This project is read-only.

Security pb with SQL connection

Topics: Administration, Installing Orchard
Dec 7, 2012 at 2:14 PM

I just noticed that the SQL Server password is stored in clear text in the settings.txt file ????

When it is stored as a connection string in web.config, we have the opportunity to crypt it, not with this setting.txt solution.

This looks like a serious problem.


Dec 7, 2012 at 6:07 PM

If you care about have the password in a file, then even encrypted it's wrong. You should be using Integrated security instead of a username/password.

The file is in App_data which means only a user with access to the machine can load it. If this person has access to the machine, then he can also decrypt you web.config with one command line. As secured.


Dec 8, 2012 at 7:30 AM

Ok, thanks, this seems to be a correct deal. 
From what I googled, App_data is protected by a special file handler by .NET. Works well as long as .NET integrity is OK.
Pb with SQL Azure I am using is it doesn't understand integrated security...

Dec 8, 2012 at 11:09 PM

If .NET integrity is compromised, you're screwed anyways.