How to prevent an Access database from being downloaded

Source: Internet
Author: User
Tags date object execution odbc net ole stack trace least privilege

Yesterday and animator test a bit, the Data.mdb file renamed data.asp file in the Wwwroot directory. Then in IE input data.asp path, found that IE shows a blank, right key-> view source file, out of Notepad, the content saved as an. mdb file, opened with access, found that a password was required, that is, at least the file header was corrupted.

Then use the FlashGet test to download the data.asp file, and save as a Data.mdb file, found to open with access is intact! It seems that a good number of programmers in the development of the time to think that the MDB suffix to the ASP can be downloaded to prevent the concept of the wrong! Background database download for a asp+access site is undoubtedly a tragic disaster. Today to find the articles, summed up there are the following 9 ways to prevent the database is downloaded (Welcome to add).

1. Play your imagination modify the database file name

Needless to say, this is the most lazy way, but if the attacker through a third-party access to the database path, the game is over. For example, the attacker would have only access to the list right, the result of unexpectedly see the database path, can be sounding the database to download back to study. In addition, the data files are usually large in size, and the hidden file names can not deceive people. So confidentiality is the lowest.

2. Database name suffix to ASA, ASP, etc.

This method should be in conjunction with some settings, or else it will appear at the beginning of this article.

(1) Binary fields are added.

(2) In this file, IIS will be parsed according to ASP syntax, and then will report 500 errors, nature can not download. But if it's simply a matter of adding <% to the text or Memo field in the database, because access handles the content, it will be <% in the database, invalid! The correct approach is to save the <% into the OLE Object field so that our purpose is achieved.

Action method:

First of all, use Notepad to create a new content for <% text file, a name to archive.

Next, open your database file with access, create a new table, name it, add an OLE object's field to the table, add a record, insert the previously created text file, and, if it is correct, you should be able to see a newer record named "Packet". Can.

3. Database name before adding "#"

Just add the first name of the database file to the #, and then modify the database address in the database connection file (such as conn.asp). The principle is that the download can only recognize the number of the first name of the part, for the back of the automatic removal, such as you want to download: http://www.pcdigest.com/date/#123. mdb (if present). Whether it is IE or flashget and so on are http://www.test.com/date/index.htm (index.asp, default.jsp, etc. you set up in the IIS homepage document).

In addition, in the database file name to retain a number of spaces also play a similar role, due to the HTTP protocol to address the specificity of resolution, the space will be encoded as "%", such as Http://www.test.com/date/123;456.mdb, download the time http:// Www.test.com/date/123%456.mdb. And our directory is not 123%456.mdb this file, so the download is invalid such modifications, even if you expose the database address, under normal circumstances, others are also unable to download!

4. Encrypt the database

First in the selection tool-> security-> encryption/decryption database, select the database (such as: Employer.mdb), and then determine, then the "Database encryption Save as" window, Save as: Employer1.mdb. Then the employer.mdb will be encoded and stored as employer1.mdb. Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.

Next we encrypt the database, first by opening the encoded Employer1.mdb, and when we open it, select "Exclusive" mode. Then select the "Tools-> security-> Set Database Password" in the menu, and then enter your password. So even if someone gets the Employer1.mdb file, he can't see Employer1.mdb without a password.

To modify the database Connection page after encryption, such as:

Conn.Open "driver={Microsoft Access DRIVER&NB SP;
(*.mdb)}; uid=admin;pwd= database password; dbq= database path "

After this modification, the database can not be opened even if it is downloaded (provided that the password on your database connection page is not compromised).
 
However, it is noteworthy that, because the Access database encryption mechanism is relatively simple, even if the password is set, decryption is easy. The database system forms an encrypted string by "XOR" the password entered by the user with a fixed key and stores it in the area where the *.mdb file starts at the address "&h42". So a good programmer can easily make a dozens of-line applet to get the password of any Access database easily. Therefore, as long as the database is downloaded, its information security is still unknown.

