Attention IIS Users: Remember to block access to INI files
Posted: Mon Aug 22, 2011 11:23 am
This is an important notice to users of Xataface and Web Auction that are running on IIS. It is very important that you ensure that you have blocked access to your ini files (especially the conf.ini file) so that your database connection information is not exposed. Most Xataface development and testing is done on Apache, so .htaccess files are used and included which block access to .ini files on that environment. However, IIS doesn't support .htaccess files, so you must ensure that you use IIS best practices for blocking access to these files.
Possible Solutions:
1. On IIS, you can add a Web.config file to your application directory which blocks access. Web Auction 0.3.10 and higher already include this file. If you are using an older version you can just create your own Web.config file and place it in your webauction directory. A sample Web.config file can be downloaded at http://weblite.ca/svn/dataface/core/tru ... Web.config
Note: This only works in IIS 7 or higher.
2. See the IIS documentation for alternative methods of blocking access to files. One such document can be found at:
http://www.iis.net/ConfigReference/syst ... Extensions
It is a good idea to test to make sure that your conf.ini file is not exposed. You can do this by pointing your browser to http://yourdomain.com/path/to/your/app/conf.ini
You should get a Forbidden or access denied message if everything is set up correctly. If you can see the contents of your conf.ini file, this is not good. You need to block access to it.
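The two steps above (drop a Web.config that denies .ini requests, then probe conf.ini to confirm it is no longer served) as one PowerShell script. This is an added example, not the Web.config shipped with Web Auction or any script from the Xataface project; the application directory, the public URL and the exact Web.config contents are assumptions that you should adapt to your own deployment.

```powershell
# Added example (not from the Xataface/Web Auction project): write a Web.config that
# denies .ini requests via IIS request filtering (IIS 7 and later), then probe
# conf.ini over HTTP to confirm the server refuses to serve it.
param(
    # Assumed values: replace with your own application directory and public URL.
    [string]$AppDir = 'C:\inetpub\wwwroot\webauction',
    [string]$AppUrl = 'http://yourdomain.com/path/to/your/app'
)

# Minimal Web.config: allowUnlisted="true" keeps every other extension working,
# only .ini is refused. Place it in the application directory (next to conf.ini).
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".ini" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

$configPath = Join-Path $AppDir 'Web.config'
if (Test-Path $configPath) {
    # Web Auction 0.3.10+ already ships a Web.config; do not clobber an existing one.
    Write-Warning "$configPath already exists; merge the <requestFiltering> block into it instead of overwriting."
} else {
    Set-Content -Path $configPath -Value $webConfig -Encoding UTF8
    Write-Host "Wrote $configPath"
}

# Probe conf.ini. Request filtering answers 404 (substatus 404.7, "file extension denied");
# other IIS mechanisms such as URL authorization answer 403. Either means the file is blocked.
$probe = "$AppUrl/conf.ini"
try {
    $resp = Invoke-WebRequest -Uri $probe -UseBasicParsing -ErrorAction Stop
    # A 2xx response means the INI file, and with it the database credentials, is readable.
    Write-Host "EXPOSED: $probe returned $($resp.StatusCode); first bytes:" -ForegroundColor Red
    Write-Host ($resp.Content.Substring(0, [Math]::Min(80, $resp.Content.Length)))
    exit 1
} catch {
    # Works for both Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException).
    $status = 0
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    if ($status -in 403, 404) {
        Write-Host "OK: $probe returned $status (blocked)" -ForegroundColor Green
        exit 0
    }
    Write-Warning "Unexpected status $status for $probe (connection error or other response); verify manually."
    exit 2
}
```

Run it from an elevated prompt on the IIS host (or against the public URL from any machine if you only want the probe). Request filtering is inherited, so a Web.config at the application root also covers .ini files in subdirectories; if your application already has a Web.config, add only the `<requestFiltering>` element to it rather than replacing the file.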