Security Issue
Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: Database Discussion
Forum Description: Discussion and chat on database related topics.
URL: https://forums.webwiz.net/forum_posts.asp?TID=3301
Printed Date: 29 March 2026 at 10:03am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Security Issue
Posted By: hkading
Subject: Security Issue
Date Posted: 05 June 2003 at 10:50pm
|
I have downloaded and successfully installed the SQL version of the discussion forum. After the set up I deleted the msSQL_server_set.asp file per the security recommendation. But, I am concerned that the SQL_server_connection.asp file is still online and has all the access information to the database in it. I have list permission turned off, but I have been told that even a novice hacker can view files and their contents on MS servers. Is this a legitimate security issue? If so, is there anything that can be done about it? Thanks. |
Replies:
Posted By: WebWiz-Bruce
Date Posted: 06 June 2003 at 3:01am
|
The file is needed for the forum to know what SQL server and database to use. The file is an ASP file, this means that if the file is requested it is parsed by the ASP.DLL and only any script output is ent to the browser. As there is no output from this file if someone calls the file in their browser they won't be able to see the contents of this file. The only way someone can view the contenets of this file is to hack your FTP account and download the file using FTP. So this is not a security problem. ------------- https://www.webwiz.net/web-wiz-forums/forum-hosting.htm" rel="nofollow - Web Wiz Forums Hosting https://www.webwiz.net/web-hosting/windows-web-hosting.htm" rel="nofollow - ASP.NET Web Hosting |
Posted By: michael
Date Posted: 06 June 2003 at 9:18am
|
What you where referring to hk, was an old bug that got fixed. You used to be able to download a web with Frontpage as readonly and it gave you all the script content. Unless you are still using fp extensions version oldold on your server you should be fine. ------------- http://baumannphoto.com" rel="nofollow - Blog | http://mpgtracker.com" rel="nofollow - MPG Tracker |
Posted By: hkading
Date Posted: 07 June 2003 at 11:52am
|
Thank you for your responses. I still didn't feel comfortable just having the database information there and visible in the code, so, I added an include file which has encryption and decryption modules I wrote, and encrypted the database access variables. So, the information is still there, but a hacker will have to get access to the SQL connection asp, plus the include file (albeit that file name is included in the SQL connection asp), and then write some code to decipher the information. For those who may be interested (and I apologize if this is the wrong forum for this aspect of this topic) the modified code now looks like this: %><!--#include file="functions/functions_other.asp" --><% 'Enter the details of your SQL server below |
