PearlGI
Registered User.
I thought I had the security issue sorted!
This is what I've got.
Backend - located in hidden directory, database password protected, shift disabled, shortcut keys disabled.
Frontend - distributed as MDE, shift disabled, shortcut keys disabled, database window hidden etc.
To prevent unauthorised users accessing the FE the first thing it does is to validate the userID (using network name API). If invalid the FE automatically closes.
Now you may think that this is secure, but someone has found a loophole (wasn't malicious, I challenged them!).
They simply created a new db and ran the import wizard (yes, import not link) and imported all my tables from the FE. But this didn't import the tables, it created links straight through to the BE, completely bypassing all security. Once there, they could add their userID to the table of valid userIDs and enter the FE legitimately.
Can anyone see a way of preventing this? (Without using user groups or restricting network access)