FileVista Database connection information is stored in cleartext
Problem reported by Cherie Watts - May 3 at 5:20 AM
Hi
I noticed that the database connection information is stored in plain text in the FileVista.config file. This is a security problem.
 
Can an update be made to encrypt the password? Ideally encrypt the username as well.
 
Thanks
Cherie

Cem Alacayir Replied
Employee Post
Hi,
We store it as plain text for easier manual configuration changes.
 
The connection string is stored in the App_Data\FileVista.config file, and App_Data is a special folder which ASP.NET secures out of the box, i.e. ASP.NET prevents downloading of files inside the App_Data subfolder.
 
So the only way to access it would be logging on to your server (e.g. remote desktop) and opening it in Windows Explorer. So you should already be the administrator to be able to do that.
 
By the way, FileVista prevents navigating outside of a root folder (blocks dot dot notation ..\) so even if you have a root folder pointing to App_Data\SomeRootFolder you will not be able to go up to the parent.

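Whether only administrators can open App_Data\FileVista.config on a given server depends on the NTFS permissions on that file, which can be listed directly. The script below is an added example, not part of the thread and not FileVista's own code; the install path in `$SiteRoot` is an assumption and must be changed to the real deployment folder.

```powershell
# Added example: list every account that can read the FileVista config file
# and flag broad groups that should not have access to stored credentials.
param(
    # Assumed install location (not from the thread); point this at your site.
    [string]$SiteRoot = 'C:\inetpub\wwwroot\FileVista'
)

$configPath = Join-Path $SiteRoot 'App_Data\FileVista.config'

# Well-known SIDs of groups that cover far more than server administrators.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# ReadData is the right needed to read the file's contents.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$acl   = Get-Acl -LiteralPath $configPath
# Include explicit and inherited rules, keyed by SID so the check is locale-independent.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.FileSystemRights -band $readMask) -eq 0) { continue }

    $sid  = $rule.IdentityReference.Value
    $name = $sid
    try {
        $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned or unresolvable SID: report the raw SID instead.
    }

    [pscustomobject]@{
        Identity  = $name
        Sid       = $sid
        Rights    = $rule.FileSystemRights
        Inherited = $rule.IsInherited
        TooBroad  = $broadSids.ContainsKey($sid)
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object TooBroad) {
    Write-Warning "Broad groups can read $configPath; restrict it to administrators and the application pool identity."
}
```

The application pool identity that runs the site will appear in the output because the application itself has to read the connection string, so any code running under that identity can read it too.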