Jump to content
Claris Engage 2025 - March 25-26 Austin Texas ×
  • entries
    45
  • comments
    63
  • views
    108,477

Protect Your FileMaker Server and Files From A Vulnerability


I have recently learned that there may be any number of FileMaker Server installations world-wide that are hosting files that open automatically without credentials challenge to the [Full Access] Privilege Set. The default-installed FileMaker Server Sample File is one of these; however, there are others.

This is not such a good practice. Such files offer an attractive attack vector that a Threat Agent can use to inflict damage on the FileMaker Server machine or on its hosted files. If a Threat Agent can locate the server and access it, an attack can occur using these files.

Most attacks occur when a Threat Agent utilizes some vulnerability to mount an exploit that has some negative impact on the Confidentiality, Integrity, or Availability (CIA) of a digital asset such as a FileMaker Pro database. To that we must now add that the exploit can adversely impact the Resilience of the database system as well. We measure that negative impact of an attack along a continuum ranging from Limited to Serious to Severe to Catastrophic. In managing security in FileMaker database systems, we work to block Threat Agents, to close vulnerabilities, and to mitigate the negative impact of an attack.

I would therefore strongly recommend the following actions:

  1. If you do not need the FileMaker Server Sample File, then remove it from your server. If you do need it, give it credentials or have it open to a restricted privilege level.
  2. If you have other files that open without challenge to [Full Access] privileges, then change that process to require credentials or, at the least, to open to a restricted level of privileges.
  3. Periodically review the FileMaker Server Access Log to see if it contains evidence of unusual or unexpected access to the server. Of course, for that to work, you must enable this log in the FileMaker Server Admin Console.

It is my view that in the FileMaker community we have a responsibility to one another to help each other maintain safe systems, to avoid and to prevent attacks, and to block Threat Agents. I will continue to advise the community of security-related items from time to time.

Steven H. Blackwell

4 Comments


Recommended Comments

Ocean West

Posted

Thank you for this timely reminder -

 

I can see this being much easier for the un-intentioned developer to open themselves up for vulnerability now that UPLOAD to server is right there in the toolbar / menubar, making it very easy to upload a "test" file to test out an idea or solution. 

Danny Mack

Posted

I think another likely scenario, in addition to a "test" file, is when a user who has sufficient access, or an administrator who doesn't realize the risk, puts up a file that is not part of a secure solution... in which they don't consider the data to be critical.  Honestly, I have put many such files on servers in the past...  Thanks for identifying this issue, Steven.

  • Like 1
Steven H. Blackwell

Posted

Danny and Ocean West (aka D), you are both very welcome.  Thanks to both of you for your years of effort to aid the community better to understand security related items.

 

Steven

Richard Carlton

Posted

Thanks Steve... somewhere along the way... this didn't make it to my Radar.   Now it is.  - RC

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.