
Editable mde ...

In the message from 1999/09/09 in the newsgroup
microsoft.public.access.multiuser
the way of opening forms and reports in Design mode was described:
http://groups.google.com/groups?selm....microsoft.com

Since then the third version of MS Access (2003) has already appeared.
But the same way can still be used :-)
Is this hole left specially for competent people or does MS have no
time to correct that?

How it works: run MS Access, open VBE (Tools-Macro-Visual
Basic Editor), open mde, then any form in it, go to the VBE window,
press the button Design mode, return to the Access window and ... we
see the form in Design mode. Besides, it is possible to move amendments
and save them (except the code).

--
Serge Gavrilov
Nov 12 '05 #1


On 9 Feb 2004 12:29:17 -0800, sg****@mail.ru (Serge Gavrilov) wrote in
comp.databases.ms-access:
> In the message from 1999/09/09 in the newsgroup
> microsoft.public.access.multiuser
> the way of opening forms and reports in Design mode was described:
> http://groups.google.com/groups?selm....microsoft.com
>
> Since then the third version of MS Access (2003) has already appeared.
> But the same way can still be used :-)
> Is this hole left specially for competent people or does MS have no
> time to correct that?


Having a bug survive three versions of Access is nothing to be
surprised at. Especially when it relates to security.

As to whether the hole is left intentionally, I am certain that it is
not (if, by your question, you mean that to suggest that Microsoft
intended for this hole to be available to developers from the
beginning - on the other hand, if you mean to ask whether Microsoft,
originally surprised by the existence of this bug, intentionally
failed to address it for multiple later versions of Access, then I
wouldn't be surprised if the answer were 'yes').

But as to whether this was originally built in intentionally, I am
sure that it is not. What the VBE toolbar button does is essentially
the same as typing:

DoCmd.OpenForm "formX", acDesign

but this action is correctly blocked as being an invalid action for
MDEs. I think that the problem here is that Microsoft layered the
security on top of the existing design, and simply looked to prevent
the UI interactions they thought of as violating the notion of an mde,
rather than, at a more fundamental level, blocking the actual ability of
Access to respond to such actions for MDEs. So opening a form in
design mode from Access, or from VBE via the line above fails, but
doing so by a toolbar button succeeds. Clearly, the ability to
prevent design mode interaction with forms and reports in mde's was
not properly implemented.

Note that even if they *had* correctly disabled the toolbar button
functionality too, it would still be possible to pull the entire form's
design sans code out by simply looping through the form's properties
and controls collections (and controls' properties collections, etc.),
reading the values out, and writing them to a new form or report,
effectively rebuilding the entire form/report through code. That type
of flaw is impossible to prevent, because being able to read a
control's property values is essential for proper runtime
functionality, so can't be prevented for use in design-time
recreation. Put another way, this approach lets you read a form or
report's design structure without ever opening it in design mode. Of
course it's more cumbersome than the bug you outlined, which allows the
user to simply copy and paste the form or report's structure without
any need for code.

Peter Miller
__________________________________________________ __________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051
Nov 12 '05 #2

The main problem is not that the form can be copied, but that
it can be changed and saved with these changes.
For example, it is possible to remove an Event Procedure.

--
Serge Gavrilov
http://accesstools.narod.ru
Nov 12 '05 #3


Serge,

On 12 Feb 2004 10:53:10 -0800, sg****@mail.ru (Serge Gavrilov) wrote
in comp.databases.ms-access:
> The main problem is not that the form can be copied, but that
> it can be changed and saved with these changes.
> For example, it is possible to remove an Event Procedure.


Sure. I didn't mean to imply otherwise. It's just that usually people
are concerned about preventing application theft from mde's. But
certainly, you can freely modify the visual design and interactivity
of any mde form or report with this flaw.

You mentioned being able to disable event procedures, but of course,
it's worse than just that. You could insert new functionality for a
given event procedure (i.e., instead of simply removing the event
procedure's hook, you could create your own macro, and make it run
instead of the original event procedure code, all unbeknownst to the
user or developer). You could also call code from your own secondary
mdb and execute it, so it's not just macro-based functionality that can
be added/inserted. You could also insert your own wrapper around
existing functionality. So, for instance, an mde with a protected
username/password entry form could easily be modified to capture the
username/password combo, then call the original event procedure,
allowing the mde to appear to function normally, while in the
background signon info is being harvested and sent out.

It's a terrible flaw, and I didn't mean at all to imply it could be
exploited solely for application theft.

Peter Miller
__________________________________________________ __________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051
Nov 12 '05 #4
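
The thread above notes that form and control properties stay readable at runtime and that event hooks in an mde can be removed or repointed. The following added example (not code from any poster) uses that same readability defensively: it inventories every event binding so a deployed copy can be compared with an inventory taken from the trusted build. The procedure names and the `app` parameter (an Access Application object with the database already open) are assumptions.

```vba
' Added example, not from the thread. All procedure names here are hypothetical.
Option Compare Database
Option Explicit

' One line per non-empty event binding: Form|Object|Property|Value.
' app is assumed to be an Access Application object with the database open.
Public Function EventBindingInventory(app As Object) As String
    Dim ao As Object, frm As Object, ctl As Object
    Dim wasOpen As Boolean, out As String
    For Each ao In app.CurrentProject.AllForms
        wasOpen = ao.IsLoaded
        ' Opening a form runs its Open/Load events, so audit a copy of the file.
        If Not wasOpen Then app.DoCmd.OpenForm ao.Name, acNormal, , , , acHidden
        Set frm = app.Forms(ao.Name)
        out = out & BindingsOf(ao.Name, "(form)", frm.Properties)
        For Each ctl In frm.Controls
            out = out & BindingsOf(ao.Name, ctl.Name, ctl.Properties)
        Next ctl
        If Not wasOpen Then app.DoCmd.Close acForm, ao.Name, acSaveNo
    Next ao
    EventBindingInventory = out
End Function

Private Function BindingsOf(ByVal frmName As String, ByVal objName As String, _
                            ByVal props As Object) As String
    Dim prp As Object, s As String
    For Each prp In props
        ' Heuristic filter: Access event properties are named On*, Before* or After*.
        If prp.Name Like "On*" Or prp.Name Like "Before*" Or prp.Name Like "After*" Then
            If Len(prp.Value & "") > 0 Then
                s = s & frmName & "|" & objName & "|" & prp.Name & "|" & prp.Value & vbCrLf
            End If
        End If
    Next prp
    BindingsOf = s
End Function

' Lines of a that do not occur in b. Call it both ways to see removed and added bindings.
Public Function LinesOnlyIn(ByVal a As String, ByVal b As String) As String
    Dim ln As Variant, s As String
    For Each ln In Split(a, vbCrLf)
        If Len(ln) > 0 And InStr(1, vbCrLf & b, vbCrLf & ln & vbCrLf, vbBinaryCompare) = 0 Then
            s = s & ln & vbCrLf
        End If
    Next ln
    LinesOnlyIn = s
End Function
```

A binding whose value changed from `[Event Procedure]` to a macro name or an `=Function()` expression shows up in both directions of `LinesOnlyIn`, while a removed hook shows up only in the baseline-to-current direction.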
