
Potential security hole

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=8983
Printed Date: 07 April 2026 at 1:07pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Potential security hole
Posted By: dj air
Subject: Potential security hole
Date Posted: 16 January 2004 at 2:28pm

Hi guys,

This isn't a major security hole, but I thought it would be wise to mention it.

Say you have a password 4 characters long.

Then, if someone wants to get into your account and you don't have the database in a folder outside the root folder (i.e. they can download it),

they can open the database, look at the User_code and see what the last two letters are.

Say your password was "help". In the User_code it would have "lp" on the end.

So if someone really wanted to get in, they would only have to look in a dictionary and go through all of them. You can tell how long the password is by looking at the salt code, and they would also try common words.

The only thing I can suggest is to take out the last 2 characters from the user code, or use part of the encrypted password instead.

I would like to say it would take time to hack in, but if they wanted to, they could.

I know it's a bit far-fetched, but it's a potential security hole.




Replies:
Posted By: dpyers
Date Posted: 16 January 2004 at 2:49pm
Change the extension of the access db from .mdb to .asp (and also the connection strings). The access engine will still open it and work with it, but when someone tries to download it, the web server will try to run it as an asp script and return an error.

-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: dj air
Date Posted: 16 January 2004 at 2:53pm
I use it in a private directory, but I thought I would mention it for those that don't use a private directory.


Posted By: Badaboem
Date Posted: 16 January 2004 at 3:01pm
IIS 6.0 should take care of this as well. The metabase does not allow files with the .mdb extension to be downloaded, etc. You can allow or disallow extension types yourself.


Posted By: MadDog
Date Posted: 16 January 2004 at 3:26pm

Read the documentation and you won't have any security problems.



-------------
http://www.iportalx.net


Posted By: michael
Date Posted: 16 January 2004 at 3:52pm
I am sure DJ Air knows the documentation and the forum fairly well, well enough that he is just pointing it out as a suggestion to remove the last two letters of the password from the user code.

-------------
http://baumannphoto.com - Blog | http://mpgtracker.com - MPG Tracker


Posted By: WebWiz-Bruce
Date Posted: 16 January 2004 at 6:16pm
This was fixed/changed quite a few versions ago.

The way the user code is created was changed to contain the user name, with a set of 10 random letters and numbers appended to the end of it.

If this is not the case in your forum, try updating to the latest version.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
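The two user-code schemes discussed in this thread, as an added illustration that is not code from Web Wiz Forums or from any poster: the first model shows how a stored code that ends with the last two characters of the password (and whose length reveals the password length) lets someone holding a downloaded database filter a dictionary down to a handful of candidates, and the second generates the replacement scheme WebWiz-Bruce describes (user name followed by 10 random letters and digits), which carries nothing derived from the password. The exact layout of the old user code is not given in the thread, so the "*"-padded format, the wordlist and the function names here are assumptions made for the example.

```python
"""Added illustration (not code from Web Wiz Forums): how a user code that ends
with the last two characters of the password narrows a dictionary attack, and
how a user code made of the user name plus random characters avoids that.

The old user code layout is not described in the thread; the format used here
is a hypothetical stand-in that leaks the same two things the poster describes,
the password length and its last two characters.
"""
import secrets
import string

# Constructed sample wordlist (not from the thread).
WORDLIST = ["help", "hello", "helm", "kelp", "yelp",
            "held", "hell", "heap", "half", "pulp"]

ALNUM = string.ascii_letters + string.digits


def old_style_user_code(password: str) -> str:
    """Hypothetical model of the weak scheme: one filler character per hidden
    password character, followed by the password's real last two characters."""
    if len(password) < 2:
        raise ValueError("model assumes passwords of at least two characters")
    return "*" * (len(password) - 2) + password[-2:]


def narrow_dictionary(user_code: str, wordlist: list[str]) -> list[str]:
    """What someone holding a downloaded database can do with the weak scheme:
    keep only words of the leaked length that end in the leaked two characters."""
    length = len(user_code)
    suffix = user_code[-2:]
    return [w for w in wordlist if len(w) == length and w.endswith(suffix)]


def reduction_factor(user_code: str, wordlist: list[str]) -> float:
    """Fraction of the wordlist that survives the filter (lower = bigger leak)."""
    return len(narrow_dictionary(user_code, wordlist)) / len(wordlist)


def new_style_user_code(username: str, random_len: int = 10) -> str:
    """The scheme described later in the thread: user name followed by 10 random
    letters and digits. Nothing in it is derived from the password, so a copy of
    the database reveals neither the password's length nor any of its characters.
    secrets.choice is used so the tail is unpredictable."""
    return username + "".join(secrets.choice(ALNUM) for _ in range(random_len))


def is_new_style(user_code: str, username: str, random_len: int = 10) -> bool:
    """Check that a stored code has the new shape: the user name as prefix and
    an alphanumeric tail of the expected length."""
    if not user_code.startswith(username):
        return False
    tail = user_code[len(username):]
    return len(tail) == random_len and all(c in ALNUM for c in tail)


if __name__ == "__main__":
    code = old_style_user_code("help")
    print("old-style user code:", code)
    print("dictionary candidates:", narrow_dictionary(code, WORDLIST))
    print("surviving fraction:", reduction_factor(code, WORDLIST))
    print("new-style user code:", new_style_user_code("djair"))
```

With the constructed wordlist, the old-style code for "help" leaves four candidates out of ten, and a real dictionary shrinks in the same proportion once length and suffix are known; the new-style code gives the filter nothing to work with, which is why moving the database out of the web root still matters for everything else it contains, but no longer for the password.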


