WebApp Sec mailing list archives
RE: Limiting application's database size
From: "Thorpe, Jason (TAD)" <Jason.Thorpe () fta dot gov>
Date: Wed, 30 Jun 2004 10:06:06 -0400
Thanks for the help. Could limiting the number of IP commits in one session be accomplished through IIS?

-----Original Message-----
From: Mike.Wiltshire () sunlife com [mailto:Mike.Wiltshire () sunlife com]
Sent: Monday, June 28, 2004 10:16 AM
To: webappsec () securityfocus com
Subject: Re: Limiting application's database size

You can limit the database size in the database properties dialog if you've appropriate permissions..
http://www.winnetmag.com/Windows/Articles/ArticleID/23321/pg/2/2.html

One extra point though, and that is as well as limit the datafile size, don't forget about the transaction max log file size - learned that the hard way meself!
http://www.winnetmag.com/Files/23321/Figure_03.gif

Are you sure you need to allow unauthenticated users to enter data into your database? Can you harvest the data, sanitise then remove to a different database after it's loaded? Or maybe you can limit the amount a single IP commits in one session?

Just some thoughts.. hope this helps,
Mike

"Thorpe, Jason (TAD)" <Jason.Thorpe () fta dot gov>
To: webappsec () securityfocus com, security-basics () securityfocus com
cc: (bcc: Mike Wiltshire/ServiceCentre/Ireland/SunLife)
28/06/2004 14:03
Subject: Limiting application's database size

I have a database server that contains several applications. One of the applications allows users to enter information into the database without being authenticated. My concern is that a malicious script could quickly increase the size of the database, thus taking all free disk space on the server. Is there a way to limit the size of the database so that it will not affect the other applications? Or does anybody have any suggestions on a way to handle this situation?
DB Server: MS SQL Server, IIS

---------------------------------------------------------------------------
This e-mail message (including attachments, if any) is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and erase this e-mail message immediately.
---------------------------------------------------------------------------
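The size limits suggested in the quoted reply can also be set in T-SQL instead of the properties dialog. The script below is an added example, not part of the original thread: the database name `PublicForms`, its logical file names and the cap values are assumptions, and the verification query uses `sys.database_files`, which requires SQL Server 2005 or later.

```sql
-- Assumed names (not from the thread): database PublicForms with logical
-- files PublicForms_data and PublicForms_log. List the real logical names with:
--   USE PublicForms; SELECT name, type_desc FROM sys.database_files;

-- Cap the data file so inserts from unauthenticated users cannot fill the
-- volume shared with the other applications' databases.
ALTER DATABASE PublicForms
    MODIFY FILE (NAME = PublicForms_data, MAXSIZE = 2GB, FILEGROWTH = 64MB);

-- Cap the transaction log as well: a flood of inserts grows the log even
-- when the data file is capped.
ALTER DATABASE PublicForms
    MODIFY FILE (NAME = PublicForms_log, MAXSIZE = 512MB, FILEGROWTH = 64MB);
GO

USE PublicForms;
GO

-- Verify the caps and see how close each file is to its limit.
-- size and max_size are stored in 8 KB pages; max_size = -1 means the file
-- can still grow until the disk is full, i.e. the cap was not applied.
SELECT
    name                                          AS logical_name,
    type_desc                                     AS file_type,
    CAST(size AS bigint) * 8 / 1024               AS size_mb,
    CASE WHEN max_size = -1 THEN NULL
         ELSE CAST(max_size AS bigint) * 8 / 1024
    END                                           AS max_size_mb,
    CASE WHEN max_size > 0
         THEN CAST(100.0 * size / max_size AS decimal(5, 1))
    END                                           AS pct_of_cap
FROM sys.database_files;
GO

-- Once a cap is reached, writes to this database fail with error 1105
-- (filegroup full) or 9002 (log full) while the other databases on the
-- server keep their disk space; the application must handle those errors.
```

Alerting on `pct_of_cap` before it reaches 100 gives time to purge or move submitted rows before the public form starts rejecting writes.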
Current thread:
- Limiting application's database size Thorpe, Jason (TAD) (Jun 28)
- <Possible follow-ups>
- Re: Limiting application's database size Mike . Wiltshire (Jun 28)
- RE: Limiting application's database size Stan Guzik (Jun 28)
- RE: Limiting application's database size Andrew Shore (Jun 28)
- RE: Limiting application's database size Thorpe, Jason (TAD) (Jun 30)
- Re: Limiting application's database size PD9 Software (Jun 30)
- RE: Limiting application's database size Syed Mohamed A (Jun 30)