Re: .ASP security question

Fri, 05 Mar 2004 11:28:02 -0800

I just don't know... why don't you try doing that yourself? If you can query the datasource without a password, then you can definitely extract everything you need from the database.  Not necessarily the easiest workaround, but definitely doable.

- Matt Small
  ----- Original Message -----
  From: Ben Braver
  To: CF-Community
  Sent: Friday, March 05, 2004 1:25 PM
  Subject: Re: .ASP security question

  I know the conn string, it's in one of the ASP scripts:
  var oConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\\inetpub\\wwwroot\\Competency Model\\newTool\\db\\competencies.mdb;";
  %>

  Is it possible that OLEDB can query a password-protected Access
  database WITHOUT using a password?

  Thanks. /Ben

  > Forgot the closing parentheses:
  > response.write ("The conn string is: " + oConnString + " <br>">)
  >
   
  > ----- Original Message -----
   
  > From: Matthew Small
   
  > To: CF-Community
   
  > Sent: Friday, March 05, 2004 1:56 PM
   
  > Subject: Re: .ASP security question
  >
  >
   
  > You need to find out the value of oConnString. Try this in your app:
    ...
  >
   
  > var oPass = Request.Form("pWord");
  >
   
  > response.write ("The conn string is: " + oConnString + " <br>">
  >
   
  > //Open database connection
    ...
  >
  >
   
  > That will display your connection string in the browser.  Of course,
  > it will be available to everyone who views that page.
  >
   
  > - Matt Small
      
  > ----- Original Message -----
      
  > From: Ben Braver
      
  > To: CF-Community
      
  > Sent: Friday, March 05, 2004 12:45 PM
      
  > Subject: Re: .ASP security question
  >
      
  > Searched the code for "password" and found this:
  >
      
  > //Retrieve username and password from previous form
      
  > var oUser = Request.Form("uName");
      
  > var oPass = Request.Form("pWord");
  >
      
  > //Open database connection
      
  > var tblAuth = Server.CreateObject("ADODB.Recordset");
      
  > var strSQL = "Select * FROM Authentication";
      
  > oConn.Open(oConnString);
      
  > tblAuth.Open(strSQL, oConn);
  >
      
  > Just below this fragment, it tries to match uName and pWord
      
  > against the recordset, decides whether to grant or deny.
  >
      
  > But still puzzling me is how the ADODB recordset can be created
      
  > without having a password to the Access database ??
  >
      
  > -Ben
  >
      
  > >PS, given the ability to reference the system.mdw,
      
  > >it would seem that the OLE DB connection is using Access security.
      
  > >
      
  > >this is from the url I referenced:
      
  > >
      
  > >The final Connection String should look like this:
      
  > >Provider=Microsoft.Jet.OLEDB.4.0;Password=joe;User ID=jim;Data
      
  > >Source=C:\My.mdb;Persist Security Info=True;Jet OLEDB:System
      
  > >database=C:\Program Files\Common Files\System\SYSTEM.MDW;Jet
  > OLEDB:Database
      
  > >Password=14323
      
  > >
      
  > >
      
  > >-----Original Message-----
      
  > >From: bbraver <mailto:[EMAIL PROTECTED]>
      
  > >
      
  > >
      
  > >
      
  > >Outbound email scanned for viruses. (e232)
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]

Reply via email to