Security Best Practice: Securing file-based databases
File-based databases, such as MS Access, dBase, FoxPro, Paradox, etc. are sometimes used on a production web site. While not generally recommended for high-volume web sites, Adobe strongly recommends that customers take precautions to secure these database files if they choose to deploy an application using a file-based database.
While the easiest place to store a database file of this type is within the file structure of your application in the web server directory, doing so can expose the data in these files to GREAT RISK. A database file placed within the application directory, or anywhere under the web server directory, can be downloaded by anyone who has access to the web site. Even if users cannot browse the web site directory, a determined user can guess file names in the directory and potentially download the entire database file.
For this reason, when you choose to deploy a database file you need to take extra care to make sure that the file(s) are in a directory that is NOT web accessible. Additionally, further securing the file at the operating system level is highly recommended. This can be accomplished using file permissions that allow read/write access only to the ColdFusion Server user account (the account the ColdFusion Server is set up to run under).
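The two controls above (keep the file out of the web root, and restrict it to the service account) can be verified with a short audit. The following script is an added example, not Adobe's or ColdFusion's own tooling. It assumes a POSIX permission model, a constructed list of file-based database extensions, and that the ColdFusion service account's numeric uid is passed in by the caller; the file layout it builds under a temporary directory is constructed for demonstration.

```python
import os
import stat
import tempfile

# Constructed list of extensions used by file-based databases named on the page
# (Access, dBase/FoxPro, Paradox); extend it to match what your site deploys.
FILE_DB_EXTENSIONS = {".mdb", ".accdb", ".dbf", ".db"}


def is_inside(path, root):
    """True if path resolves to a location at or below root (symlinks followed)."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    try:
        return os.path.commonpath([real_path, real_root]) == real_root
    except ValueError:
        # Paths on different drives (Windows) share no common path.
        return False


def audit_database_file(db_path, web_root, allowed_uid=None):
    """Return a list of findings; an empty list means the file passes.

    Checks performed:
      1. The file must not resolve to anywhere under the web root.
      2. Group and world permission bits must be clear (owner-only access).
      3. If allowed_uid is given, the owner must be that service account uid.
    """
    findings = []
    if is_inside(db_path, web_root):
        findings.append("web-accessible: %s is under web root %s" % (db_path, web_root))
    st = os.stat(db_path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("permissions too broad: mode %o allows group/other access"
                        % stat.S_IMODE(st.st_mode))
    if allowed_uid is not None and st.st_uid != allowed_uid:
        findings.append("owner uid %d is not the ColdFusion service account uid %d"
                        % (st.st_uid, allowed_uid))
    return findings


def find_database_files(directory):
    """Walk a directory tree and return every file whose extension looks like a file-based database."""
    hits = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in FILE_DB_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Build a constructed layout in a temp dir and audit a bad and a good placement."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")       # constructed web server directory
    private = os.path.join(base, "data")           # constructed non-web-accessible directory
    os.makedirs(os.path.join(web_root, "app"))
    os.makedirs(private)
    exposed = os.path.join(web_root, "app", "orders.mdb")
    safe = os.path.join(private, "orders.mdb")
    for p in (exposed, safe):
        with open(p, "wb") as f:
            f.write(b"constructed sample content")
    os.chmod(exposed, 0o644)   # readable by everyone: the situation the page warns about
    os.chmod(safe, 0o600)      # owner-only: the recommended permission
    uid = os.getuid() if hasattr(os, "getuid") else None
    return {
        "exposed": audit_database_file(exposed, web_root, uid),
        "safe": audit_database_file(safe, web_root, uid),
        "found_in_webroot": [os.path.relpath(p, web_root).replace(os.sep, "/")
                             for p in find_database_files(web_root)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run `find_database_files` against your actual web server directory: any hit is a file that should be moved out of the web root, and `audit_database_file` then confirms the new location and permissions. On Windows hosts the uid and mode-bit checks do not apply; verify the ACL grants the ColdFusion service account alone instead.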
Adobe is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to secure@adobe.com. We will work to appropriately address and communicate the issue.
For additional information on security issues at Adobe, please visit: www.adobe.com/security.
