Extra protection for Access MDB
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=17763
Printed Date: 13 April 2026 at 6:23pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Extra protection for Access MDB
Posted By: JJLatWebWiz
Subject: Extra protection for Access MDB
Date Posted: 05 January 2006 at 4:41pm
I think I found a pretty good technique to protect the MDB file used in the Access version of WWF (or any web app using Access). Rename the file extension to something that the server doesn't know how to handle and the server sends a 404 error making it apparently hidden.
Check out the rename instructions here: http://www.webwiz.net/web_wiz_forums/docs_access_move_db.asp?mode=forum
We've all read it, right? It doesn't make any suggestions for a file name or mention a new extension. Some discussions on this forum have suggested changing the extension to something like ".asp" so the server will attempt to process the file as if it were a script. But a known file extension could cause recognizable data to be sent to the client. Also, the server will send the entire file, using bandwidth and processing time. BUT, if you name the file something like ".wwf", the server doesn't know what to do with that extension and immediately sends a 404 File Not Found error message.
I got the idea when I was trying to add kmz files to my site so users could download my Google Earth placemarks. When people would try to download such a file, the server would send a 404. I had my host add the file extension and MIME type, so kmz works.
There may be some way around it, but many users have no ability to put a database in a folder above the web root, so an unaccounted-for extension might be a simple bit of extra protection for the mdb. Of course the common.asp files have to be modified to match the new filename.
------------- p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.
Replies:
Posted By: WebWiz-Bruce
Date Posted: 06 January 2006 at 11:58am
Good idea, but a lot of web servers will still send the file to the browser, which will ask the user to download the file.
What I have decided to do for the next version, just like in the new Web Wiz Guestbook v8, is that if the database is not moved or renamed, every time you go to the admin menu, in the admin area, a rather annoying pop-up will appear with the following message:
SECURITY ALERT!!
Your Forums's Access database has not been secured.
Click 'OK' to view information on how to secure your Forums's Access database.
http://www.webwiz.net/web_wiz_forums/kb_access_move_db_forum.asp
As well as this I've also changed the way the forums files are structured, so now there is only 1 file that needs to be changed for the database configuration.
------------- Web Wiz Forums Hosting: https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - ASP.NET Web Hosting: https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: JJLatWebWiz
Date Posted: 06 January 2006 at 6:14pm
I guess some servers will attempt to serve the request, but it also seems to be fairly common that unknown extensions cause a 404, which should be very safe. I've confirmed the 404 error with unknown extensions with 3 different hosting companies that I use. It also worked (caused a 404 but the forum still runs) with no extension at all.
I really like the idea of warning the admin of potential insecurities. Perhaps you will consider adding other security checks. For example, evaluate the read/write permissions on the forum folders, check if the default setup files (like msSQL_server_setup.asp) still exist, check for default or weak admin password.
Posted By: WebWiz-Bruce
Date Posted: 06 January 2006 at 6:30pm
At the moment it only gives a warning for the database, and error handling for email problems, database connection problems, and database update errors.
Checking the server permissions would be slightly harder, but checking for weak passwords is also a good idea.
Posted By: MadDog
Date Posted: 06 January 2006 at 9:03pm
Why don't you just, by default, not set up the connections file?
I can see how this would lead to a lot more forum posts, but on the other hand you won't get a bad rep from all the noobs not changing the database path and getting hacked.
------------- http://www.iportalx.net
Posted By: dpyers
Date Posted: 07 January 2006 at 12:39am
A lot of webservers will default to delivering text if the mime type/extension is unknown to them. Using a script extension will cause the server to try to execute the file as a script - which will then error out - the entire file is not delivered to the browser, just the script error.
-------------
Lead me not into temptation... I know the short cut, follow me.
Posted By: JJLatWebWiz
Date Posted: 09 January 2006 at 6:53pm
dpyers - What kind of script extension are you talking about? When I changed my wwForum to .asp, I got the full file sent to me and I was easily able to pick out all the raw data from the stream. The data was mangled enough that Access would not open it when saved to my PC, but it's probably repairable. But even without repair, the data is intact. My test involved a smallish 900K test file, so maybe the server would timeout with a larger file. And maybe your test file circumstantially has code that causes the error. Perhaps you could test it with an empty wwForum as supplied with the WWF setup.
In any case, if either technique works, it's better than leaving the MDB in the default folder with the MDB extension. IMO, a 404 error is a better result since the hacker may assume that the file does not actually exist. Some other result may be less secure since it's possible that even a script error could be leaking data.
Does anyone know of file permissions that would allow file access only by ODBC via a script but not by the http server directly? Or is that too close to Nirvana?
Posted By: dpyers
Date Posted: 10 January 2006 at 9:43pm
I just tried it with a .mdb renamed to .asp. The first server I tried it on convinced me you were full of the stuff that makes the grass grow green, as I got an immediate script error.
Unfortunately, I tried it on another server with a different .mdb file renamed to .asp and it downloaded the file and opened it as text. So I figure maybe I am full of that stuff.
Tonight I'll switch the files between the two servers and try again to see if it's caused by the file or by the server.
Posted By: WebWiz-Bruce
Date Posted: 11 January 2006 at 12:35pm
I think the security alert is probably the best method, particularly as it is really annoying as it keeps popping up all the time continually in the admin area till the database is moved.
I also made it simpler to move with just 1 file needing to be updated and simple instructions to do it that you are taken to if you click 'OK' on the javascript alert.
Posted By: JJLatWebWiz
Date Posted: 11 January 2006 at 4:13pm
-boRg-, I agree that nagging the admin to choose a non-default location and file name is probably the best line of defense. I wouldn't advocate an extension rename in place of your solution. But (you knew it was coming), if a hacker discovers the path and file name, a method of preventing the database from being downloaded is a reasonable second line of defense.
dpyers, I'm looking forward to your results. If there's something contained in one of your MDBs that causes a scripting error, perhaps something similar could be added to all our MDBs so that when they're renamed to .asp, a hacker is foiled. If some servers will attempt to send an unknown extension and not give the 404 error as mine do, your script error may be a better universal solution.
Posted By: WebWiz-Bruce
Date Posted: 11 January 2006 at 4:51pm
I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP, this way the database can not be downloaded.
Most web hosts now give a folder specifically for databases where the database can not be downloaded from, so hopefully the simple instructions, and annoying security alerts will encourage people to secure their database.
Most of the people I find are getting hacked simply don't read the install instructions and therefore don't realise they should secure their database. By forcing it in people's faces it alerts them to this fact and hopefully should mean the majority of people will start to secure their databases in a folder outside of their web root.
Another idea I have, and have started to implement to a small degree in version 8, is to use error handling.
The error handling within the forum could be set up to either just display that an error has occurred, or a detailed error message. With the default error message disabled from the admin area, the hacker wouldn't be able to get the details of the database location, thus giving an extra layer of protection.
Posted By: JJLatWebWiz
Date Posted: 11 January 2006 at 6:09pm
-boRg- wrote:
I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP, this way the database can not be downloaded.
Absolutely! Without a doubt or equivocation, the single best line of defense.
-boRg- wrote:
...the hacker wouldn't be able to get the details of the database location, thus giving an extra layer of protection.
BRAVO! I've been a little reluctant to point out that a hacker could force an ODBC error and thus cause the server to expose the path and filename of the MDB no matter where it is.
The combination of nagging admins to put their database in a secure location and preventing path exposure will definitely help make WWF less hackable. 
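As an added illustration (not code from this thread or from Web Wiz), a small Python audit in the spirit of the admin-area security alert discussed above: it reports whether a configured Access file sits inside the web root, whether it still carries the default name, and how the web server is likely to treat its extension. The web root, the default filename wwForum.mdb and the extension sets are assumptions for the example.

```python
from pathlib import PureWindowsPath

# Extensions most IIS hosts hand straight to the browser as a download.
DOWNLOAD_EXTS = {".mdb", ".accdb", ".txt", ".bak", ".zip"}
# Script extensions: the host tries to execute the file. Posters in the
# thread saw both a script error and the raw contents, so this is unreliable.
SCRIPT_EXTS = {".asp", ".aspx"}
# Assumed (placeholder) name the application ships with.
DEFAULT_DB_NAME = "wwForum.mdb"


def audit_db_placement(web_root, db_path):
    """Return a list of (severity, message) findings for one database path.

    web_root and db_path are Windows-style absolute paths, as on an IIS host.
    An empty list means the file is outside the web root, the only placement
    the thread agrees is actually safe; everything else is a finding.
    """
    root = PureWindowsPath(web_root)
    db = PureWindowsPath(db_path)
    findings = []

    # 1. Outside the web root? Then no URL maps to it and nothing else matters.
    try:
        rel = db.relative_to(root)
    except ValueError:
        return findings
    url_path = "/" + "/".join(rel.parts)  # constructed request path
    ext = db.suffix.lower()
    shown = ext or "(none)"

    # 2. Default name inside the web root: guessable path, the case the
    #    admin-area alert is meant to catch.
    if db.name.lower() == DEFAULT_DB_NAME.lower():
        findings.append(("critical", f"default database name at {url_path}"))

    # 3. Classify the extension the way the web server will treat it.
    if ext in DOWNLOAD_EXTS:
        findings.append(("critical", f"{ext} is served as a download"))
    elif ext in SCRIPT_EXTS:
        findings.append(("warning", f"{ext} relies on a script error; "
                                    "some hosts still return the contents"))
    else:
        findings.append(("warning", f"unknown extension {shown} may 404 "
                                    "or may be served, depending on the host"))

    findings.append(("info", "move the file outside the web root "
                             "to remove the exposure entirely"))
    return findings
```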
Posted By: dpyers
Date Posted: 13 January 2006 at 1:35am
-boRg- wrote:
I still think the best line of defence is getting the users to place the folder in a database folder only accessible via FTP, this way the database can not be downloaded.
That's always the safest way.
Update on testing mdb's with asp extensions on different servers: Seems to depend upon the db, not upon the server. Access version doesn't seem to enter into it. Got 2 Access 2003 db's and one downloads and the other executes as asp. If I get a chance this weekend, I'll go after them with a hex editor and see if there's anything resembling a mime type in there.