Attention IIS Users: Remember to block access to INI files

A place for users and developers of the Xataface to discuss and receive support.

Attention IIS Users: Remember to block access to INI files

Postby shannah » Mon Aug 22, 2011 11:23 am

This is an important notice to users of Xataface and Web Auction that are running on IIS. It is very important that you ensure that you have blocked access to your ini files (especially the conf.ini file) so that your database connection information is not exposed. Most Xataface development and testing is done on Apache so .htaccess files are used and included which block access to .ini files on this environment. However IIS doesn't support .htaccess files so you must ensure that you use IIS best practices for blocking access to these files.

Possible Solutions:

1. On IIS, you can add a Web.config file to your application directory which blocks access. Web Auction 0.3.10 and higher already include this file. If you are using an older version you can just create your own Web.config file and place it in your webauction directory. A sample Web.config file can be downloaded at http://weblite.ca/svn/dataface/core/tru ... Web.config

Note: This only works in IE 7 or higher.

2. See the IIS documentation for alternative methods of blocking access to files. One such document can be found at:
http://www.iis.net/ConfigReference/syst ... Extensions


It is a good idea to test to make sure that your conf.ini file is not exposed. You can do this by pointing your browser to http://yourdomain.com/path/to/your/app/conf.ini
You should get a Forbidden or access denied message if everything is set up correctly. If you can see the contents of your conf.ini file, this is not good. You need to block access to it.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Re: Attention IIS Users: Remember to block access to INI fi

Postby jazcam » Fri Dec 09, 2011 2:50 pm

Steve,
I have done this. Copied the sample file; named it Web.config, and placed it in the app directory. Both Chrome and IE8 will download the file. What's with that?
jazcam
 
Posts: 1
Joined: Fri Dec 09, 2011 11:09 am

Re: Attention IIS Users: Remember to block access to INI fi

Postby shannah » Fri Dec 09, 2011 4:00 pm

I am not an expert on IIS. If this isn't working, there is likely a setting in IIS that you have to set. My recommendation would be to not use IIS.
If you must use IIS perhaps look into ways to disallow IIS from serving certain files.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 94 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved