Leaderboard


Popular Content

Showing most liked content since 12/22/2016 in Posts

  1. Security Vulnerabilities of FileMaker Platform API’s: An Update
     January 9th 2017

     In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [http://fmforums.com/blogs/entry/1535-the-filemaker-platform-api’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (API’s). There are at least nine of these API’s, possibly more, if ExecuteSQL is included. The central thesis of that article was that these API’s provide unexpected attack vectors to compromise FileMaker Platform files. As noted at the time:

     Many FileMaker developers are not aware, however, that these API’s have the capability to access customer or client solutions in unexpected ways and to extract or insert data, to manipulate business processes developers embedded into these solutions, and to compromise the integrity of these solutions.

     Unfortunately, in the intervening nine-month time span, we continue to see cases where several of these API’s have been used for malicious purposes to compromise FileMaker Platform files’ business process integrity, to manipulate data, and to extract data. And many in the developer community remain unaware of this problem.

     In this BLOG entry, I will describe two of these API’s in greater specificity and detail, including describing a variety of attacks they can facilitate. This article will not discuss the ActiveX API that is available on Windows OS; however, developers should give similar attention to that approach. Developers need to be aware of these items in order to protect their files and those of their clients.

     The two API’s at the center of this focus are Apple Events and the FMPURL process. In the earlier article, I noted several elements about these that bear repeating here:

     [These API’s] cause particular concern because of their breadth and relative ease of use….

     The Apple Events Suite has an extensive set of commands that can read and write data, read metadata, manipulate the UI, and trigger scripts. In addition, they can work outside the normal constraints found on layouts in a file. [http://thefmkb.com/5671]

     The FMPURL…can open a file and run a script in it. If the file is already open, then the script will still run. [http://thefmkb.com/5560]

     A few general comments about both of these API’s:

     · They are not platform-specific, in the sense that a client organization running an all-Windows OS environment is not thereby immune from an Apple Event attack. It’s the OS of the attacker that controls whether the API can be used.

     · There are some ways within Privilege Sets to constrain the behavior of these API commands when they are applied to a file. The Export privilege bit can control the ability of Apple Events to extract data from a file. The Layout Access privilege bits can also constrain the ability to see the contents of a layout. Likewise, Script Access privilege bits can control the availability of a script to either of these API’s.

     · These API’s often perform actions in unexpected fashions that fall outside the normal, traditional, and familiar FileMaker Pro User Interface behavior. This is part of what catches developers by surprise.

     —Apple Events—

     When a file is open, whether standalone or hosted by FileMaker Server, an attacker can send Apple Event commands to it, causing it to perform a variety of actions, including:

     · Run any script to which the user has access, irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button.

     · Navigate to any Layout, irrespective of whether that Layout’s name is in the list of Layouts or not. If the user’s Privilege Set has access to see that Layout, then its contents are visible whether the developer ever intended for the user to view the Layout or not.

     · Return various metadata about the file, including such items as Script Names, Value List Items, Layout Names, Field Names, etc. If a user’s Privilege Set does not allow access to the item, its name does not appear in the list returned.

     · Put data into any field in the database or extract data from any field, irrespective of whether that field is on the active Layout or on any Layout, for that matter.

     Here are several examples of these scripts, all working on a file named Our_Secret_Information.fmp12.

     tell application "FileMaker Pro Advanced"
         activate
         go to first layout
     end tell

     tell application "FileMaker Pro Advanced"
         activate
         do script FileMaker script "Relog_as_Admin"
     end tell

     tell application "FileMaker Pro Advanced"
         activate
         set somevar to name of every layout
     end tell

     tell application "FileMaker Pro Advanced"
         activate
         set somevar to name of every field
     end tell

     tell application "FileMaker Pro Advanced"
         activate
         set somevar to get data field "CreditCardNumber"
     end tell

     —FMPURL—

     The FMPURL command’s principal attack vector is that it can be used to run any Script in a file to which a user’s privileges have access. Similar to Apple Events, this occurs irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button. If the file is closed, the command first opens the file with the supplied credentials, then runs any OnFirstWindowOpen script, and then runs the designated script from the FMPURL command. As a result of this behavior, a Halt Script step at the end of the opening script has the effect of blocking the running of the FMPURL-designated script. Some developers have utilized this technique to block FMPURL calls to scripts in a file. However, if the file is already opened or if there is no opening script, then the designated script does run.

     Here is an example of calling a script, again in our file Our_Secret_Information.fmp12, being hosted on a server at IP address 0.0.0.0.

     fmp://0.0.0.0/Our_Secret_Information.fmp12?script=Relog_as_Admin

     —What Is the Significance Of This and How Do We Address This?—

     One of the many reasons we caution developers against embedding security elements such as Identity and Access Management controls into the data layer of FileMaker Pro databases is precisely because such elements are vulnerable to these API attacks.

     Think for a minute about that Relog_as_Admin script that presumably relogs into the file with a [Full Access] Account. If an Attacker can trigger that script and cause it to run, irrespective of what the developer might have intended, then the Attacker has full access to the file. This has actually happened.

     Or, suppose that a developer has made a “Developer_Only” layout in the file, removed it from the list of layouts, and left sensitive information on it. If the Attacker can navigate to that layout, and if it is not protected by settings in the Privilege Set, then the Attacker can learn the contents of the information on it. This has actually happened in numerous instances, including, unbelievably, the appearance of [Full Access] level credentials left exposed on the layout!

     Likewise, suppose that a developer has made a so-called “Privileges Table” with various fields that purport to control whether a user can do such things as create records. Using the Apple Event Set Data command, an Attacker could likely change the values in these fields if they do not enjoy additional protection. More likely even, the Attacker could simply issue a Make New Record command and create the record. That is a process frequently used to thwart developer-imposed limitations on the number of records in a demonstration version of a vertical market solution.

     So, what can be done to manage this situation and to prevent these types of attacks? In FileMaker® Pro 15, FileMaker, Inc. added a new Extended Privilege option in the Privilege Set called fmscriptdisabled. Developers must explicitly invoke this option; it is not a default option. What it does is to prevent Apple Events (Macintosh OS) and ActiveX commands (Windows OS) from activating scripts, just as the name implies. It has no impact on FMPURL or on other Apple Event commands that do not involve triggering of scripts.

     Some of the other items in a Privilege Set, notably Export and data layer modification elements, can control Get Data and Set Data Apple Events. If Export is disabled, then Get Data will not return data from the selected field. In tables where the editing privileges are restricted, likewise, Set Data will not add data to a field. Creation and deletion privileges behave in similar fashion. Remember, we are talking here only about Apple Events. Other processes may behave differently.

     Controlling API behavior is important; however, it is not the only security feature that developers must invoke to assure the Confidentiality, Availability, and Integrity of their database systems. So, clearly what we need here is a way to block these API’s from interacting with FileMaker Pro files. FileMaker, Inc. is aware of these issues and has been working on new ways to address them. In the Product Road Map Webinar presented on November 30th 2016, FileMaker, Inc. noted that the next version of the FileMaker Platform will contain a number of additional security enhancements. I am authorized to say that one of those enhancements will be a new process for more closely and granularly controlling several of these API’s. At such time as there is any new version of the FileMaker Platform, I will have additional comments and analyses of the issues related to these API’s.
    3 likes
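The FMPURL behaviour the post above describes (a script named in the URL runs whether or not it is on a button or in the Scripts menu, credentials can travel inside the URL, and the caller can pre-seed the script's variables) is easy to overlook when such links turn up in e-mails, web pages or URL-handler logs. The parser and triage helper below is an added example and is not code from the blog post or from FileMaker, Inc.; it follows the fmp:// shape FileMaker documents, fmp://[account:password@]host/filename[?script=name[&param=value][&$variable=value]]. The deny-list of script-name fragments, the host name fms.example.internal, the account name and the sample URLs are all constructed for the demonstration.

```python
"""Parser and triage helper for FileMaker fmp:// URLs.

Added example for this page; not the post's code and not FileMaker, Inc.'s.
URL shape assumed (from FileMaker's FMPURL documentation):
    fmp://[account:password@]host/filename[?script=name[&param=value][&$var=value]]
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote

# host may be an IP, a DNS name, "~" (file in the local Documents folder) or "$"
# (the current file's host); credentials, when present, precede "@".
_FMP_RE = re.compile(
    r"^fmp://"
    r"(?:(?P<account>[^:@/?#]*)(?::(?P<password>[^@/?#]*))?@)?"
    r"(?P<host>[^/?#]+)"
    r"/(?P<filename>[^?#]+)"
    r"(?:\?(?P<query>[^#]*))?$",
    re.IGNORECASE,
)

# Constructed deny-list: script-name fragments that usually mean "this script
# re-logs or elevates the session" (the post's Relog_as_Admin is the motivating
# case). Tune it to the naming conventions of the solution under review.
PRIVILEGED_SCRIPT_PATTERNS = tuple(
    re.compile(p, re.IGNORECASE) for p in (r"relog", r"admin", r"full.?access")
)


@dataclass
class FmpUrl:
    host: str
    filename: str
    account: Optional[str] = None
    password: Optional[str] = None
    script: Optional[str] = None
    param: Optional[str] = None
    variables: Dict[str, str] = field(default_factory=dict)


def parse_fmp_url(url: str) -> FmpUrl:
    """Split one fmp:// URL into its parts; raise ValueError for anything else."""
    m = _FMP_RE.match(url.strip())
    if not m:
        raise ValueError(f"not an fmp:// URL: {url!r}")
    account, password = m.group("account"), m.group("password")
    parsed = FmpUrl(
        host=m.group("host"),
        filename=unquote(m.group("filename")),
        account=unquote(account) if account is not None else None,
        password=unquote(password) if password is not None else None,
    )
    for key, value in parse_qsl(m.group("query") or "", keep_blank_values=True):
        if key == "script":
            parsed.script = value
        elif key == "param":
            parsed.param = value
        elif key.startswith("$"):
            parsed.variables[key] = value  # local variable pre-seeded in the target script
    return parsed


def triage(url: str) -> List[str]:
    """Findings a reviewer wants for one URL; an empty list means 'only opens a file'."""
    u = parse_fmp_url(url)
    findings: List[str] = []
    if u.script is not None:
        # Runs whether or not the script is in the Scripts menu or on a button.
        findings.append(f"runs script {u.script!r} in {u.filename!r} on host {u.host!r}")
        if any(p.search(u.script) for p in PRIVILEGED_SCRIPT_PATTERNS):
            findings.append(f"script name {u.script!r} matches a privileged-script pattern")
    if u.account is not None:
        findings.append(
            f"account {u.account!r} embedded in URL" + (" with password" if u.password else "")
        )
    if u.variables:
        findings.append("pre-seeds script variables " + ", ".join(sorted(u.variables)))
    if u.param is not None:
        findings.append(f"passes script parameter {u.param!r}")
    return findings


# Constructed samples: the post's own example plus two variants.
SAMPLE_URLS = (
    "fmp://0.0.0.0/Our_Secret_Information.fmp12?script=Relog_as_Admin",
    "fmp://admin:s3cret@fms.example.internal/Our_Secret_Information.fmp12"
    "?script=Relog_as_Admin&param=1&$DebugMode=1",
    "fmp://~/Contacts.fmp12",
)

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample)
        for line in triage(sample) or ["no script, credentials or variables"]:
            print("  -", line)
```

Run as-is it prints the findings for the three constructed URLs; in practice feed it URLs pulled from proxy or mail logs and treat a hit on a privileged script name as a prompt to check that script's Script Access setting in the Privilege Set, since, as the post notes, fmscriptdisabled does not cover FMPURL.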
  2. You can also use Export Field Contents and skip specifying the field. There are a few more ways as well, such as exporting 0 records using same path file name. All similar principle so it's which you like best. I like Export Field Contents; picked up from Comment, I suspect.
    2 likes
  3. Yet another option: sort the found records by the DeliveryRemaining field, ascending (or descending) and check the value of the last (or first) record.
    2 likes
  4. Good points, well-taken; but I can't shake the feeling that you're thinking like salesmen rather than like customers. Many people are "penny wise and pound foolish", whether we like it or not, and I used to make my living getting hired to cater to that and then guiding them to better decisions — but only if their decision to use FileMaker allowed me to get my foot in the door. It's nice if you can say, "Well, I really don't know if I want those people as clients," but I made a decent living off them, once, and now I'm not anymore.

     I agree FileMaker Cloud is a step in the right direction (taking your calculations at face value - I have a cold right now and can't really think through the figures myself at the moment.) Thinking back to when my clients were mostly small mom & pop businesses and nonprofits (and I was much busier as a consultant than I am today), I'm sure about half of them would have seen your reasoning. But for half of them, the appeal was that they could host FM on the old Mac mini they had sitting in the corner and never have to think about it. The conceptual hurdle of dealing with AWS & EC2, for the non-computer-literate clients that it used to seem to me were FileMaker's bread and butter, is much more immense than it is to you and me. For the same reason that clients still insist on onsite visits even after TeamViewer and Skype have made physical presence 99.9% unnecessary, mom & pop operations also aren't going to cotton to offsite virtual servers with complicated administrative interfaces that they have to learn (when they can just barely figure out how to use Word.) It makes them feel like they're now dependent on more things outside their control, and they don't like that. I can't imagine selling a virtual-server-based 5-seat-minimum system with monthly licensing to a lot of the people who I used to survive off of. They just wouldn't bite.

     Even if it was free they'd still think it was too complicated for them, it's too weird and abstract, and they'd be too worried about perpetual dependence on me keeping the server running. Whether it was true or not. The whole point was that FileMaker used to be for people who didn't want to have to become technically-adept computer geeks. AWS is precisely for technically-adept computer geeks, and it's a very beautiful thing for them, but that's who it's for. The thing that sucks, to me, is, FileMaker doesn't necessarily have to be one or the other. There can be both a monthly cloud-based licensing model for teams AND a FileMaker-Go-for-desktop-type "thin client".

     Also, I know I've seen people cringe when I mention the software subscription model. I know it's worth it, and you know it's worth it, but Mr. McGintee, whose little health food store could improve its narrow margins running much more efficiently on FMP, only hears "I want you to keep paying forever and ever for something you used to only have to pay for once". Yes, I know the flaws in that reasoning. But that's what people hear. And I, for one, would really just rather be developing databases than trying to sell Mr. McGintee on whatever licensing model FMI has decided to adopt this year. Sucks dealing with human quirks, but until I can reliably score consulting gigs on planet Vulcan, these are the things we have to think about.

     If FM could find a way to increase their penetration in the enterprise realm, and I could get steady enough corporate gigs not to miss the small businesses who used to call me all the time, I'd have no complaint. And the funny thing is, I still get a fair number of calls for help from solitary users using one-person databases. It's the small businesses, the 3-5 person companies that used to be a rich vein for me, where the demand seems to have been completely hollowed out.

     I hope to be pleasantly surprised, but I just don't see FileMaker Cloud bringing those kinds of people back to the platform. And there used to be a lot of them. I've posted this elsewhere, but look at this Google Trends graph for search interest in FileMaker: Despite vast improvements in the program, interest (as expressed in Google searches for information) has dropped by 50% every 4 years. It's now declined to about 1/10th of its peak. That should scare the bejeezus out of anyone who makes their living this way, and I just don't think that decline was because of lack of a technically abstruse (to non-IT-professionals) monthly cloud-based licensing option.

     I firmly believe, based solely on my own experience then and now, that 10 years ago there was a huge, solid base of very small, funky business users that just aren't there anymore, and I would really like FMI to try to find a way to get them back. Not a way that sounds good to you or to me, but to THEM, something simple and uncomplicated yet still powerful under the hood (just like FileMaker used to be.) AWS support isn't that, regardless of price. And, again, it doesn't have to come at the expense of other options. They could offer thin clients on the bottom and all kinds of fancy licensing at the top, and broaden their appeal on both ends.

     Oops, looks like I've ranted again. Apologies, I didn't mean to harangue you. But that graph above is what it all comes down to for me, and I find it very frustrating, because FMI's product marketing strategy seems to be alienating a formerly lucrative segment of their former user base, as if they must be sacrificed to attract a new segment - one which isn't proving itself at the same rate. It baffles me. I just think "FileMaker Go For Desktop" is a good step towards getting those lost customers back in the fold.
    2 likes
  5. Did you know that there are 53 weeks in a year and that a week can be 1 day long...

     Sat 30 Dec 2006 = Week 52
     Sun 31 Dec 2006 = Week 53
     Mon 1 Jan 2007 = Week 1

     I know it's right, but there goes the week view on my calendar solution.
    1 like
  6. Perhaps it's a path issue caused by a filename that's not acceptable?
    1 like
  7. 000112223333 is not a number (try using the Data Viewer: GetAsNumber ( "000112223333" )). You would need that to be a text field to preserve the leading 0's.
    1 like
  8. Hi guys, We are working feverishly to get this new framework completed and tested so that we can release as soon as possible. Again, we will announce their release on all of our media outlets so please be sure that you are subscribed to at least one of them so you know when they are released. Legacy Java 6 is both 32 and 64 bit. The current plugin will work in both 64 bit and 32-bit mode.
    1 like
  9. Alternatively you can use the MBS Plugin and connect to the Access database regularly in a script to move all new records yourself. See http://www.monkeybreadsoftware.de/filemaker/
    1 like
  10. Hi no-no and welcome to the FM Forums, In addition to Wim’s suggestion, take a look at these sites. http://learningfilemaker.com https://www.lynda.com/FileMaker-Pro-training-tutorials/199-0.html https://www.filemakermagazine.com HTH Lee
    1 like
  11. Try = If ( Deposit ; Amount - Deposit )
    1 like
  12. As most people here probably know, the Let ( ) function can be used to define a local variable. As such, it is possible to build a custom function that defines such a variable, and it is further possible to set said variable to a value including itself. An example would be the following custom function, ErrorList, consisting of the following calculation:

     Let ( $ErrorList = List ( $ErrorList ; Get ( LastError ) ) ; "" )

     If a Set Variable script step sets the same variable as a custom function like the one above, e.g.

     Set Variable [ $ErrorList ; Value: ErrorList ]

     …the script step will run appropriately, so long as the contradictory variable—in this case, $ErrorList—is not yet defined. However, once this variable has been defined, executing the preceding script step will cause FileMaker 14 (and perhaps other versions) to suffer an Error #1213 and crash the application. The workaround for this behavior is to have the Set Variable script step set a dummy variable, e.g.

     Set Variable [ $x ; Value: ErrorList ]

     Even if $x is not referenced anywhere, having a script call the ErrorList function passes the variable $ErrorList to the script’s own context, thus allowing its value to be accessed by later steps in the same script (including subsequent calls to the ErrorList function itself).

     In FileMaker 15, this behavior has been changed: local variables defined within a custom function are now valid only within the scope of the function itself, including any recursions. While this alleviates the problem of application crashes, it also results in unexpected behavior when scripts written in earlier versions of FileMaker rely on custom functions to set local variables. When migrating to FileMaker 15, each affected script step must be updated to set the target variable explicitly instead of relying on the custom function to do the work.

     In other words, the code:

     Set Variable [ $ErrorList ; Value: ErrorList ]

     …which proved fatal in FileMaker 14, is now required grammar for FileMaker 15: FileMaker 15 believes that what happens in the function stays in the function, instead returning the result of the calculation to the variable defined in the Set Variable script step. The FileMaker 14 grammar,

     Set Variable [ $x ; Value: ErrorList ]

     …thus sets $x to the intended value of $ErrorList while leaving the value of $ErrorList as null.

     Unfortunately, this cannot work effectively in a mixed-installation environment: the FileMaker 14 grammar leaves FileMaker 15 clients with unintended null values; the FileMaker 15 grammar causes FileMaker 14 to crash. When upgrading all users to FileMaker 15 is not feasible, the best workaround is to use the FileMaker 14 grammar, then once all relevant script steps are complete, check the value of the intended variable (e.g. $ErrorList) and, if empty, set it to the value of the dummy variable (e.g. $x).

     ErrorTest.fmp12
    1 like
  13. I am afraid I don't fully understand what you're saying. To get the kind of display your screenshot shows, place the related CompanyName field on the layout, make it non-enterable, and use it to cover the local CompanyID (foreign key) field that has the value list attached to it. When they click on it, the underlying field will activate and they will get a drop-down (or pop-up) to select the name from. The alternative where they would actually select the name is much more complex: you would have to define another relationship to another occurrence of the Companies table, and use it to make the local CompanyID field lookup the corresponding value from there. Note that you can also select from portals or list views. -- P.S. Please update your profile to reflect your version and OS.
    1 like
  14. Anybody built a mobile solution with Kiosk mode for FMGO on a phone? What were your reasons for doing so? What challenges did you have to overcome to deploy a kiosk solution on mobile phone? What things can the user not do with Kiosk mode on the phone? TIA, Kris
    1 like
  15. I wonder if it wouldn't be easier to create a summary field (maybe called sDeliveryRemaining) which is Total of DeliveryRemaining. Then the script could check this value as: If [ not sDeliveryRemaining ] ... then do 'the thing' you wish. Sorry for the glitch.
    1 like
  16. A couple of ways:
     - an easy - but unintuitive - FM way is to export an empty field to the same file name; FM will delete the target file
     - or use Send Event and use the OS CLI to delete the file
     - (if you are already using a plugin with file manipulation functions, then it can be done that way too)
    1 like
  17. The formula would be almost exactly what you wrote: Case ( BillableWeight ≤ 1 ; 8.99 ; BillableWeight ≤ 10 ; 8.99 + 0.5 * BillableWeight ; 9.99 + 0.4 * BillableWeight ) Note that your definition does not cover the case where the weight is exactly 1 pound. Here we are assuming it is included in the first instance.
    1 like
  18. Something to know - a global field's value is unique to each user's session - they don't run into each other even when using the same field. So you can use your global FILTER_DATE and FILTER_COMPETE fields for all users. The other thing to remember is that these global fields are reset to their original default values every time a user logs in. If the value of FILTER_DATE was "2016" when the database was originally hosted, then that will be the value when a user starts a session. Then you can use a script to reset that user's global to different values... Hope this helps
    1 like
  19. Two new calc fields:
     isClacorp = PatternCount ( domain_name ; "clacorp.org" )
     isSadccf = PatternCount ( domain_name ; "sadccf.org" )
     Two summary fields:
     isClacorpCount = Sum ( isClacorp )
     isSadccfCount = Sum ( isSadccf )
    1 like
  20. So this really has almost everything in common with a standard invoicing system. Customers, products, orders, order line items, prices. And as with invoicing systems, it is sometimes common for orders to consist of a standard group of products.
    1 like
  21. Make a backup first. Do a replace on your field:
     Substitute ( your::field ; "-" ; "_" )
     This will replace existing data. In the auto-entry field you can use:
     Substitute ( Self ; "-" ; "_" )
    1 like
  22. This is only true for a certain type of windows. You can recognize these by the icon to the left of the window title. Filemaker windows are not of this type (I presume there are security reasons behind this decision).
    1 like
  23. No, the best solution is to have a Rate field in the Invoices table and have it auto-enter the current rate. Fixing the existing invoices shouldn't take more than a minute. Filemaker reads 1/1/17 as a division. If you want it to read a date, use Date ( 1 ; 1 ; 2017 ). Since you only deal with years, you could do simply: Case ( Year ( Invoice Date ) < 2017 ; .07 ; Year ( Invoice Date ) < 2018 ; .06875 ; .0625 )
    1 like
  24. The Open URL [] script step allows you to specify the URL as a calculation. Click the Specify… button and enter: "fmp://guest@192.168.1.2/" & YourTable::YourField as the formula.
    1 like
  25. There are a couple of bugs in FileMaker, e.g. saving a PDF fails if the fonts used on Windows have the file extension .TTF in capital letters; in lower-case letters it works. Anyway, you can always use MBS Plugin with DynaPDF and the Optimize command to get a smaller and fixed PDF. See http://www.mbsplugins.eu/DynaPDFOptimize.shtml and http://www.mbs-plugins.com/archive/2016-12-07/Custom_function_to_optimize_PD/monkeybreadsoftware_blog_filemaker
    1 like
  26. Here's a very simple approach that uses AWS S3. Very cheap and very easy to implement and comes with an enormous feature-set on the backend to do things like retention policies through lifecycle settings. The example uses Windows but once you install the AWS CLI (http://docs.aws.amazon.com/cli/latest/userguide/installing.html) then the command is pretty much the same: http://www.soliantconsulting.com/blog/2016/06/backups-to-the-cloud-with-aws I use a variation of this to not upload everything but to sync to a folder in my S3 bucket and then instruct S3 to copy the sync'd folder to a date/time stamped new folder on S3. That way I still have my full sets (as many as I want) but with uploading just the files that were changed. Almost like progressive backups to the cloud...
    1 like
  27. Most likely the permissions on the files were changed so that the FMS account (fmserver, of group fmsadmin) no longer owns them. Use the chown and chmod commands to set them correctly. You can use the free BatchMod application if you don't like using Terminal.
    1 like
  28. FM Cloud in combination with a 5-user FLT will cost around $120 per month (depending on the type of virtual machine you choose). That includes the hosting (unlimited # of files), FMS and 5 licenses for any mix of FMP, FMGo and WebDirect. $120 per month... if that is not affordable for a small business then I don't know what is. And it removes the immediate need for a thin client since you get everything as one package deal. I get your point about rationality etc. But I would be looking for a minimum of rationality; I don't want to be in a position to have to defend the bills for my work the same way. That's going to be more than $120 per month.
    1 like
  29. To add to Ted S’s suggestion, see this post I found doing a Google search for "How do you reindex a field in FileMaker" HTH Lee
    1 like
  30. Yes, that is (yet another) quirk of the Xalan processor. You need to add the following attribute:
     xalan:indent-amount="2"
     to the <xsl:output> element and:
     xmlns:xalan="http://xml.apache.org/xalan"
     to the <xsl:stylesheet> element. Then change:
     exclude-result-prefixes='fmp'
     to:
     exclude-result-prefixes='fmp xalan'
    1 like
  31. Well, if you have 'allow creation' on, you will get the blank row for entry. It is the intended behavior. See if you can make use of this post. http://fmforums.com/forum/topic/72211-revisit-adding-records-to-a-portal
    1 like