Reply to newsgroup only. Remove NEWS if you must reply by email, but please
"Martin c" <martin@nospam.com> wrote in message
news:ek6Yds7nDHA.1728@TK2MSFTNGP09.phx.gbl...
> Hi There.
>
> I have recently inherited a fairly large shared web hosting platform which,
> among other features, allows customers to place Access databases in their web
> sites, and then read / write data to them via DSN / DSN-less connections.
>
> However, a security problem became apparent to me:
> If an unscrupulous web browser could discern the name of the database in
> question, it could be downloaded over the internet, as the user under which
> Internet access was enabled has to have read / write access to the database.
> To mitigate this problem, I have written an ISAPI plugin (triggered by
> ::OnUrlMap) that checks for the extension, and if it's .mdb then checks there
> is no referer (typing the URL directly into the browser causes this), in which
> case you are redirected to a 404 not found page.
>
> Unfortunately, if the home page uses a DSN-less connection, including a bit
> of ASP saying Server.mappath("/Data/mydatabase.mdb"), then there is no
> referer and the 404 page is displayed.
>
> My question is this: does anyone have any idea how to filter out these
> Server.mappath requests in the code? I cannot unfortunately tell >50 of our
> customers to re-write their web sites. Well, I could, but I would rather
> not.
>
> Any tips / advice would be appreciated.
> Here is the code for the ISAPI dll.
> --------------------------------------------------------------------------
> DWORD CJSISAPIFilter::OnUrlMap(CHttpFilterContext* pCtxt, PHTTP_FILTER_URL_MAP pMapInfo)
> {
>     // HTTP_REFERER is a client-supplied header; the buffer is pre-initialised so
>     // the test below never reads garbage when GetServerVariable fails because
>     // no Referer header was sent.
>     char szReferer[250] = "";
>     DWORD dwReferer = sizeof(szReferer);
>     const char * szRedirect = "Location: http://www.commercial.easynet.net/notfound.htm\r\n\r\n";
>     size_t lenURL = strlen(pMapInfo->pszURL);
>
>     // Compare the extension case-insensitively instead of calling strlwr() on
>     // pszURL, which is a const buffer owned by IIS, and guard against URLs
>     // shorter than ".mdb" before indexing lenURL - 4.
>     if ( lenURL >= 4 && _stricmp(&pMapInfo->pszURL[lenURL - 4], ".mdb") == 0 ) {
>         if ( !pCtxt->GetServerVariable("HTTP_REFERER", szReferer, &dwReferer)
>              || szReferer[0] != 'h' ) {
>             // Second argument is the status line, third the additional headers.
>             pCtxt->ServerSupportFunction( SF_REQ_SEND_RESPONSE_HEADER,
>                 (LPVOID) "302 Redirect", (DWORD *) szRedirect, 0 );
>             return SF_STATUS_REQ_FINISHED;
>         }
>     }
>     return SF_STATUS_REQ_NEXT_NOTIFICATION;
> }
>
> Thanks go to 15seconds.com, from whom I plagiarised / adapted this code.
>
> Any advice would be massively appreciated.
>
> Regards
>
> M Christopher
>
>
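A self-contained version of the extension check, added here as an example and not part of the original post or the filter it quotes. The decision depends only on the requested path: the Referer header is chosen by the client, so its presence or absence proves nothing about where a request came from, and a database file never needs to be served to a browser at all. The post shows that OnUrlMap is also reached by Server.mappath, so a check like this belongs in a notification that only fires for client requests (SF_NOTIFY_PREPROC_HEADERS, reading the "url" header); the ISAPI plumbing is left out so the code compiles with any C++ compiler, and `RequestsMdb` / `ShouldBlockRequest` are names chosen for this example.

```cpp
#include <cstring>
#include <cctype>
#include <cstdio>

// Return true when the request path names an Access database file.
// The path is treated as read-only (no strlwr() in place) and compared
// case-insensitively, so "/Data/X.MDB" is caught as well as "/data/x.mdb".
bool RequestsMdb(const char* path)
{
    static const char kExt[] = ".mdb";
    const size_t extLen = sizeof(kExt) - 1;

    if (path == NULL) return false;

    // Only the path part carries the extension; ignore any query string.
    size_t len = strcspn(path, "?");
    if (len < extLen) return false;   // too short to end in ".mdb"; avoids len - 4 underflow

    const char* suffix = path + len - extLen;
    for (size_t i = 0; i < extLen; ++i) {
        if (tolower((unsigned char)suffix[i]) != kExt[i]) return false;
    }
    return true;
}

// Filter decision: refuse every request for a .mdb file, with no Referer test.
// A missing Referer is normal (typed URL, privacy settings) and a present one
// is trivially under the client's control, so it cannot gate access.
bool ShouldBlockRequest(const char* path)
{
    return RequestsMdb(path);
}

int main()
{
    // Constructed sample paths, including mixed case and a query string.
    const char* samples[] = {
        "/data/mydatabase.mdb", "/DATA/MyDatabase.MDB", "/data/mydatabase.mdb?x=1",
        "/index.asp", "/mdb", "/data/mydatabase.mdb.txt"
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i)
        printf("%-32s -> %s\n", samples[i], ShouldBlockRequest(samples[i]) ? "block" : "allow");
    return 0;
}
```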