Major Security Concern

Sep 20, 2012 at 11:36 PM

Please reconsider the implementation of the images stored in the database.  Exposing connection strings (even just by name), database names, table names, ID field names, and ID field values is a horrible idea.  It doesn't open up a direct attack vector but does expose way more to the public than is necessary.

An easy change would be to implement a configuration system that would have a key name that would be used in the URL along with the ID field value.  The key value would map back to the values needed to reference the image data (connection string, db, table, column name).  It would still expose the ID value but that value alone would be far less useful to a potential hacker.

This project looks like it isn't being updated but I hope this post serves as a warning to developers who might grab this tool and implement DB images without an understanding of what they are doing.

Sep 25, 2012 at 10:00 PM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Sep 25, 2012 at 10:10 PM

Thanks for your advice ChrisPorter. I will enhance the parameter list for db-images with a predefined key representing a list of fixed parameters as you mentioned. But for this the administrator needs to add information to web.config manually which is a not so easy hit and run solution as my parameter list.

So I think it depends on your safety needs which way to go.