Maximized Software

FlashStats

Support: Tech Notes

Tech note FS1344

Description
Security for the FlashStats configuration file.

Answer
FlashStats requires that the FlashStats configuration file be located in the same directory (folder) as the FlashStats binary executable file. These file names are as follows:

Platform     Executable file name    Configuration file name
Windows      FlashStats.exe          FlashStats.ini
Macintosh    FlashStats.acgi         FlashStats.ini
UNIX         FlashStats.cgi          FlashStats.conf

The primary concern is to prevent web surfers from being able to see the configuration file. If they could see it, that would be a security breach, because the file contains all of the FlashStats user account definitions, including their passwords.

For most Windows and UNIX systems this should not be a problem, because the executable is located in a directory that holds only executables and the configuration file cannot be viewed. You can test this by requesting the configuration file from your server with a URL such as this (modify as appropriate):

http://www.myserver.com/scripts/FlashStats.ini

You should get an error, usually error 403. If not, please check your server's configuration to ensure that files in the directory can only be executed, not requested. (This is often accomplished by making sure that the files have Execute permission but not Read permission.)

On Macintosh systems there is more of a concern. The preferred solution is to move both the FlashStats executable (FlashStats.acgi) and the FlashStats configuration file (FlashStats.ini) into a separate CGI folder somewhere other than under your normal HTML document root. Then specify that folder as your CGI folder, and configure your server so that it only executes CGI programs if they are located in the CGI folder.

You will have to edit the FlashStats Report Request Form (index.html) so that the <form action=> tag points to the correct URL on your system. You will also have to move any other CGI programs into this folder and change any pages referring to them as well.

If you don't want to move all of your executables into a special CGI folder, then you can use other tricks to prevent the configuration file from being returned successfully. One idea is to map the ".ini" file extension to another type. For instance, you can map it to Maxum NetForms, so if the user requests it they will simply get a message stating "Thanks for your form submission," and NetForms won't do anything with it.
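The request test described above can be scripted and run against your own server. This is an added example, not Maximized Software code: it requests each configuration file name and separates a refused request from a real exposure and from a substitute page such as the extension-mapping workaround returns. The `marker` parameter, the local test server and the sample file content are assumptions constructed for the example.

```python
import functools, http.server, pathlib, tempfile, threading
import urllib.error, urllib.request

# Configuration file names from the table in this tech note.
CONFIG_NAMES = ("FlashStats.ini", "FlashStats.conf")

def check_config_exposure(base_url, marker, timeout=5):
    """Request each config file name under base_url and classify the answer.

    marker is bytes you know occur in your own config file (assumption: for
    example one of your FlashStats account names). Returns a dict mapping
    name -> "denied", "exposed" or "served-other".
    """
    # Connect directly and ignore proxy environment variables.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for name in CONFIG_NAMES:
        url = base_url.rstrip("/") + "/" + name
        try:
            with opener.open(url, timeout=timeout) as resp:
                body = resp.read(1 << 20)
        except urllib.error.HTTPError:
            results[name] = "denied"  # 403, 404, ...: the file was not returned
            continue
        # Success status: the real file, or a substitute page such as the
        # extension-mapping workaround produces. The marker tells them apart.
        results[name] = "exposed" if marker in body else "served-other"
    return results

def demo(marker=b"alice"):
    """Run the check against a constructed local server that serves the file."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample content, not a real FlashStats configuration.
        sample = b"user=alice\npassword=example\n"
        pathlib.Path(root, "FlashStats.ini").write_bytes(sample)
        handler = functools.partial(
            http.server.SimpleHTTPRequestHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            return check_config_exposure("http://127.0.0.1:%d/" % port, marker)
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(demo())
```

To audit a real installation, call `check_config_exposure` with the URL of your own CGI directory; any "exposed" result means the server configuration still returns the file.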

Finally, please note that FlashStats 1.4 beta 6 and later can read the FlashStats configuration file from the system Preferences folder (Macintosh systems only). Simply move the FlashStats.ini file into the Preferences folder. Any configuration file in the same folder as FlashStats.acgi will take precedence; if no such file exists then FlashStats will look for its configuration file in the Preferences folder.


Questions? Contact info@maximized.com
Copyright © 1995-2010 Maximized Software. All rights reserved.