DavidE
Hi,
I use the code below to encrypt and decrypt connection strings in the
web.config files.
It works well, but I don't understand something about the decryption. A
hacker who gains the web.config file with the encrypted data can copy it to
a new web site that he created and use this line of code,
section.SectionInformation.UnprotectSection(), and so get the connection string
in plain text. I tried it. I copied the web.config to a new web site and then
used this line of code and I got the original connection string!
Am I right? If I am, it is not a security solution.
    // Required namespaces:
    // using System.Configuration;
    // using System.Web.Configuration;

    // Encrypts the connectionStrings section of this application's web.config.
    public void EncryptConnString()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
            config.Save();
        }
    }

    // Decrypts the connectionStrings section and writes it back as plain text.
    public void DecryptConnString()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save();
        }
    }
Thanks,
David
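
An added example, not part of the original post: RsaProtectedConfigurationProvider keeps its RSA key in a key container on the server rather than in web.config, so any site on the same machine whose account can read that container can call UnprotectSection(). The helper below reports which container a protected section depends on; the class and method names are hypothetical, and it assumes the stock provider, whose machine-level container is named NetFrameworkConfigurationKey.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Added example (hypothetical class and method names), not code from the post.
public static class ProtectedConfigAudit
{
    // Machine-level key container used by the stock
    // RsaProtectedConfigurationProvider entry in machine.config.
    private const string DefaultContainer = "NetFrameworkConfigurationKey";

    // Describes what the encryption of a section in the application at
    // virtualPath actually depends on.
    public static string DescribeProtection(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            return sectionName + ": section not found";
        if (!section.SectionInformation.IsProtected)
            return sectionName + ": stored in plain text";

        // The provider that encrypted the section also names the key container.
        ProtectedConfigurationProvider provider = section.SectionInformation.ProtectionProvider;
        RsaProtectedConfigurationProvider rsa = provider as RsaProtectedConfigurationProvider;
        if (rsa == null)
            return sectionName + ": protected by " + provider.Name + " (not an RSA provider)";

        string scope = rsa.UseMachineContainer ? "machine-level" : "user-level";
        string report = sectionName + ": RSA key container '" + rsa.KeyContainerName
            + "' (" + scope + ")";

        // The default container is shared by every application on the server
        // that uses the stock provider, so the section is protected from
        // someone holding only the file, not from other sites on this machine.
        if (rsa.UseMachineContainer && rsa.KeyContainerName == DefaultContainer)
            report += "; shared default container, readable by any account granted access to it";
        return report;
    }
}
```

To limit decryption to one application, define a provider entry with its own keyContainerName and grant only that application's account read access to the container (aspnet_regiis -pa).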