Macromedia Dreamweaver remote database scripts - Vulnerability Database

Description

Macromedia Dreamweaver automatically creates testing directories (_mmServerScripts or _mmDBScripts) containing database connectivity scripts during development. These directories include unauthenticated scripts such as mmhttpdb.php or mmhttpdb.asp that expose dangerous functionality including the ability to list available database connections and execute arbitrary SQL queries. When these development directories are inadvertently deployed to production environments, they create a critical security vulnerability by providing attackers with direct, unauthenticated access to backend databases.

Remediation

Immediately remove the _mmServerScripts and _mmDBScripts directories from all production web servers. Follow these steps to remediate:

1. Identify all instances of these directories on production systems using file system searches or web server directory listings
2. Delete the directories and all contained files, particularly mmhttpdb.php and mmhttpdb.asp
3. Review deployment procedures to ensure development and testing artifacts are excluded from production releases
4. Implement a deployment checklist or automated build process that explicitly excludes directories beginning with _mm
5. Configure web server rules to deny access to these directories if they cannot be immediately removed
6. Audit web server logs for any suspicious access to these scripts to determine if exploitation has occurred

For ongoing prevention, establish separate development and production environments, and use version control with explicit inclusion lists rather than deploying entire development directories to production servers.
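
The file system search in step 1 and the log audit in step 6, as an added shell example that is not part of the original advisory. It assumes access logs in Combined Log Format (status code in the ninth whitespace-separated field); the function names, directory tree and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): find leftover Dreamweaver test directories
# and audit an access log for requests to them.

# Step 1: list _mmServerScripts / _mmDBScripts directories under a web root.
find_mm_dirs() {
    find "$1" -type d \( -name '_mmServerScripts' -o -name '_mmDBScripts' \) 2>/dev/null | sort
}

# Step 6: print log lines requesting those directories. Matching is
# case-insensitive, and %5F is accepted as a URL-encoded underscore.
audit_mm_access() {
    grep -iE '/(_|%5f)mm(ServerScripts|DBScripts)(/|[? ]|$)' "$1" || true
}

# Count matching requests answered with 200, i.e. the script was reachable.
# Assumption: Combined Log Format, so the status code is field 9.
count_mm_served() {
    audit_mm_access "$1" | awk '$9 == 200 { n++ } END { print n + 0 }'
}

# --- Constructed sample data (not from a real server) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/www/site/_mmServerScripts" "$demo/www/old/_mmDBScripts" "$demo/www/site/img"
cat > "$demo/access.log" <<'EOF'
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /_mmServerScripts/mmhttpdb.php HTTP/1.1" 200 312 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "POST /_mmdbscripts/mmhttpdb.asp HTTP/1.1" 404 0 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /%5FmmServerScripts/ HTTP/1.1" 403 0 "-" "-"
EOF

echo "Directories to remove:"
find_mm_dirs "$demo/www"
echo "Requests to review:"
audit_mm_access "$demo/access.log"
echo "Served with 200: $(count_mm_served "$demo/access.log")"
```

A non-zero "Served with 200" count means the scripts answered requests while deployed, so the matching log lines should be reviewed as possible exploitation rather than failed probes.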