TechNote (Archived)

Security implications of remote database connectivity

Issue

When you create and test dynamic, database-driven web pages in Dreamweaver, using remote database connectivity can leave the databases on the testing server exposed to outside attackers. An attacker who can reach the connection scripts over HTTP could send SQL commands to the server and gain control of the database server.

Reason

When you choose "Using Driver On Testing Server" or "Using DSN on Testing Server" in the database connections dialog box, Dreamweaver automatically uploads an MMHTTPDB script file to the testing server. The script lets Dreamweaver reach the remote database driver over HTTP, which is how Dreamweaver gets the database information it needs to help you build the site. Because the script answers ordinary HTTP requests, anyone who can reach it gets the same access: the file makes it possible to list the data source names (DSNs) defined on the system, and if the DSNs and databases are not password protected, it also lets an attacker issue SQL commands to the database.

The MMHTTPDB script files are located inside the _mmServerScripts folder, which in turn sits in the root of your website. Note that Dreamweaver's own file browser (the Files panel) hides the _mmServerScripts folder, so its absence from the Files panel does not mean it is absent from the server. You can see the folder with a third-party FTP client or with the operating system's file browser on the server.

Note: In Dreamweaver UltraDev, the script files were located inside the _mmDBScripts folder.

Solution

Develop your application using a testing server

To prevent unauthorized access to your database, do not place the MMHTTPDB scripts on a production server that is reachable from the Internet. The scripts are needed only for design-time authoring within Dreamweaver, so they belong only on a protected testing server; in some configurations they are not needed at all. They play no part in serving web pages to visitors, so a production server has no use for them.

Note: It's always a good practice to protect a database by using a difficult-to-guess username and password.

To use Dreamweaver to access databases securely, here are two recommendations:

  • Use a local design-time database connection when creating and testing your dynamic web pages, as discussed in Understanding design-time and run-time connections in Dreamweaver (TechNote 16566). When you specify "Using Driver On This Machine" or "Using Local DSN", the database driver is on the same machine as Dreamweaver, so no network communication is needed to reach the driver, and Dreamweaver does not upload the MMHTTPDB scripts.
  • Use two servers: one for development and one for production. Use the development server for creating and testing your dynamic web pages. You can allow Dreamweaver to upload the MMHTTPDB scripts to the development server, provided it is protected and reachable over HTTP only from inside the corporate firewall. Never upload the MMHTTPDB scripts to the production server.
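As an added example (not part of the original TechNote and not Dreamweaver's own code), the following Python script checks a deployed site for the connection scripts in two ways: it walks a local copy of the deployed site tree for the folders this TechNote names, and it can send HTTP HEAD requests to the live server to see whether the folder and script are served. The folder names come from the TechNote; the file extensions tried, the probe's verdict labels and the example hostname are assumptions, since the TechNote gives only the MMHTTPDB base name.

```python
"""Audit a deployed Dreamweaver site for leftover MMHTTPDB connection scripts.

Two checks: walk a local copy of the deployed site tree, and (optionally) probe the
live server over HTTP for the script folder and the script file itself.
"""
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Folder names from the TechNote: Dreamweaver MX and later, and UltraDev respectively.
SCRIPT_DIRS = ("_mmServerScripts", "_mmDBScripts")
# ASSUMPTION: the TechNote gives only the base name MMHTTPDB; the extension depends on
# the server model, so several are tried.
ASSUMED_EXTENSIONS = ("asp", "php", "cfm", "jsp", "js")


def script_dirs_in(relative_paths):
    """Return the entries of a site-tree listing whose final component is a script folder."""
    hits = []
    for p in relative_paths:
        if os.path.basename(p.rstrip("/\\")) in SCRIPT_DIRS:
            hits.append(p)
    return sorted(hits)


def find_script_dirs(site_root):
    """Walk a local copy of the deployed site and return script folders as relative paths."""
    found = []
    for dirpath, dirnames, _ in os.walk(site_root):
        for d in dirnames:
            found.append(os.path.relpath(os.path.join(dirpath, d), site_root))
    return script_dirs_in(found)


def candidate_urls(base_url):
    """URLs worth requesting: each script folder and MMHTTPDB.<ext> inside it."""
    urls = []
    for d in SCRIPT_DIRS:
        urls.append(urljoin(base_url, d + "/"))
        for ext in ASSUMED_EXTENSIONS:
            urls.append(urljoin(base_url, f"{d}/MMHTTPDB.{ext}"))
    return urls


def classify_status(status):
    """Map an HTTP status to a verdict: 2xx means the server serves the resource,
    401/403 means it exists but is blocked, 404/410 means it is gone."""
    if 200 <= status < 300:
        return "exposed"
    if status in (401, 403):
        return "blocked"
    if status in (404, 410):
        return "absent"
    return "unknown"


def probe(base_url, timeout=5):
    """HEAD each candidate URL on the live server and classify the answer (needs network access)."""
    verdicts = {}
    for url in candidate_urls(base_url):
        req = urllib.request.Request(url, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                verdicts[url] = classify_status(resp.status)
        except urllib.error.HTTPError as err:
            verdicts[url] = classify_status(err.code)
        except urllib.error.URLError:
            verdicts[url] = "unreachable"
    return verdicts


if __name__ == "__main__":
    # Usage: audit_mmhttpdb.py <local-site-root> [https://www.example.com/]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for d in find_script_dirs(root):
        print(f"script folder present in site tree: {d}")
    if len(sys.argv) > 2:
        for url, verdict in probe(sys.argv[2]).items():
            if verdict != "absent":
                print(f"{verdict:11} {url}")
```

An "exposed" verdict on the script file means the production server executes it for anyone who asks, which is exactly the condition the TechNote warns about; "blocked" means the folder is still there but the web server refuses to serve it. A 2xx on the folder URL alone may only be a directory listing, and a server that answers every unknown path with a 200 "not found" page will mask a real 404, so confirm an "exposed" result by fetching the body before acting on it.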

Remove the scripts file if already uploaded to a production server

If you have inadvertently deployed the testing scripts to the production environment, you can minimize the risk of someone accessing your database by removing them. Compromise through the scripts is only possible while they are actually present on the server, so deleting them removes that avenue of database access from then on. It does not undo anything that may already have been done through them: if the scripts were reachable from the Internet, also check the web server's access logs for requests to the _mmServerScripts folder and change the database passwords.

If you have uploaded the MMHTTPDB scripts to a production server, delete them. Use the instructions below to have Dreamweaver remove the script files for you, or browse to the files on the server with a third-party FTP client or the operating system's file browser and delete them manually.
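To find out whether anyone requested the scripts while they were on the server, the access log is the place to look. The following Python script is an added example (not part of the original TechNote): it parses Apache/nginx "combined" log lines and IIS W3C extended log lines, URL-decodes each request path so that an encoded underscore cannot hide the folder name, and reports every request into the _mmServerScripts or _mmDBScripts folder, with a per-client count of the requests the server actually answered with 2xx. The IIS column order is read from the log's own #Fields: header rather than assumed. The log lines embedded in the block are constructed for the example; the client and server addresses in them are documentation ranges, not real hosts.

```python
"""Scan web server access logs for requests to Dreamweaver's connection-script folders.

Handles Apache/nginx "combined" lines and IIS W3C extended lines, taking the IIS column
order from the #Fields: header in the log. SAMPLE_LOG below is constructed for the example.
"""
import re
import sys
from collections import Counter
from urllib.parse import unquote

# Folder names from the TechNote. Matched case-insensitively (IIS paths are), after
# URL-decoding so that %5F ("_") cannot hide the folder name.
PATH_RE = re.compile(r"/(?:_mmServerScripts|_mmDBScripts)(?:/|$)", re.IGNORECASE)

# Apache/nginx combined format: client, ident, user, [time], "METHOD path proto", status ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(lines):
    """Yield {ip, method, path, status} for each request line; comment lines are skipped."""
    iis_fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            iis_fields = line.split()[1:]  # column names for the IIS lines that follow
            continue
        if line.startswith("#"):
            continue
        m = APACHE_RE.match(line)
        if m:
            yield {"ip": m["ip"], "method": m["method"],
                   "path": unquote(m["path"]), "status": int(m["status"])}
            continue
        if iis_fields:
            parts = line.split()
            if len(parts) == len(iis_fields):
                rec = dict(zip(iis_fields, parts))
                yield {"ip": rec.get("c-ip", "-"), "method": rec.get("cs-method", "-"),
                       "path": unquote(rec.get("cs-uri-stem", "")),
                       "status": int(rec.get("sc-status", "0"))}


def find_script_requests(lines):
    """Return every request whose path points into a connection-script folder."""
    return [e for e in parse_log(lines) if PATH_RE.search(e["path"])]


def served_hits_by_ip(hits):
    """Count, per client, the script requests the server actually answered with 2xx."""
    return Counter(e["ip"] for e in hits if 200 <= e["status"] < 300)


# Constructed sample: three Apache lines (one unrelated), one for the UltraDev folder,
# then an IIS section whose %5F line is an encoded "_mmServerScripts".
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2005:10:15:01 +0000] "GET /_mmServerScripts/MMHTTPDB.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.2 - - [12/Mar/2005:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Mar/2005:10:15:09 +0000] "POST /_mmServerScripts/MMHTTPDB.php HTTP/1.1" 200 120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [12/Mar/2005:10:15:30 +0000] "GET /_mmDBScripts/ HTTP/1.1" 403 210 "-" "Mozilla/4.0"',
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2005-03-12 10:16:00 10.0.0.5 GET /_mmServerScripts/MMHTTPDB.asp - 80 - 192.0.2.44 Mozilla/4.0+(compatible) 404 0 2",
    "2005-03-12 10:16:02 10.0.0.5 GET /%5FmmServerScripts/MMHTTPDB.asp - 80 - 192.0.2.44 Mozilla/4.0+(compatible) 200 0 0",
]


if __name__ == "__main__":
    # Usage: scan_mmhttpdb_log.py [access.log]; with no argument the constructed sample is used.
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_script_requests(lines)
    for h in hits:
        print(f'{h["ip"]:16} {h["status"]} {h["method"]:5} {h["path"]}')
    print("served (2xx) requests per client:", dict(served_hits_by_ip(hits)))
```

A 2xx answer to a request for the script file is the one that matters: it means the server executed the script for that client. A 403 or 404 shows someone looked but was turned away, which is still worth knowing because it tells you the folder name is being tried. If the log shows served requests from addresses you do not recognise, treat the database credentials the script could reach as compromised.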

Remove connection scripts

  • Dreamweaver MX 2004 & above (Windows and Macintosh)
    From the main menu bar, choose Site > Advanced > Remove Connection Scripts.
  • Dreamweaver MX (Windows)
    1. Open the Site panel (Window > Site).
    2. From the Site panel's menu bar, choose Site > Remove Connection Scripts.
  • Dreamweaver MX (Macintosh)
    From the main menu bar, choose Site > Remove Connection Scripts.
  • Dreamweaver UltraDev, version 4
    From the menu bar, choose Site > Remove Connection Scripts.

Additional Information

For more information on remote database connectivity and security issues, please refer to the following TechNotes:

Remote Database Connectivity reveals unfamiliar DSNs when connecting to IIS (TechNote 19207)

Remote Database Connectivity - Restricting Access to DSNs on IIS4.0 and IIS 5.0 (TechNote 19212)

Understanding design-time and run-time connections in Dreamweaver (TechNote 16566)

Document Details

ID: tn_19214
Browser: Chrome, Internet Explorer, Netscape, Opera, Safari, Firefox
Database: DB2, Informix, MySQL, Oracle, SQL Server, Sybase, MS Access
Products Affected: dreamweaver