If you are a webmaster using a flat file database to store usernames, passwords or any other confidential information, this article is for you. For example, you may be running a forum on a flat file database because your hosting does not support MySQL or any other database server. Flat file databases have their good points, but those good points also come with vulnerabilities and exposure to threats. If you are running a flat file database, you should be concerned: crackers and hackers are always hungry for flat file databases.
Why does it matter?
Flat files are always stored as plain text files.
Let me explain in simple words so that you can easily understand what I am trying to communicate.
For example: I am running a forum on a flat file database. The flat file database uses plain text files to store the usernames and passwords of all members and administrators in some format. Hosting it on a flat file database has no disadvantages that affect performance, but beyond performance there are many threats that could bring my forum down in a minute or more.
Consider that my usernamepassword.txt file holds the usernames and passwords of all my forum members and administrators, and that it is stored at /root/santhosh/forum/usernamepassword.txt. What if an attacker learns this path and obtains the full member list with their usernames and passwords? He or she could bring my whole forum down by gaining access to every member's account.
You might say “Finding the path is difficult”, and I agree, but attackers have a lot of patience to crack the password, and they have many techniques you might not think of. Even Google is an attacker's friend: Google or any other search engine might give them access to your database. I won't reveal more, because some readers might misuse this article and do something that is not good. If you want more information on this, you can e-mail me at santhosh@testersblog.com.
NOTE: Running your application on a flat file database? No worries: there are preventive measures that can stop an attacker from getting access to your flat file database. If you need tips, contact me and I can help you make your flat file database more secure.
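The risk described above is that the flat file holds passwords in plain text, so whoever reads the file owns every account. As an added example (not code from the original post), the Python below shows the defender's side of that: a credential file named usernamepassword.txt as in the article, written with salted PBKDF2-HMAC-SHA256 password hashes instead of plain text, created owner-read/write only, verified with a constant-time comparison, and then audited for the two things an operator should check (no plaintext secrets in the file, no group/other read permission). The user records, the temporary directory and the helper names are constructed for this example; PBKDF2 is my choice of algorithm, not the article's.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Dict, Iterable, List, Optional

# Constructed sample records, in the plaintext form the article warns about.
SAMPLE_USERS: Dict[str, str] = {"admin": "s3cret", "alice": "hunter2"}

# Work factor for PBKDF2; tune upward as hardware allows.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def write_plaintext_file(path: str, users: Dict[str, str]) -> None:
    """The insecure layout from the article: 'username:password' per line, default mode."""
    with open(path, "w", encoding="utf-8") as fh:
        for user, pw in users.items():
            fh.write(f"{user}:{pw}\n")


def write_credential_file(path: str, users: Dict[str, str]) -> None:
    """Hardened layout: 'username:hashrecord' per line, file created mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for user, pw in users.items():
            fh.write(f"{user}:{hash_password(pw)}\n")
    # O_CREAT mode is subject to umask and ignored for an existing file, so set it explicitly.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def load_credential_file(path: str) -> Dict[str, str]:
    """Parse the flat file into {username: hashrecord}, skipping blank or malformed lines."""
    records: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or ":" not in line:
                continue
            user, record = line.split(":", 1)
            records[user] = record
    return records


def authenticate(path: str, username: str, password: str) -> bool:
    """Check a login against the hashed flat file."""
    stored = load_credential_file(path).get(username)
    if stored is None:
        hash_password(password)  # burn the same work for unknown users to even out timing
        return False
    return verify_password(password, stored)


def audit_credential_file(path: str, known_plaintexts: Iterable[str]) -> List[str]:
    """Operator checks: no known plaintext password in the file, no group/other access."""
    findings: List[str] = []
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    for pw in known_plaintexts:
        if pw in content:
            findings.append(f"plaintext password present: {pw!r}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} is readable by group/other")
    return findings


def demo() -> dict:
    """Write both layouts into a temp dir and report what the audit and login checks return."""
    d = tempfile.mkdtemp()
    plain_path = os.path.join(d, "usernamepassword.plain.txt")
    hashed_path = os.path.join(d, "usernamepassword.txt")
    write_plaintext_file(plain_path, SAMPLE_USERS)
    write_credential_file(hashed_path, SAMPLE_USERS)
    return {
        "plaintext_findings": audit_credential_file(plain_path, SAMPLE_USERS.values()),
        "hashed_findings": audit_credential_file(hashed_path, SAMPLE_USERS.values()),
        "admin_ok": authenticate(hashed_path, "admin", "s3cret"),
        "admin_wrong": authenticate(hashed_path, "admin", "S3cret"),
        "unknown_user": authenticate(hashed_path, "mallory", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keeping the file outside the web document root is still required; hashing only limits what an attacker learns if the file is read, it does not stop the file from being served.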
August 11th, 2009 at 1:46 am
Hi,
I have a query regarding the threats in the use of flat files. Besides being exposed on Google, let's say that I have gained access to such a file somehow, but what if the file itself is encrypted?
Thanks in advance!!!!!!
August 11th, 2009 at 2:21 am
@Prathamesh, The simple answer would be to decrypt it. I was kidding. If you have access to a file that is encrypted, it also depends on what encryption you are talking about. There are ways of decrypting it, but you need to do some research on the encryption so that you understand the pattern. Probably you are talking about passwords that are encrypted. Passwords can be encrypted with different hashes, hexadecimal, etc. I hope my reply was in some way helpful to you. *Some things are better not revealed if the intentions are bad*. My suggestion for you would be to learn *Cryptography* if you want to know more about “password hashes”.
August 12th, 2009 at 12:42 am
@Santosh, thanks for the reply. I will look into whether I can decrypt it or not. If it's a standard algorithm then I guess it should not be a problem, at least in guessing it, but if they have their own algorithm then I guess it's highly vulnerable, as it may be that the algorithm is not time-tested. *Revealing something in order to create awareness is not BAD, something like “if telling a lie does someone good, then one should tell the lie”*
August 12th, 2009 at 12:50 am
Can you let me know what preventive measures can be taken if an application is running a database on flat files?
Thanks in advance!
August 13th, 2009 at 3:54 am
@Prathamesh,
>> *Revealing something in order to create awareness is not BAD, something like “if telling a lie does someone good, then one should tell the lie”* <<
Well, you are not the only reader of this article. This is a public article; you may or may not misuse it, but you can't be sure about others who might misuse this article.
>> Can you let me know what preventive measures can be taken if an application is running a database on flat files? <<
Most people use .htaccess and .htpasswd to protect folders. However, this is not a 100% secure measure, though it would reduce the threat.
Some people use their own algorithm, as you mentioned, so that it is hard to crack. You can implement your own algorithm to make it hard to crack. You can create as many algorithms as you want.