Announcement

**Guest** · 3 Aug 2001, 02:57 AM

What "security restrictions" are they requiring? It is windows, right? Windows 9x, me don't really give you any security and NT requires NTFS to have any chance of security. I don't think INI files are a good choice for passwords. An encrypted configuration file or encrypted binary data in the registry would be fine, too.

Do they want passwords secured? You could hash the sensitive data into hex "bytes" or perhaps encrypt it and store it in the registry.
When a user types in the name and password, that data's hash is compared with the hashed data saved in the INI file or registry or configuration file.

Personally, I think an INI file is BAD for this use.
[PROGRAM STUFF]
Username=Joe Johnson
Password=5FED7A03EF9FEB

**Peter Scheutz** · 3 Aug 2001, 03:01 AM

If you could save the values in the registry, maybe you could you use the RegSetKeySecurity call?

------------------
Best Regards
Peter Scheutz

**Wayne Diamond** · 3 Aug 2001, 03:05 AM

Im avoiding saving data in the registry in my apps from now on and am reverting back to .ini's, a lot of people log in to Windows without registry write access so unless your app knows how to handle that, you may have unexpected errors

------------------

**danny greenwood** · 3 Aug 2001, 03:16 AM

Yes, Ron, it is Windows NT using NTFS.

I agree it isn't the cleverest of solutions to put a database username and password
in an ini file however it does simplfy things drastically doing it this way!

I guess what i could do is write another application that encrypts the password, enter
that encrypted password into the ini file and then build the decrypter into my application.

Danny

------------------

**Gregery D Engle** · 3 Aug 2001, 03:32 AM

Danny,

Just use the sample CRC32 code which is posted in the source
code fourm. Change the Key's in your INI file to something else
other than:

UserName
Password

Try:

Config00
Config01

and then Leave UserName and Password blank in the ini file.

So you will have this:

[main]
UserName=
Password=
Config00=AABB
Config01=AADD

Hope that works.

------------------
-Greg

**Sven Blumenstein** · 3 Aug 2001, 03:50 AM

Originally posted by danny greenwood:
Yes, Ron, it is Windows NT using NTFS.

Why don't you use the NTFS Streams to hide the entire ini file?

------------------
E-Mail (home): mailto:[email protected][email protected]</A>
E-Mail (work): mailto:[email protected][email protected]</A>

**danny greenwood** · 3 Aug 2001, 05:47 AM

How do you do that Sven, never played with Streams before!

------------------

**Sven Blumenstein** · 3 Aug 2001, 05:55 AM

originally posted by danny greenwood:
how do you do that sven, never played with streams before!

http://www.powerbasic.com/support/pb...ead.php?t=3628

hide an ini with the real password & username "under" a ini with fake data

------------------
e-mail (home): mailto:[email protected][email protected]</a>
e-mail (work): mailto:[email protected][email protected]</a>

[this message has been edited by sven blumenstein (edited august 03, 2001).]

**Wayne Diamond** · 3 Aug 2001, 06:49 AM

Streams are virtually the same as normal files in the way they are read/written, for example:

Code:

OPEN "C:\myfile.txt" FOR OUTPUT AS #1
 PRINT #1, "Normal file"
CLOSE #1
OPEN "C:\myfile.txt:mystream" FOR OUTPUT AS #1
 PRINT #1, "Stream file"
CLOSE #1

but there's a few quirks... DIR$("c:\myfile.txt:mystream") will fail even if the stream file exists, as streams can't be "seen" as normal files. You typically can't see stream files without specialist utilities (source for one has been generously posted here by Florent Heyworth), but you can read/write to them as if they were normal files.
Streams are available on NTFS only, not FAT. NTFS support was added for Macintosh file support, where files have 'resource forks'.
Also, if drive C doesn't support streams, don't assume that the other drives don't support it - on one system here, streams are available only on drive D which is the only NTFS drive in that system

As an interesting sidenote, several webservers including earlier versions of IIS were vulnerable to a stream exploit. When you read the ":$DATA" stream of a file, you're effectively reading the main file contents, so c:\autoexec.bat:$DATA reads from c:\autoexec.bat
When going to a URL such as http://www.victim.com/default.asp::$DATA, the default.asp file could be downloaded rather than it being processed/executed as a CGI as you werent requesting a file of the ".asp" extension. This was fixed a long time ago in most webservers so it's not something you'll easily be able to exploit, but certainly an issue to be aware of!

