaded by a hacker.
Posted By: 34747Forum
Date Posted: 20 May 2006 at 7:50am
Hi -boRg-
I searched the forum for an answer on how to convert, migrate, import or upgrade an Access 7.9 Web Wiz database to the new SQL 8.01,
and I can't find it.
Can you please guide me to that tool or code.
I just upgraded my forum from 7.9 Access to 8.01 SQL, and I need to convert the database.
Also, do I need to buy a new license for this upgrade or can I use the one that I already got?
Thanks in advance....
------------- Alex Maldonado
Posted By: WebWiz-Bruce
Date Posted: 20 May 2006 at 9:22am
You will first need to upgrade your Access database from version 7.x to version 8.01
Once that is done, the hard part is upsizing the Access database to SQL Server.
Access has an Upsize Wizard built in, but people have had different experiences of using this with different amounts of success. But if you search this and the version 8 forum you should find a number of topics and posts on this.
Posted By: Skyforum
Date Posted: 25 May 2006 at 1:49am
I am using Web Wiz to create a forum for the buying and selling of tow trucks. Obviously, the best thing for me is to make uploading of their truck pics possible on the forum.
I realize that it is a security issue, but maybe you could throw a few pointers out on ways I might be able to make the site more secure and still allow my members the ability to upload.
I do have a double backup system in place that will allow me to go back and reinstall the forum in its entirety without too much trouble, with only a minimal loss of information, and I have already set the permissions to require any new posts be approved before they become accessible.
I would love to hear any other ideas anyone might have....
Posted By: WebWiz-Bruce
Date Posted: 25 May 2006 at 8:26am
If you want to enable uploading in your forum, the best way to secure your site is to only have Write and Modify permissions set for the IUSR account on the upload directory, with all other directories in your site set to 'Read' only for the IUSR account.
This will give you maximum security: if the uploads feature is compromised, the hacker can only disrupt files in the upload folder.
You may need to get your web host to set up these permissions if you do not have direct access to the server yourself.
If you are running Access databases then the database folder needs to have Read, Write, and Modify permissions also set, but this database folder should be placed outside of the web site's root anyway.
Posted By: Skyforum
Date Posted: 25 May 2006 at 5:26pm
Thanks. I have my own server using Microsoft's 2003 and I also have MS SQL Server 2000 SP2 and IIS 5. Thanks for the good info. I had given the IUSR account full control on the uploads folder. I have since corrected that.
I also changed my backup procedures to include a twice a day backup of the uploads folder. That way, if someone does manage to corrupt it, I won't lose much and can easily replace it.
So far, Vers 8 seems almost ridiculously fast. Kudos to a job well done. I believe it was money well spent and probably worth more than I paid for the license key.
Posted By: WebWiz-Bruce
Date Posted: 25 May 2006 at 7:25pm
Don't forget to also make sure the IUSR account only has 'Read' access on all other folders in your website.
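The layout Bruce describes in points 1, 3 and 4 of the original post and in his replies on the IUSR account (Write and Modify only on the upload folder, Read everywhere else, and Read, Write and Modify on the database folder outside the root) can be checked rather than assumed. The following PowerShell audit is an added example for this page, not code from the thread or from Web Wiz Forums; the paths and the anonymous account name in its param block are assumptions to adjust for your own server.

```powershell
<#
  Added example, not part of the thread or of Web Wiz Forums. Read-only audit
  of the recommended layout: the Access .mdb above the web root, the anonymous
  IIS account able to write only under the upload folder, and Read plus
  Write/Modify on the database folder itself. Every value in the param block
  is an assumption; change it to match your site. Needs PowerShell 3+.
#>
param(
    [string]$WebRoot      = 'C:\inetpub\wwwroot',
    [string]$UploadFolder = 'C:\inetpub\wwwroot\forum\uploads',
    [string]$DatabasePath = 'D:\private\wwForum.mdb',   # path used in database_connection.asp
    [string]$AnonAccount  = 'IUSR'                      # IIS 5/6: IUSR_<machinename>
)

$findings = New-Object System.Collections.Generic.List[string]

function Get-NormalizedDir([string]$Path) {
    # Full path with exactly one trailing backslash, so a prefix test cannot
    # mistake 'C:\inetpub\wwwroot2' for something inside 'C:\inetpub\wwwroot'.
    return [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
}

function Test-IsAnonAccount([string]$Identity) {
    # ACEs name the account as 'IUSR', 'NT AUTHORITY\IUSR' or 'HOST\IUSR_HOST'.
    return ($Identity -eq $AnonAccount) -or ($Identity -like "*\$AnonAccount")
}

function Get-AnonRights([string]$Folder) {
    # Union of every Allow ACE for the anonymous account on one folder, as a bit mask.
    $mask = 0
    foreach ($ace in (Get-Acl -LiteralPath $Folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-IsAnonAccount $ace.IdentityReference.Value)) { continue }
        $mask = $mask -bor [int]$ace.FileSystemRights
    }
    return $mask
}

# Bits that let the account create, change or delete files. The two hex values are
# GENERIC_WRITE and GENERIC_ALL, which Get-Acl reports on inherit-only entries.
$writeMask = [int][System.Security.AccessControl.FileSystemRights] 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
$readMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$rootDir   = Get-NormalizedDir $WebRoot
$uploadDir = Get-NormalizedDir $UploadFolder
$dbFull    = [System.IO.Path]::GetFullPath($DatabasePath)
$dbDir     = Split-Path -Path $dbFull -Parent

# Check 1 (point 1 of the original post): a database anywhere under the public
# root can be fetched with a browser, whatever it is called.
if ($dbFull.StartsWith($rootDir, [System.StringComparison]::OrdinalIgnoreCase)) {
    $findings.Add("database '$dbFull' is inside the web root; move it to a folder above the root")
}

# Check 2 (Bruce's reply on IUSR permissions): the database folder is the one
# place outside the root that must grant Read plus Write/Modify, or the forum
# cannot open the .mdb.
if (Test-Path -LiteralPath $dbFull) {
    $rights = Get-AnonRights $dbDir
    if ((($rights -band $readMask) -eq 0) -or (($rights -band $writeMask) -eq 0)) {
        $findings.Add("'$dbDir' must give $AnonAccount Read, Write and Modify for the forum to open the database")
    }
} else {
    $findings.Add("database '$dbFull' not found; check the path in database/database_connection.asp")
}

# Check 3 (points 3 and 4): walk every folder under the root; write access for
# the anonymous account is acceptable only on the upload folder and below.
$folders = @(Get-Item -LiteralPath $WebRoot) + @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory)
foreach ($folder in $folders) {
    $dir = Get-NormalizedDir $folder.FullName
    if ($dir.StartsWith($uploadDir, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
    $rights = Get-AnonRights $folder.FullName
    if (($rights -band $writeMask) -ne 0) {
        $findings.Add("'$($folder.FullName)' grants $AnonAccount write access (rights mask 0x$('{0:X8}' -f $rights)); set it to Read only")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: database is above '$WebRoot' and $AnonAccount can only write under '$UploadFolder'"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it as an administrator on the server itself; on shared hosting, where the host sets the permissions, the same three checks are the questions to put to their support.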
Posted By: SMR Group
Date Posted: 05 June 2006 at 11:41pm
Two additional things. It is possible to password protect an Access database, then pass username/password data via the connection string and a system DSN.
It's also a mistake to think MySQL is more secure than Access "out of the box", because MySQL has its own vulnerabilities.
For example, it's important to restrict the permissions for the user account Web Wiz Forums uses; you don't want to give it "Drop" permissions!
MySQL accepts external connections - i.e. straight to the database - via a Windows port. Therefore I always suggest disabling MySQL TCP/IP, enabling named pipes and blocking the MySQL port on the server firewall just to be sure.
Posted By: WebWiz-Bruce
Date Posted: 06 June 2006 at 10:02am
Thanks for your comments, although the password thing for Access databases has been covered in great detail before, and it is a complete waste of time, as Access passwords are one of the simplest passwords to crack; there are hundreds of tools to do this.
The only way to protect an Access database is to place it in a folder outside the website so it cannot be downloaded. Suggesting to people that it is safe to password protect an Access database will give people the impression that they don't need to move the database to a secure folder and that password protecting the database will give them security.
Posted By: SMR Group
Date Posted: 06 June 2006 at 5:03pm
-boRg- wrote:
"The only way to protect an Access database is to place it in a folder outside the website so it cannot be downloaded. Suggesting to people that it is safe to password protect an Access database will give people the impression that they don't need to move the database to a secure folder and that password protecting the database will give them security."
I think you've misunderstood; re-read my post, I didn't suggest anything of the sort.
Savvyboarder asked:
"Hi, I'm just curious how to place a username and password in the "database_connection.asp" file if I want to add that to my database?"
You replied:
"You don't use a username and password with Access, because it is a flat office file, not a server that requires you to login like SQL Server."
What I added was that it is possible to add a password to an Access string. There's no reason not to; it adds another deterrent, albeit only to casual hackers, in addition to placing the database file beneath the root and giving the folder ample security restrictions.
I also wanted to point out that MySQL is not a quick and simple answer to increased security; in its default state with TCP/IP open it is just as vulnerable to attack.
Posted By: WebWiz-Bruce
Date Posted: 06 June 2006 at 5:41pm
You are right on all points, I just wanted to make it clear to people that password protecting an Access database will not make it secure, before I get a flood of people saying they have been hacked because they thought they had secured their Access database by putting a password on it, without securing it properly. I've been down that road before.
I also want to put people off using the Access version, as Access isn't a very good database, and I get a lot of support questions when Access can't cope and people find they cannot simply swap over to using SQL Server or MySQL without great difficulty.
Posted By: get_up
Date Posted: 10 June 2006 at 2:05am
Have 2 questions:
1- I have secured my database like this: put a password, changed the folder, changed the name of the db (but inside the pages folder).. Can they find it?? Or must I change it to outside the root??
2- I have 5000 members in my forum and am using Access.. will I have problems later with Access when I get 10000 members, for example...?? .. and how to convert it to SQL Server??
Thanks
Posted By: WebWiz-Bruce
Date Posted: 10 June 2006 at 9:11am
1- Access passwords are useless, and just moving the Access database is also no good, as a hacker can trip up an ASP page, forcing it to give an error disclosing the location and name of the database.
The only safe way is to place it above the root of your web site in a folder that is not accessible via a web browser. Most hosts will give you a 'private' or 'database' folder for this.
2- Access is a desktop database and not really up to the task of a backend for a forum, which puts a lot of strain on the database. In my experience I would not run an Access database above 10Mb as a forum backend; if you get a lot of traffic then this figure could be even less.
The problem with Access is that, unless you have a forum with only a handful of members, it WILL eventually get corrupted, and whether you will be able to recover the database will be very hit and miss.
Access has an upsize tool for upsizing the database to SQL Server, but again this tool is very hit and miss, and moving from Access to SQL Server is not a simple task.
With 5,000 members you should certainly NOT be using Access; it could be any time that your database will crash and die.
Posted By: lydbury
Date Posted: 10 June 2006 at 9:53am
Amen to that. I was running well on Access - but now my forum is much more busy - 1,000 members and some 250-300 posts per day - it cannot cope. I am moving to MySQL as quickly as I can.
Posted By: get_up
Date Posted: 10 June 2006 at 5:05pm
So Borg, it's up to you what I should do.. 'cause my Access is increasing every day and I'm afraid of losing data... how to move to MySQL with an 18 MB Access database... help please..
Posted By: WebWiz-Bruce
Date Posted: 12 June 2006 at 8:14am
If you do a search of the forum you will find a number of posts on how other people moved to mySQL.
There are lots of free tools available if you look through the mySQL site that will move an Access database from Access to mySQL, some work better than others.
If you have a look at the tools others have used in this forum to do this it should give you an idea of what to use.
Posted By: get_up
Date Posted: 16 June 2006 at 4:05pm
Sorry Borg but I didn't find anything about passing from Access to SQL Server... can you tell me the links or sources... I found some tools on other sites but here nothing!!!
Posted By: WebWiz-Bruce
Date Posted: 16 June 2006 at 4:30pm
I've never tried this myself, but apparently there is a migration toolkit at mySQL.com
Posted By: DonPMitchell
Date Posted: 04 July 2006 at 1:44am
This is probably a very naive question, but what is to prevent a hacker from downloading the database/database_connection.asp file, and then looking at it to discover the folder and file name where the Access database is stored?
Posted By: WebWiz-Bruce
Date Posted: 04 July 2006 at 11:52am
The database/database_connection.asp is an ASP file which means the server will not allow the file to be downloaded.
Instead if you try and call the file in your web browser the file will be parsed by the web server and all the end user will see in their web browser is a blank page.
Posted By: DonPMitchell
Date Posted: 04 July 2006 at 11:11pm
One more naive question? Is it safe to implement picture upload, or does that require that I set write permissions that might open the door to hacking?
Posted By: WebWiz-Bruce
Date Posted: 05 July 2006 at 8:26am
To enable file and image uploading you need to set Read, Write, and Modify permissions on the upload directory.
This can be a security risk, but as long as the upload directory is the only directory on your site that has these permissions you should be fairly safe.
Posted By: tchoune
Date Posted: 11 July 2006 at 4:42pm
The Turkish as*ole just wiped my board. *sigh*
Never thought I would be a target; a French board that talks about books, that's nonsense.
I have a backup but I don't want to put it back, he will only do it again.
For now I have blocked the board.
Is there a way to find out by which means he hacked the forum? I am afraid
for the rest of my website. My database is in a secure folder. I think
my permissions are set securely as well.
It must be my 7.7 version that's the problem though. I was waiting to be up to date; changing version is lots of work.
I have downloaded my hacked database version; he subscribed with the Hacker
name, cleaned out the tblforum and erased all the messages (tblthreads).
So, did he hack my admin name, or have access to my database?
Posted By: WebWiz-Bruce
Date Posted: 11 July 2006 at 5:00pm
If he got in as the admin it sounds like he downloaded your database and got data that way to get into your forum as the admin.
You should upgrade to version 8 and make sure you secure your database in a folder outside of your web site.
Posted By: tchoune
Date Posted: 11 July 2006 at 5:44pm
-boRg- wrote:
"If he got in as the admin it sounds like he downloaded your database and got data that way to get into your forum as the admin.
You should upgrade to version 8 and make sure you secure your database in a folder outside of your web site."
OK, I will do that; I just submitted a ticket to my host to ask their advice about where to put the database to be even more secure.
I have a question though about my backup. It's 2 weeks old, so I am wondering
if I can take the new entries in tblAuthor for the new members (until
this morning and without the Hacker username) and paste them into my
backup database? Is the table related to others?
thanks, borg
Posted By: WebWiz-Bruce
Date Posted: 12 July 2006 at 9:24am
tblAuthor is probably one of the only tables you can do this with, but make a backup first in case it doesn't work out.
Posted By: DonPMitchell
Date Posted: 30 September 2006 at 11:15pm
Hi, I was wondering about the security of picture upload. Is the issue here similar to protecting the access database? That is, if I rename the picture upload directory, will it be impossible for a hacker to know where it is?
Posted By: dj air
Date Posted: 01 October 2006 at 1:10am
This won't stop a hacker knowing where it is, as he just has to check all picture sources to see where it is stored, and that will show where it is, and all he has to do is try his script on that directory.
The only way I know of is to stream the image through a .asp page... with the images stored elsewhere.
I use a similar system for my download manager: I store the zips off site (out of the root) and run them from a .asp page that has to come from my website, else it will be rejected. (simply put)
It has encryption on URLs etc. to check it etc.
Posted By: DonPMitchell
Date Posted: 11 October 2006 at 5:41am
What if the pictures are uploaded to a secret writable directory and then copied to a public read-only directory for storage? Can a server-side ASP script do that?
Posted By: dj air
Date Posted: 11 October 2006 at 10:30am
You could upload to a directory then move them over, but there still lie risks.
Posted By: WebWiz-Bruce
Date Posted: 11 October 2006 at 1:02pm
To do what you require would mean you running a batch file server side that runs under the server admin account or some other account that has write permissions on the directory you want to move the file to.
Unless you have a dedicated server then this type of thing isn't even possible.
Posted By: bims
Date Posted: 19 January 2007 at 9:02pm
Hi all,
I've been moving my sites to a new host; however, they give me the path to my root folder and say all other folders (including database) must be created from there. I expressed my concerns about the safety of my database and they said they could remove read access on the folder (?). I'm a bit concerned as I've always had my database outside my root, which is standard advice for most Access database driven applications.
Is there any way around this? I'd hate to have my db downloaded! and site hacked!
Posted By: WebWiz-Bruce
Date Posted: 20 January 2007 at 10:34am
Removing read access wouldn't work as the database could not then be opened by the forum, so that solution is useless.
I've not heard of a Windows web host for 10 years now that doesn't have a database directory outside of the root of the website. Either your web host is stuck in a time warp or they don't have proper experience at Windows web hosting.
My advice is dump your new web host and find one that takes security seriously.
Posted By: bims
Date Posted: 20 January 2007 at 5:35pm
Thanks borg. This was their response, is this right?
"Strictly speaking it's not necessary to do this though - by removing the READ
permissions for your DB folder in IIS you give it the same security as having it
outside the root since it's not readable from the web (only via your DSN)."
Posted By: WebWiz-Bruce
Date Posted: 20 January 2007 at 5:48pm
Web Wiz Forums uses a faster DSN-less connection. This uses the IUSR account to connect to and read from the database. If you disable read access for the IUSR account (which is what your web host says) then Web Wiz Forums cannot open the database.
Your web host's solution would not work, and they should give you a folder above the root for placing files such as databases within.
Posted By: tripp2loo
Date Posted: 19 February 2007 at 3:14pm
Just so you know, I am an IT professional, but completely new to creating web sites and forums. I have been doing it now for a full 2 weeks.
I don't want to seem like a complete pleb, but what distinguishes a public folder from a private folder?
I have my site set up, and the forum, but I am sure it is not secure. I have moved my DB to some sub folder. Can someone be a little more granular about the rights on folders and files that are required to be set? I am running the Access DB version and my host, or should I say mein host, is 1and1.
All help greatly appreciated.
Posted By: WebWiz-Bruce
Date Posted: 19 February 2007 at 3:32pm
A private folder for databases would be a folder outside of the public folder of your web site.
As sub folders usually have the same public permissions as your web site, it would be no good there, as a hacker can still access the folder and download your database using a web browser.
Usually most web hosts will give you a folder above the public root folder of your web site. This folder can only be accessed via FTP, which means a hacker cannot use a web browser to download your database.
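A deployment self-check for the advice above (the database must sit outside the public root, and a sub folder of the root does not count). This is an added example, not Web Wiz Forums code; the web root and database paths below are constructed placeholders, and the `windows` flag is an assumption so the same check can be run for an IIS layout or a POSIX one without touching the disk.

```python
"""Check that a configured database path resolves outside the public web root.

Added example, not Web Wiz Forums code. The paths used at the bottom are
constructed placeholders; substitute the real web root and database path.
"""
import ntpath
import posixpath


def is_outside_webroot(db_path: str, web_root: str, windows: bool = True) -> bool:
    """Return True when db_path does not resolve inside web_root.

    Both paths are normalised first, so a path that only *looks* outside the
    root because it contains '..' is resolved before the comparison, and on
    Windows the comparison is case-insensitive. Both arguments must be absolute.
    """
    p = ntpath if windows else posixpath
    if not (p.isabs(db_path) and p.isabs(web_root)):
        raise ValueError("both paths must be absolute")
    db = p.normcase(p.normpath(db_path))
    root = p.normcase(p.normpath(web_root)).rstrip(p.sep)
    # Inside the root means: equal to it, or a descendant of it (any depth).
    return not (db == root or db.startswith(root + p.sep))


def report(db_path: str, web_root: str, windows: bool = True) -> str:
    """Human-readable verdict for one configured database path."""
    if is_outside_webroot(db_path, web_root, windows):
        return "OK: database is outside the public web root"
    return "WARNING: database is inside the web root and may be downloadable by URL"


if __name__ == "__main__":
    # Constructed placeholder paths for an IIS-style layout.
    WEB_ROOT = r"D:\sites\example\wwwroot"
    for candidate in (
        r"D:\sites\example\wwwroot\forum\database\wwforum.mdb",  # the risky default
        r"D:\sites\example\private\wwforum.mdb",                 # a host-provided private folder
        r"D:\sites\example\wwwroot\..\private\wwforum.mdb",       # same folder, written with '..'
    ):
        print(candidate, "->", report(candidate, WEB_ROOT))
```

The check is deliberately pure string work (no filesystem access), so it can run from a workstation against paths copied out of the forum's configuration file.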
Posted By: tripp2loo
Date Posted: 19 February 2007 at 5:13pm
Would this be the same as the _private folder?
Posted By: WebWiz-Bruce
Date Posted: 19 February 2007 at 5:37pm
If it is outside of your public web site then yes.
However, I would recommend asking your web hosting support; they usually have a folder set up for you.
Posted By: tripp2loo
Date Posted: 19 February 2007 at 9:02pm
Well, I am waiting on a response back from the host. I have another quick one for you.
Does IUSER_* need write and read permissions to the Access DB?
Also
Do we need Global.asa, which FrontPage seemed to have created automatically?
I have permission to change these, so any help would be welcome.
For now, I have changed the setting to not allow browsing of the DB folder, but this must be set for folders that contain images and such, correct?
Cheers
Posted By: MadDog
Date Posted: 20 February 2007 at 3:05am
tripp2loo wrote:
Well, I am waiting on a response back from the host. I have another quick one for you.
Does IUSER_* need write and read permissions to the Access DB?
Also
Do we need Global.asa, which FrontPage seemed to have created automatically?
I have permission to change these, so any help would be welcome.
For now, I have changed the setting to not allow browsing of the DB folder, but this must be set for folders that contain images and such, correct?
Cheers
Is your host asking you this question? If they are, CHANGE HOSTS!!!!!!!! If ANY host has to ask this question, they do not know crap about security and you should not trust them to run any website, PERIOD.
------------- http://www.iportalx.net
Posted By: MadDog
Date Posted: 20 February 2007 at 3:06am
Oh yeah, sorry, to answer the question: YES, the IUSER_* user does need read/write/modify permissions on the database.
Most hosts provide a folder outside the HTTP directory with full permissions for this type of thing.
Posted By: tripp2loo
Date Posted: 20 February 2007 at 3:36am
It was me asking this, and yeah, you are right, I don't know crap about internet security.
Looks like I figured it out; it needs to be there. The only thing is, the DB folder is not browsable, but the global.asa file points right to it.
Posted By: Leathal
Date Posted: 23 February 2007 at 6:32pm
Very useful information here, but I would like to add that a good firewall with HTTP filtering should also be considered when using any kind of web based forum application.
The Access DB thing... If you must use Access, Borg is right about moving the database elsewhere, but I would suggest, if you have access to MS SQL, using that instead. I am not sure if this forum will support 2005, as I know MS was giving away a version of it and still may to their MSDN clients, which btw costs $400 USD a year and gives you access to pretty much all of Microsoft's products for testing purposes, as they call it, but without containing any time bombs.
Leathal
Posted By: WebWiz-Bruce
Date Posted: 24 February 2007 at 2:08pm
Web Wiz Forums works under MySQL and SQL Server 2005 Express; both of these are excellent database servers and are both free.
The free version of SQL Server 2005 (SQL Server 2005 Express) is free for anyone to download from the Microsoft SQL Server web site (http://www.microsoft.com/sql/), so you don't need to be an MSDN subscriber to download it.
MySQL is also free and is just as good as SQL Server when running Web Wiz Forums. Both MySQL 4.1 and MySQL 5+ are supported.
Either of these two database systems is much better than Access, not only for security but also for performance.
Posted By: RAVALON
Date Posted: 20 March 2007 at 1:41pm
Hello all
I'm one of the first users who developed a personal port for MySQL (do you remember, Borg?).
I'm running the 7.x version... I know I have to update to the last official version, but I need more time first to update to prevent losing data...
In the meantime I have a problem.
Yesterday my provider contacted me, saying that about 10,000 emails were sent from my forum without my authorization.
Do you know something about this problem?
Is there some exploit that enables someone to send email from the forum?
Posted By: WebWiz-Bruce
Date Posted: 20 March 2007 at 3:17pm
It would be very difficult for this type of thing to come from the forum, as any email sent requires the user to be logged in.
Version 7.96 onwards has extra protection built in to prevent this type of spamming, which has only really become bad during the last few months.
More likely, though, you have a contact-us type form on your site and you are not sanitising the subject line, which means that a remote hacker can make the email component send 1000's of carbon copies through the form to other people.
Posted By: RAVALON
Date Posted: 20 March 2007 at 6:40pm
Thank you for your answer, Borg.
Also for me it is difficult that the problem came from the forum, but that is what the provider said... maybe they saw the subject of my forum in these 10,000 emails.
One other question... because of my bad English, I've not understood this:
*****
More likely though you have a contact us type form on your site and you are not sanitising the subject line which means that a remote hacker can make the email component send 1000's of Carbon Copies through the form to other people.
*********
Could you explain it to me in other words please? I'm Italian and I don't understand... sorry
Posted By: WebWiz-Bruce
Date Posted: 20 March 2007 at 7:29pm
If you have a contact-us enquiry form on your site, it can be used by spammers to send spam if left unchecked.
How spammers are now doing it is: if you use CDOSYS or some other component, a spammer can change the subject so that it contains new line characters with email addresses; this can be used to trick CDOSYS into sending 1000's of emails.
For example, a remote spammer could send the following subject to an email enquiry form:-
my spam subject; email1@email.com; email2@email.com; email3@email.com; etc. etc.
By sending this subject along with the enquiry area filled in with a spam email, the CDOSYS component can be tricked into sending that form enquiry to 1000's of email addresses using the Blind Carbon Copy (BCC) method.
Web Wiz Forums is quite protected against this type of spam, as not only are the subjects of emails created by the software and not the user, the fields passed to the email component are filtered to prevent any malicious code from getting through.
You may want to ask your web host to forward one of these emails to you with all the headers. If you send this to Web Wiz support we can have a look through it for you to tell you exactly how the spammer is using your site to send spam.
Posted By: RAVALON
Date Posted: 20 March 2007 at 7:39pm
Thanks again, Borg... effectively I use the CDOSYS object to send email...
I'm using the 7.91 version, so I have to think it is not protected from this type of spam... right?
I'm in contact with the server provider's developers... I'll ask if they could send me one of these emails and after that I'll post here...
Until then, is there some fast code upgrade that I could insert to protect from this type of spam??
Posted By: RAVALON
Date Posted: 20 March 2007 at 7:57pm
I'm thinking about your last answer... so...
If I have understood, you think it is not the forum but some other page in my site which could send email??
I have one such page in my site, so I checked the code... I can see my subject textbox has no control for the max number of words, so it is possible to insert 1000's of email addresses, if you want...
I temporarily corrected it by inserting MAXLENGTH="50" in the textbox area... do you think it could correct the problem until I upgrade to the last version? In this way nobody could insert more than 50 chars... so no more emails sent in bulk... no?
Posted By: WebWiz-Bruce
Date Posted: 20 March 2007 at 8:41pm
That would not work, as spammers post data directly to the file that sends the emails and bypass the form.
You need to check in your own contact enquiry forms that you have checked any data sent to the file that processes the form.
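The two points Bruce makes above (the subject must be built or filtered by the software, and the filtering must happen in the server-side handler because a sender can skip the HTML form and its MAXLENGTH entirely) as one worked example. This is added code, not Web Wiz Forums or CDOSYS code; it is written in Python rather than Classic ASP so it can run anywhere, the field names, limits and owner address are assumptions, and the sample submissions are constructed.

```python
"""Server-side checks for a contact/enquiry form that feeds a mail component.

Added example, not Web Wiz Forums or CDOSYS code. Field names, limits and the
owner address are assumptions; the sample submissions below are constructed.
"""
import re

MAX_SUBJECT = 50     # assumption: same limit as the MAXLENGTH discussed in the thread
MAX_MESSAGE = 4000   # assumption

# Exactly one address, used with fullmatch so nothing may precede or follow it.
SINGLE_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Any address-looking token anywhere inside a string (recipient lists in the subject).
ADDRESS_IN_TEXT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Raw or URL-encoded line breaks: a line break is what lets one field become a new header.
LINE_BREAK_RE = re.compile(r"[\r\n]|%0[aAdD]")


def validate_enquiry(form: dict) -> list:
    """Return the reasons a submission is rejected; an empty list means it may be sent.

    This runs over the raw POST data on the server, so it still applies when the
    sender posts straight to the handler and never sees the HTML form.
    """
    errors = []
    subject = form.get("subject", "")
    sender = form.get("email", "")
    message = form.get("message", "")

    if not 0 < len(subject) <= MAX_SUBJECT:
        errors.append("subject length")
    if LINE_BREAK_RE.search(subject):
        errors.append("subject contains a line break")
    if ADDRESS_IN_TEXT_RE.search(subject):
        errors.append("subject contains an email address")
    if not SINGLE_ADDRESS_RE.fullmatch(sender):
        errors.append("sender is not a single well-formed address")
    if not 0 < len(message) <= MAX_MESSAGE:
        errors.append("message length")
    return errors


def header_safe(value: str, limit: int) -> str:
    """Collapse line breaks and runs of whitespace and truncate, for text placed in a header."""
    flat = LINE_BREAK_RE.sub(" ", value)
    return " ".join(flat.split())[:limit]


def build_message(form: dict, owner_address: str) -> dict:
    """Compose the outgoing message with a fixed recipient and a software-built subject.

    The recipient is the site owner, never anything taken from the form, and the
    user's subject only appears after a fixed prefix, already stripped of line breaks.
    """
    errors = validate_enquiry(form)
    if errors:
        raise ValueError("rejected: " + ", ".join(errors))
    return {
        "to": [owner_address],
        "reply_to": form["email"],
        "subject": "Website enquiry: " + header_safe(form["subject"], MAX_SUBJECT),
        "body": form["message"],
    }


# Constructed submissions: one legitimate, two shaped like the abuse described above.
GOOD_FORM = {"email": "visitor@example.com", "subject": "Question about hosting", "message": "Hello"}
RECIPIENT_LIST_FORM = {"email": "visitor@example.com",
                       "subject": "my spam subject; email1@email.com; email2@email.com",
                       "message": "spam"}
HEADER_BREAK_FORM = {"email": "visitor@example.com", "subject": "hi\r\nBcc: a@example.net", "message": "x"}

if __name__ == "__main__":
    for name, form in (("good", GOOD_FORM), ("recipient list", RECIPIENT_LIST_FORM),
                       ("header break", HEADER_BREAK_FORM)):
        print(name, "->", validate_enquiry(form) or "accepted")
```

Note that the length limit alone would not have caught the header-break submission; the line-break and address checks, and the fixed recipient list in `build_message`, are what actually remove the mail component's ability to be steered by the form's contents.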
Posted By: RAVALON
Date Posted: 20 March 2007 at 10:12pm
And how?
I'm sure no file was updated on my space.
Maybe it is simply a mail server problem and not a forum problem??
Thank you for your answers... now I'll stop disturbing you.