
Check for read-only connection string for the reporting module

Open jokob opened this issue 8 years ago • 6 comments

A security check for read-only connection string for the reporting module

jokob avatar Apr 15 '16 06:04 jokob

Hi @jokob, interesting idea. How would you implement that?

ondrejsevcik avatar Apr 18 '16 06:04 ondrejsevcik

I'd simply check if there is another connection string in the web.config and if it's used for the reporting module. It would be too difficult to check the actual permissions, but this already gives us an idea if they've thought of setting it up in the first place.

jokob avatar Jun 01 '16 05:06 jokob

Just a note - we'd have to check both settings and reports as the connection string can be defined on both levels. Is it safe to assume that, when there is a second connection string in the web.config that is used by at least one report, security matters have been taken into consideration and the result should be "Good"?

petrsvihlik avatar Jun 01 '16 08:06 petrsvihlik

I think it would be a good pointer. But mostly, if there would be only one connection string it would automatically mean they didn't take care of this configuration...

jokob avatar Jun 01 '16 09:06 jokob

Do you suggest checking just for the existence of another connection string?

petrsvihlik avatar Jun 01 '16 11:06 petrsvihlik

Yes, why not... if there is only one, that means there definitely isn't a read-only one for reporting.

jokob avatar Jul 29 '16 07:07 jokob
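
The heuristic discussed in this thread, as an added sketch that is not KInspector code and was not posted by any participant. It goes one step beyond the thread by also comparing the login of the reporting connection with the main one. Assumptions: the main connection string is named `CMSConnectionString`, the `names_used_by_reporting` input (names gathered from the reporting settings and the individual reports) is hypothetical, the "Bad" and "Warning" labels are illustrative, and the sample web.config is constructed.

```python
import xml.etree.ElementTree as ET

MAIN_NAME = "CMSConnectionString"  # assumption: name of the main connection string

# Constructed sample web.config fragment (not from a real site).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="CMSConnectionString" connectionString="Data Source=db;Initial Catalog=cms;User ID=cms_app;Password=x" />
    <add name="ReportingReadOnly" connectionString="Data Source=db;Initial Catalog=cms;User ID=cms_report_ro;Password=y" />
  </connectionStrings>
</configuration>"""

def login_of(value):
    """Return the SQL login in a 'Key=Value;...' string, or None if none is set."""
    parts = (p.split("=", 1) for p in value.split(";") if "=" in p)
    fields = {k.strip().lower(): v.strip() for k, v in parts}
    return fields.get("user id") or fields.get("uid")

def check_reporting_connection(web_config_xml, names_used_by_reporting):
    """Return (result, reason) for the 'second connection string' heuristic.

    names_used_by_reporting: hypothetical input, the connection string names
    referenced at the settings level and by individual reports.
    """
    root = ET.fromstring(web_config_xml)
    strings = {a.get("name"): a.get("connectionString", "")
               for a in root.findall("./connectionStrings/add")}
    extra = {n: v for n, v in strings.items() if n != MAIN_NAME}
    if not extra:
        # Only one string: there cannot be a read-only one for reporting.
        return "Bad", "only one connection string is defined"
    referenced = set(names_used_by_reporting)
    used = [n for n in extra if n in referenced]
    if not used:
        return "Warning", "extra connection string exists but reporting does not use it"
    # A second string does not prove read-only permissions; at minimum it
    # should not reuse the login of the main application connection.
    main_login = login_of(strings.get(MAIN_NAME, ""))
    same = [n for n in used if login_of(extra[n]) == main_login]
    if same:
        return "Warning", "same login as the main connection: " + ", ".join(same)
    return "Good", "reporting uses a separate connection string: " + ", ".join(used)

if __name__ == "__main__":
    print(check_reporting_connection(SAMPLE_WEB_CONFIG, ["ReportingReadOnly"]))
```

A "Good" result here only shows that a separate login is configured and referenced; the actual database permissions of that login still have to be reviewed on the SQL server.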