Best regards,
Wayne

[This message has been edited by Wayne Diamond (edited August 03, 2001).]

**danny greenwood** · 3 Aug 2001, 07:37 AM

OK. I understand the priciple of Streams now - thank guys! BUT, how do i
open the stream file eg d:\afile.ini:stream1 using the operating system (NT).
You cannot just double click on it and i cannot open it from the run command
either! If i cannot open, it how can i edit it?! i must be mis-understanding
something fundamental here!

Powerbasic code can open them using the ads-test application.

Danny

------------------

**Scott Turchin** · 3 Aug 2001, 07:59 AM

What I normally do is use an internal key, a hexidecimal equivelant etc...
Encrypt the username and password and then change to hex value, virtually undecipherable by anybody except the app with the key.
I can give you the source if you like, take you 5 minutes to implement it.

[email protected]

Scott

------------------
Scott

**danny greenwood** · 3 Aug 2001, 08:04 AM

Scott,

I'd be interested in seeing the source code. If you dont want to post it here
could you mail it to me at: [email protected]

Thanks

Danny

------------------

**Wayne Diamond** · 3 Aug 2001, 09:24 AM

BUT, how do i open the stream file eg d:\afile.ini:stream1 using the operating system (NT).
You cannot just double click on it and i cannot open it from the run command
either! If i cannot open, it how can i edit it?!

Danny, you can't use programs such as Explorer or the command prompt to 'view' files as such, because streams aren't shown as files, because technically they're not, they're "resource/data forks", but thats the beauty of streams, it keeps data hidden from most users - a lot of people dont even know about streams.
Programs that check if a file exists before opening will typically not support streams. For example:

Code:

sFile$ = "c:\testfile.txt:mystream"
If Dir$(sFile$) = "" Then
   Msgbox "File doesnt exist"
Else
   Msgbox "File exists"
End If

That will ALWAYS say "File doesnt exist" even if c:\testfile.txt:mystream exists.
Notepad will let you view streams... from Windows, go Start | Run | notepad.exe c:\testfile.txt:mystream
Notepad will load and ask you if you want to create a new file - choose Yes. Type in "Thanks Wayne, what postal address can I send you a bottle of bourbon?", and Save that (Alt+F | S), and close down Notepad.
Now start Notepad again from Start | Run exactly as you did before, and wallah! - you'll be reading the stream file.

------------------

**Scott Turchin** · 3 Aug 2001, 09:40 AM

Hey this is cool!
Under Win2k however, I see a zero byte file, double click it, nothing, run notepad with the stream name and walah...

So how could one lock the file even if hte program is not running so that it cannot be deleted?

------------------
Scott

**Wayne Diamond** · 3 Aug 2001, 10:50 AM

Scott, if you create the stream "c:\file.txt:mystream", and c:\file.txt doesnt exist, c:\file.txt will be created as a 0-byte file -- the stream needs something to cling onto. If you delete that 0-byte file, you delete the stream also
Not sure what you mean about locking sorry?
Have a good weekend

------------------

**Michael Mattias** · 3 Aug 2001, 10:52 AM

walah...

It's "V-O-I-L-A" not "W-A-L-A-H"

Sheesh, and I thought I was the one with the disadvantaged ethnicity....

MCM
(ethnic Milwaukeean)

**Wayne Diamond** · 3 Aug 2001, 11:18 AM

Walah, voila, same dog different leg action ... what does ethnicity have to do with anything? Australia is a free multi-cultural society where you can make typographical errors and enjoy it - I was born in Perth and my parents were born in eastern Australia, but I could be a migrant for all you know! lets not bring race/religion etc onto this forum
Anyway, have a good weekend

------------------

**Scott Turchin** · 3 Aug 2001, 11:20 AM

Who's Viola?

------------------
Scott

**Wayne Diamond** · 3 Aug 2001, 11:38 AM

Lets not bring dyslexia or women into it either <grin>

------------------

Announcement

Securing an INI file

Securing an INI file

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment