MPSB 04-05 Potential Risk in Dreamweaver Remote Database Connectivity

April 5, 2004

[From Macromedia, Inc.]

Dreamweaver's remote database connectivity for testing dynamic database-driven websites installs scripts that may reveal DSNs to outside attackers. A sophisticated attacker may also be able to use these scripts to send SQL commands to the server and gain control of the database server.

Customers should not define a database connection using the driver on a testing server accessible to the public. To prevent unauthorized access to the database, password-protect the database. If a database connection has been defined, use Dreamweaver's Remove Connection Scripts menu command to remove the files that expose the database. This issue is described in greater detail in Security implications of remote database connectivity (TechNote 19214).

The article continues at http://www.macromedia.com/devnet/security/security_zone/mpsb04-05.html