Old talk revisited: database address exposure in ASP development, prompted by the "Google exposes database addresses" problem

zhaozj2021-02-16  56

Keywords: Access, Database Download, IIS Security

http://blog.9cbs.net/qunluo/archive/2004/07/17/44092.aspx (address of the article on Google exposing database addresses)

I already knew about this security problem before; I don't know whether I have just been lucky. My programs have always got by on luck; at least my databases have only ever been tested on my own site. In some situations an Access database is still downloadable, and of course this has something to do with the server administrator's level. As for people who make the database name as complicated as possible: I can't believe you can think of anything that complicated. Of course, if only you have seen your program and nobody else has, it can still play a role. That is, as long as your database sits in a directory where directory browsing is not enabled!

Later I learned that giving the database an .asp or .asa extension can avoid problems like this. But whether this works still depends on the server-side configuration, and I haven't actually verified it, so it's unknown! Searching online, the first thing everyone says is: "change the database extension to .asp"! Ah! Is that safe? It can only be said: not necessarily. Why? Because if the file doesn't contain <% or %> tags, IIS does nothing to it, and the downloaded database is exactly the same as the original! So it is still tied to the server configuration!

On the other hand, I also learned that adding an OLE field containing the "<%" symbol to the database can prevent this. I don't know whether that is secure either, but at least when the database address is requested, what comes back is indeed garbled output instead of a download of the database. I have verified this on my own machine and on the server (in a virtual-host space).

There is still a question worth mentioning: can it be downloaded with a tool like FlashGet? I also heard that putting a "#" symbol in the database name can prevent downloading. That works, of course, because "#" is an anchor: when downloading, the client recognises the "#", drops everything after it, and treats the address string as ending there. For example, if you want to download http://www.mysite.com/date/#123.mdb (assuming it exists), then whether it's IE, FlashGet, NetAnts or the like, what is actually fetched is http://www.mysite.com/date/index.htm (or index.asp, default.jsp, whatever your default document is in IIS).

In the same vein as the "#" problem, a space in the database file name plays a similar role, because of how the HTTP protocol parses the address: the space is encoded as "%20". For example, http://www.mysite.com/date/123 456.mdb becomes http://www.mysite.com/date/123%20456.mdb when downloaded. Our directory has no file named "123%20456.mdb", so the download fails too; even if you expose the database address, generally it cannot be downloaded!
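As an added illustration (not code from the original post), here is a small Python script that simulates what the "#" and space tricks above actually do on the client side and on the server side. The URLs are constructed samples modelled on the post's example, and urllib.parse stands in for the browser and for IIS; the function names are my own. It shows that the "#" really does cut the request off at the directory, so the default document is served, but that a space is merely percent-encoded on the way out and decoded again by the server, so a file whose name contains a space is still served if it exists. Both tricks therefore depend on how the client builds the URL rather than on any access control on the server, which is why keeping the database outside the web root is the real fix.

```python
from urllib.parse import urlsplit, quote, unquote

# Constructed sample URLs, modelled on the two tricks described in the post.
ANCHOR_URL = "http://www.mysite.com/date/#123.mdb"
SPACE_URL = "http://www.mysite.com/date/123 456.mdb"


def client_request_path(url):
    """Return the path a browser or download tool actually sends for ``url``.

    Everything after '#' is a fragment: clients keep it locally and never put
    it on the wire.  Characters that are not allowed in a URL path, such as a
    space, are percent-encoded before the request is sent.
    """
    parts = urlsplit(url)          # scheme, host, path, query, fragment
    return quote(parts.path)       # '/' stays as-is; ' ' becomes '%20'


def server_side_filename(request_path):
    """Return the file name the web server looks up on disk for ``request_path``.

    The server decodes percent escapes before touching the filesystem, so
    '%20' turns back into a space.  An empty name means the request hit a
    directory, and IIS would serve its default document instead.
    """
    return unquote(request_path).rsplit("/", 1)[-1]


def resolved_target(url, default_document="index.htm"):
    """Simulate the whole round trip: which file does ``url`` end up serving?"""
    name = server_side_filename(client_request_path(url))
    return name or default_document


if __name__ == "__main__":
    for url in (ANCHOR_URL, SPACE_URL):
        print(url)
        print("  client sends :", client_request_path(url))
        print("  server serves:", resolved_target(url))
```

Running it prints that the anchored URL is sent as "/date/" and serves index.htm, while the URL with a space is sent as "/date/123%20456.mdb" and resolves to the file "123 456.mdb" on disk.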

Another safe approach is to configure your database through a DSN: put the database in a directory outside C:\Inetpub\wwwroot\myasp, then connect through the DSN in the database driver connection. Ah! The problem is that unless it is your own server, will the hosting company set up such a configuration for you on their server? (Why? If you change your web program's database, you have to re-upload it, and then they have to configure it for you all over again. For example, if you change the location of the database, they have to set up the database DSN for you again!) For many people who run personal websites this is an impractical approach, although it is safe. (And it sacrifices some database efficiency and performance; as I remember, Microsoft does not recommend DSN connections.)

Some people (who have only just come into contact with computers and web development) also think that setting a password on the database should be safe: conn.open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;DBQ=database path". After this change, even if the database is downloaded, others cannot open it (provided the password in your database connection is not leaked). But note that because the encryption mechanism of the Access database is relatively simple, even with a password set it is easy to decrypt. The database system forms an encrypted string by XORing the password the user entered with a fixed string, and stores it in the .mdb file in the region starting at address &H42. So a good programmer can easily write a small program of a few dozen lines to get the password of any Access database. So, once the database has been downloaded, the security of its contents is still unknown. And now there is even more such software online; it's no secret!
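The following Python audit script is an added example, not code from the post. It takes an Access connection string of the kind shown above (the DBQ= form) together with the web root, and reports whether the database file sits inside the web root (and so can be downloaded if its address leaks), whether it still carries a directly served extension rather than the .asp/.asa rename discussed earlier, whether it relies only on a database password (which the post explains is easily recovered), and whether a DSN is used instead. A helper also checks a file's bytes for the "<%" marker that the OLE-field trick relies on. Paths are normalised with ntpath so that ".." segments and case differences cannot hide a file that really sits inside the web root. The web root, connection strings and byte samples are constructed placeholders, and the function names and dictionary keys are my own.

```python
import ntpath

# Constructed web root, modelled on the path the post uses as its example.
WEB_ROOT = r"C:\Inetpub\wwwroot"


def parse_conn_str(conn_str):
    """Split an ODBC-style 'key=value;key=value' string into a dict (keys lower-cased)."""
    parts = {}
    for item in conn_str.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def is_under(path, root):
    """True if the Windows path ``path`` lies inside the directory ``root``.

    Both paths are normalised first ('..' collapsed, case folded) so a
    connection string cannot disguise a database that is really under the
    web root.  Relative paths depend on the process working directory and
    are treated as "not provably outside", i.e. False here.
    """
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    try:
        return ntpath.commonpath([p, r]) == r
    except ValueError:  # different drive letters, or absolute mixed with relative
        return False


def contains_asp_marker(data):
    """True if the raw file bytes contain '<%', the marker the OLE-field trick adds."""
    return b"<%" in data


def has_asp_marker(path):
    """File-based wrapper around contains_asp_marker()."""
    with open(path, "rb") as fh:
        return contains_asp_marker(fh.read())


def audit_connection_string(conn_str, web_root=WEB_ROOT):
    """Report how exposed the database named by an Access connection string is."""
    parts = parse_conn_str(conn_str)
    db_path = parts.get("dbq", "")
    ext = ntpath.splitext(db_path)[1].lower()
    return {
        "db_path": db_path,
        "uses_dsn": "dsn" in parts,
        # downloadable by URL if the address leaks and IIS serves it as a static file
        "inside_web_root": bool(db_path) and is_under(db_path, web_root),
        # .asp/.asa are handed to the ASP engine; anything else is served verbatim
        "static_extension": bool(db_path) and ext not in (".asp", ".asa"),
        # a password alone is weak protection once the file has been downloaded
        "password_set": bool(parts.get("pwd")),
    }


if __name__ == "__main__":
    # Constructed connection strings covering the cases discussed in the post.
    samples = [
        r"driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=secret;DBQ=C:\Inetpub\wwwroot\myasp\data\123.mdb",
        r"driver={Microsoft Access Driver (*.mdb)};DBQ=C:\Inetpub\wwwroot\..\dbstore\123.mdb",
        r"driver={Microsoft Access Driver (*.mdb)};DBQ=D:\dbstore\123.mdb",
        "DSN=mysite;uid=admin;pwd=secret",
    ]
    for conn in samples:
        print(audit_connection_string(conn))
```

A database reported as inside_web_root with static_extension set is the case the post warns about: exposing its address is enough to download it, and password_set does not change that. The second sample shows why the normalisation matters: the ".." in the DBQ path moves the file out of the web root even though the string starts with the web root.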

Now I'm thinking: I could store it in Global.asa; very few people pay attention to that! Use it flexibly in the right place! I haven't used this myself; I heard it from friends online. I don't know whether it is feasible! Combined with using ADODB.Stream in the program, it can also prevent downloading from the IE address bar. I'll put this aside for a few days.

I also know that doing what is described above is already very safe, as far as I'm concerned! Of course, I don't mean hacking, that is, the possibility of the server itself being compromised; if that happens, the server is a machine in someone else's hands. Ah!! It seems the server network administrator's work, to a certain extent, also determines whether our programs have a market, huh!!

*****************************

Note: The non-Access database is not within the scope of this article!

Please credit the original address when reprinting: https://www.9cbs.com/read-15430.html