5. The database is placed outside the Web directory or the database connection file is placed under another virtual directory

If your web directory is e:\webroot, you can put the database into the E:\data folder, in the E:\webroot database Connection page to modify the database connection address is: ". /data/database name ", so that the database can be called normally, but cannot be downloaded because it is not in the Web directory! This method is generally not suitable for users who buy virtual space.

6. Using an ODBC data source

In the ASP and other program design, if there are conditions, should try to use ODBC data source, do not write the database name in the program, otherwise, the database name with the ASP source code with the Official secrets of the Official secrets, such as:

DBPath = Server.MapPath (".. /123/abc/asfadf.mdb ")
Conn.Open "driver={Microsoft Access driver&nb sp; (*.mdb)};d bq=" & DBPath

Visible, even if the database name is strange, hidden directory again deep, the ASP source code compromised, also very easy to download down. If you use an ODBC data source, there will not be such a problem: Conn.Open "odbc-dsn name", but this is more annoying, the directory to move and then reset the data source, more convenient way to see the 7th, 8 law!

7. Add a database name, such as an MDB extension map

This method is implemented by modifying the IIS settings, and is suitable for friends with IIS control and is not suitable for buying virtual host users (unless the administrator has already set them up). I think this method is the best at present. As long as you modify one place, the entire site's database can be prevented from being downloaded. There is no need to modify the code, even exposing the destination address can prevent downloads.

We add the application resolution of the. mdb file in the IIS properties---home directory---configuration---mapping---application extensions. Note that the selection of the DLL (or EXE, etc.) does not seem to be arbitrary, the choice of improper, this MDB file can still be downloaded, note that it is best not to choose Asp.dll. You can test yourself, and then download the database, and it will appear (404 or 500 Errors).

8. Advantages of using. Net

The wooden bird on the net has written a "Wbal anti-theft chain tool" to prevent illegal downloading of files.

But that only implemented to prevent non-local downloads, did not play a real download database functionality. But this method has been similar to the 5 law can be modified. NET files, to achieve local also can not download!

These methods, only the 7th and 8 are unified change, once modified configuration, the entire site of the database can be prevented from downloading, the other several to modify the database name and connection files, more trouble, but for the virtual host of friends can only be so!

In fact, the 6th method should be the 5th extension of the method, you can achieve special functions, However, for those who do not support the. NET host or fear of setting up trouble, or directly using the 5th method, and by default, the 6th method, can still be connected to the host by copying the forum or message this publication, and then you can click to download. (because such a reference page is from the same host)

9. File permission settings using NTFS partitions (bypercyboy)

We already know that ASP. NET, Access databases are accessed through OLE DB connections-one of the low-end databases we use very often. This article discusses some of the error prompts you may see in ASP.net, where you see the database files created by Access2000 and Accessxp, and a less common error message occurs when an error occurs. Hope to help you. Another important point is that, hopefully, this article will give you a new understanding of NTFS permissions settings for Access database files in asp.net.

(i) the experimental process

For the sake of narration convenience, give a concrete example to do an experiment: The application is/test, the database is stored in D:\wwwroot\test\data\ Db1.mdb, we already know that the database is accessed in asp.net as a virtual user of the ASPNET, and we need to give this account a specific NTFS permission to make the ASP.net program work.

To get the most restrictive NTFS permission settings, we gave the program the lowest NTFS permissions at the beginning of the experiment:

A D:\wwwroot\test\data\ the folder to the user ASPNET with the following permissions:

Allow Deny
Full control of &n BSP; --
Modify &nbs p; &nbs p;--
Read and run √-;
Lists folder directories; √-
Read &nbs p; &nbs p;√-
Write &nbs p; &nbs p;--

b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:

√ Allows inheritable permissions from the parent to propagate to the object

1.1 For an ASPX program that contains only the "SELECT" command, the above permission setting has no barrier to running: The above permission has already satisfied the operation of such a program.

1.2 aspx programs that contain commands such as "Update" INSERT "Update".

