INFO:
SalesCart / FrontPage /fpdb folder security
The information in this article applies to the following SalesCart products:
STD, PRO, PLUG-IN
SYMPTOMS
If I visit http://www.mywebsite.com/fpdb/shop.mdb,
I am able to download the order database.
Is this a security issue in SalesCart? No.
All SalesCart users should make themselves aware of the security issues of
FrontPage databases. With SalesCart on FrontPage, the security of the
shopping cart database is entirely within the control of, and the
responsibility of, the merchant: these settings are made by the FrontPage
user with FrontPage connected to the live Web site.
CAUSE
This is a security issue caused by incorrect security settings on the
Microsoft Internet Information Server (IIS) Web server where SalesCart is
running. If this is occurring on your Web site, then either you, or your ISP
or service provider, mismanaged these security obligations during the
deployment of your FrontPage Web site.
RESOLUTION
The installation and deployment of the SalesCart shop.mdb database is
discussed in the SalesCart manuals, specifically in the Getting Started
section (page 35 of the SalesCart 2.0 manual and page 72 of the SalesCart
PRO manual). The relevant part of the SalesCart 2.0 manual is reproduced here:
Changing Permissions
To change the permissions of a folder, right-click on the folder and select
Properties. The Properties dialog box will appear for the folder selected.
- For the cgi-bin and mall folders only, make sure that all three boxes are
checked. If only two boxes appear, then your ISP has not given you the
ability to download executables and you must contact your ISP for more
permissions.
- For the fpdb folder only, check only the Allow programs to be run and
Allow scripts to be run boxes. Leave the Allow files to be browsed box
unchecked to prevent unauthorized access to your orders.
- After applying the appropriate changes, click OK.
Note: If you check the "Allow files to be browsed" box for the /fpdb folder,
the security of your orders can be compromised. Double check to make sure
it is unchecked before continuing.
How do I test to see if this is occurring on my Web site?
Simply point your browser at your Web site's shop.mdb, for example
http://www.domain.com/fpdb/shop.mdb. If you get this message:
HTTP Error 403
403.2 Forbidden: Read Access Forbidden
This error can be caused if there is no default
page available and directory browsing has not been enabled for the
directory, or if you are trying to display an HTML page that resides in a
directory marked for Execute or Script permissions only.
Please contact the Web server's administrator if
the problem persists.
If you get this message, then the security settings are correct. If you do
not, your browser will download the database. Unless you have protected it
with a password (an additional, secondary safeguard supported by SalesCart),
the database can be downloaded, opened, and its order data compromised. Note
that an Access database password does not stop the file itself from being
downloaded and is a weak control on its own; it is not a substitute for the
folder permissions described above.
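The browser check above can be scripted so it is repeated after every FrontPage publish or ISP change. The following is an added example, not code from SalesCart or the original article. It requests the database with a small Range header (so an exposed multi-megabyte file is not pulled down in full), treats an IIS 403 as the expected "protected" result, and, because some servers answer 200 with a custom error page, only reports "exposed" when the body actually starts with the Access/Jet file signature. The hostname www.domain.com is the article's placeholder; the sample responses are constructed for offline use.

```python
"""Check whether a SalesCart /fpdb/shop.mdb can be downloaded over HTTP.

Added example for the article's manual test; not SalesCart's own code.
"""
import urllib.error
import urllib.request

# Access/Jet .mdb files carry this ASCII signature at offset 4 of the file.
JET_SIGNATURE = b"Standard Jet DB"

# Paths the article names; /fpdb/ itself is probed for a directory listing.
DEFAULT_PATHS = ["/fpdb/shop.mdb", "/fpdb/"]

# Constructed sample responses (not real captures) for offline demonstration.
SAMPLE_RESPONSES = {
    "leaked-db": (200, b"\x00\x01\x00\x00Standard Jet DB\x00\x01\x00\x00"),
    "iis-403": (403, b"<html><body>403.2 Forbidden: Read Access Forbidden</body></html>"),
    "custom-404-as-200": (200, b"<html><body>Sorry, that page was not found</body></html>"),
}


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status and the first bytes of the body to a verdict.

    exposed        - a real Jet database was served (permissions are wrong)
    served-non-mdb - 200/206 but not a Jet file (custom error page; inspect)
    protected      - 403, the expected IIS "Read Access Forbidden" answer
    missing        - 404, no database at that path
    other          - anything else (redirects, auth prompts, 5xx)
    """
    if status in (200, 206):            # 206 when the Range header is honoured
        return "exposed" if JET_SIGNATURE in body[:32] else "served-non-mdb"
    if status == 403:
        return "protected"
    if status == 404:
        return "missing"
    return "other"


def fetch(url: str, max_bytes: int = 64, timeout: float = 10.0):
    """Return (status, first max_bytes of the body) for url."""
    req = urllib.request.Request(
        url,
        headers={"Range": f"bytes=0-{max_bytes - 1}", "User-Agent": "fpdb-check/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(max_bytes)
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive here with a body
        return err.code, err.read(max_bytes)


def check_site(base_url: str, paths=DEFAULT_PATHS) -> dict:
    """Probe each path under base_url; returns {path: (status, verdict)}."""
    results = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = (status, classify(status, body))
    return results


def classify_samples() -> dict:
    """Run classify() over the constructed samples; usable offline."""
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for path, (status, verdict) in check_site(sys.argv[1]).items():
            print(f"{path}: HTTP {status} -> {verdict}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it as `python fpdb_check.py http://www.domain.com`; with no argument it classifies the constructed samples. A "protected" verdict on /fpdb/shop.mdb is the 403.2 result the article describes; "served-non-mdb" means the server answered 200 and the body needs a look before concluding anything.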
How do I keep this from happening?
First, read the SalesCart manual, specifically the Getting Started section,
where the procedures to secure this FrontPage database are thoroughly
discussed as part of installing, deploying and running SalesCart.
As an alternative to the FrontPage method for securing this database, you
may also do this directly from the Microsoft IIS Management Console. Open the
properties for the /fpdb folder and ensure the access permissions are as
follows:
NOTE: Read is unchecked under the Access Permissions for the /fpdb folder.
(FrontPage's "Allow files to be browsed" corresponds to the IIS Read
permission; "Allow scripts to be run" and "Allow programs to be run"
correspond to Script and Execute, which remain enabled.)
SUMMARY
Incorrect Microsoft FrontPage or Microsoft IIS settings on the /fpdb folder can allow malicious download of the shopping cart database.
STATUS
This is not a SalesCart defect; it is a configuration issue with Microsoft FrontPage databases on Microsoft IIS.
REFERENCE
none
Additional Query Words: security, fpdb security, securing folders, folder security, database secure, mdb security
Active/inactive: Active
Author: WS
Date: 04/30/03