DataBase Protection


  • DataBase Protection

    Hi, I have 2 concerns.

    I see that in the Enterprise version the agent bot can be customized, which is great. But the Zoom search engine still displays Zoom command codes in the URL.

    Like when someone makes a search it shows:
    The search.cgi can be renamed and it still works. But everyone can find out that the search is done with Zoom by looking at the URL bar:
    zoom_sort=0&zoom_xml=0&zoom_query

    Then someone just needs to go to the domain.com/cgi-bin/ folder and type the database names directly to download them.

    Of course, if you type the database name in the browser, the CGI will display an error. But that doesn't prevent someone from just downloading the full database file by file and replicating it somewhere else.

    We are greatly concerned about our database, since it will cost us money to build it.

    A solution would be to hide the database somewhere else: renaming the Zoom commands, or protecting it from download somehow, and just letting the search CGI file execute but not letting a browser download them.

    So my question is:
    Is there a way to change the Zoom commands in the search script?

    Is there a way to move or protect the database from public download? Rename it, or move it to another location, but have the search still find it to display searches.


    Thanks

  • #2
    Originally posted by nibb View Post
    I see that in the Enterprise version the agent bot can be customized, which is great. But the Zoom search engine still displays Zoom command codes in the URL.

    Like when someone makes a search it shows:
    The search.cgi can be renamed and it still works. But everyone can find out that the search is done with Zoom by looking at the URL bar:
    zoom_sort=0&zoom_xml=0&zoom_query
    First of all, this is necessary to avoid conflicts between parameter names if the CGI is used within a dynamically generated page (e.g. PHP, ASP, or another CGI) which needs other parameters. For example, the page which the CGI is called from may also have a parameter named "query" or "sort". The "zoom_" part is necessary to avoid conflict.

    Originally posted by nibb View Post
    Then someone just needs to go to the domain.com/cgi-bin/ folder and type the database names directly to download them.
    No, you can configure your server to not serve the ZDAT files so nobody would be able to download them. In fact, this is the default on many servers. Apache does not serve anything but CGI files within the "cgi-bin" folder. I think IIS 6 will also refuse to serve any file extension that's not in its MIME list.

    If your server settings are different, you can still configure what files to be served or not served. On Apache, a .htaccess file such as the following placed in the same folder will achieve this:

    Code:
    <FilesMatch "\.(zdat)$">
       Deny from all
    </FilesMatch>
    Consult the documentation for your web server for more information.
    --Ray
    Wrensoft Web Software
    Sydney, Australia
    Zoom Search Engine
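
Added example, not part of the post above and not Wrensoft's own configuration: `Deny from all` is Apache 2.2 access-control syntax, and on Apache 2.4 it is honoured only when mod_access_compat is loaded. The .htaccess below applies the same block to the .zdat files on either version. It assumes the server's AllowOverride setting permits these directives in .htaccess (AuthConfig for `Require`, Limit for `Order`/`Deny`).

```apache
# .htaccess in the folder that holds the Zoom index (.zdat) files.
# Added example. It refuses direct HTTP requests for the data files;
# the search CGI reads them from disk, not over HTTP, so it is unaffected.

# (?i) makes the match case-insensitive, so a request for FILE.ZDAT on a
# case-insensitive filesystem is refused as well.
<FilesMatch "(?i)\.zdat$">
    # Apache 2.4 and later: mod_authz_core provides "Require".
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: fall back to the older Order/Deny directives.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying it, request one of the .zdat files by URL and confirm the response is 403 Forbidden, then run a search to confirm the CGI still returns results.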



    • #3
      You're right, it doesn't serve them by default. I thought you could still download it by right-clicking and saving it to disk. But all it saves is the 500 error page and not the database. So I suppose trying with a download manager will give the same result, just downloading Apache's output, the 500 error.

      By the way, changing the name of search.cgi doesn't seem to affect the script in any way. It works exactly the same. The Zoom commands could easily be replaced with something custom like z3933, or left to the imagination. I don't think it will conflict if you just do a "Search and Replace" on the CGI file, unless the CGI file depends on other files to work. If that were so, then it would not work when renaming it. It seems the CGI file is standalone. I think I did modify it once when I played with version 4 some years ago, but it seems the source code is now blocked.



      • #4
        Originally posted by nibb View Post
        You're right, it doesn't serve them by default. I thought you could still download it by right-clicking and saving it to disk. But all it saves is the 500 error page and not the database. So I suppose trying with a download manager will give the same result, just downloading Apache's output, the 500 error.
        Yes, the server behaviour would not change for a download manager.

        Originally posted by nibb View Post
        By the way, changing the name of search.cgi doesn't seem to affect the script in any way. It works exactly the same. The Zoom commands could easily be replaced with something custom like z3933, or left to the imagination. I don't think it will conflict if you just do a "Search and Replace" on the CGI file, unless the CGI file depends on other files to work. If that were so, then it would not work when renaming it. It seems the CGI file is standalone. I think I did modify it once when I played with version 4 some years ago, but it seems the source code is now blocked.
        I don't think you understand. Stand-alone scripts can be embedded and called from other scripts that are made by our users (e.g. someone who created a PHP-driven website could have a custom PHP page which embeds our search function within their script).

        The CGI has always been a C++ compiled executable. It is not a text "script" and cannot be modified by doing a search and replace. The source code is not "blocked", it is compiled out of necessity for it to run as a high performance application. You were most likely thinking of either the PHP or ASP scripts which you had previously messed with.
        --Ray
        Wrensoft Web Software
        Sydney, Australia
        Zoom Search Engine