(a) If Db1.mdb is a database created by Access2000, the following error occurs:

A server error in the "/test" application.

Microsoftjet Database engine cannot open file ' D:\wwwroot\test\data\ '. It has been opened exclusively by another user or does not have permission to view the data.

Note: An unhandled exception occurred during the execution of the current Web request. Check the stack trace for more information about the error and where the error occurred in the code.

Exception Details: System.Data.OleDb.OleDbException:MicrosoftJet Database engine cannot open file ' D:\wwwroot\test\data\ '. It has been opened exclusively by another user or does not have permission to view the data.

(b) If Db1.mdb is a database created by ACCESSXP, the following error occurs: A server error in the "/test" application.

The operation must use an updatable query.

Note: An unhandled exception occurred during the execution of the current Web request. Check the stack trace for more information about the error and where the error occurred in the code.

Exception Details: System.Data.OleDb.OleDbException: The operation must use an updatable query.

(c) Preliminary analysis: Because there are commands such as "Update" INSERT "Update" that require writing to the database file itself, the above permissions do not meet this requirement, and we need to further release the permissions.

We let go of some authority,

A) The D:\wwwroot\test\data\ folder is unchanged;

b) D:\wwwroot\test\data\db1.mdb the file itself to the user ASPNET with the following permissions;

Allow Deny
Full control of &n BSP; --
Modify &nbs p; &nbs p;--
Read and run √-;
Lists folder directories; √-
Read &nbs p; &nbs p;√-
Write &nbs p; &nbs p;√-

1.3 To continue the experiment after releasing permission

(a) If Db1.mdb is a database created by Access2000, the following error occurs: A server error in the "/test" application.

Cannot lock file.

Note: An unhandled exception occurred during the execution of the current Web request. Check the stack trace for more information about the error and where the error occurred in the code.

Exception Details: System.Data.OleDb.OleDbException: Cannot lock file.

(b) If Db1.mdb is a database created by Accessxp, no error occurs.

(c) Preliminary analysis: We find that when an Access database is opened, a *.ldb file with the same name is generated in the same directory as the lock tag for access. In view of this, we suspect that when the user ASPNET accesses an Access database, it is also necessary to generate a lock tag, which does not allow it to be written, and therefore has an error. As for the database created by Accessxp Why there is no such error, the reason is still unknown.

We further liberalized our authority,

A D:\wwwroot\test\data\ folder to the user ASPNET with the following permissions:

Allow Deny
Full control of &n BSP; --
Modify &nbs p; &nbs p;--
Read and run √-;
Lists folder directories; √-
Read &nbs p; &nbs p;√-
Write &nbs p; &nbs p;√-

b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:

√ Allows inheritable permissions from the parent to propagate to the object

1.4 Continue the experiment, found that the error has been resolved, then the above permission is we need to release the "least privilege".

(a) If Db1.mdb is a database created by Access2000, we will find a small problem: the generated *.ldb file will not be deleted by itself, the file still exists after the visit, but this problem does not affect the normal operation of ASP.net.

(b) If Db1.mdb is a database created by accessxp, there is no such problem.

(c) Preliminary analysis: We just gave the ASPNET the right to write to the folder, without the permissions to modify it, so once the file is written, it cannot modify its contents, and the *.LDB is deleted.

If you do not want to solve this problem, further release permissions are:

A D:\wwwroot\test\data\ folder to the user ASPNET with the following permissions:

Allow Deny
Full control of &n BSP; --
Modify &nbs p; &nbs p;√-
Read and run √-;
Lists folder directories; √-
Read &nbs p; &nbs p;√-
Write &nbs p; &nbs p;√-

b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:

√ Allows inheritable permissions from the parent to propagate to the object

1.5 with it, experiment with another scenario: We turn Db1.mdb in Access, and access asp.net.

(a) If Db1.mdb is a database created by Access2000, we find that there are no problems.

(b) If Db1.mdb is a database created by ACCESSXP, the following error occurred: &NB.

(t003)



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.