January 25, 2002 I'm having a problem with the web security database. I didn't know it existed until an hour ago, so I'm new to it. Web Security DB is set up as:
All Databases, All Users (no password): Browse, Create, Edit
Field name "sodsc": Exact Search
There is no security set up on the database called "PROJECTS.FP5", which is the one I'm working on now. The URL that I'm using is:
http://xxxxxxxxxx:591/projects/FMPro?-db=PROJECTS.FP5&-format=search_results.html&-lay=Project&-Error=search_results.html&sodsc=EP9D43o5iQ5L&-find=
I get a JavaScript pop-up returned that says: "Access Restriction: You do not have access privileges to perform the action: find". There is at least one record in the PROJECTS.FP5 database that has the field sodsc equal to EP9D43o5iQ5L. For the record, I'm using FMP 5.5 on a Win2k box running IIS. I'm using custom web publishing, and security is set to use the web security database. Why am I getting this error? Thanks for your help, Carrie
January 25, 2002 I would remove the "Exact Search" restriction; I believe this is causing the security violation. All the best. Garry
January 25, 2002 First, All Databases should be deleted. Next, create a new record for project.fp5 and set your permissions. Also, you may want to visit the FileMaker site and find (and read) the .pdf document on Web Security. It is sort of interesting to a FM developer.
Also you need to be aware of the problems associated with a single-threaded ScriptMaker engine encountering near-simultaneous requests over the multi-threaded WWW. If you do not take precautions in this regard you may find that data gets lost while a client gets misinformed. This issue has been widely discussed on the Internet forums over the past year. Do not dismiss this as unlikely to occur.
I am now scheduled to get a broadband hook-up this Monday. However, this hook-up was promised three weeks ago, so we'll see. (I'm posting this from a public library.) In any event, once I get set up and get a couple of days to troubleshoot and tie up some loose ends, I will be posting that site on the cdml forum. It will provide a demonstration of the workaround to the script problem. You will be able to test it for yourself at that time. Prior to that, you may want to make yourself aware of the problem as it exists. A lot of info has been posted on the cdml forum. SIMPLIFY ... Keith [ January 25, 2002: Message edited by: Keith M. Davie ]
January 25, 2002 RE: "Ultimately, what I'm trying to do is have as secure a database as possible without having users enter ids and passwords." No way with FileMaker. Anyone can list all your records in any database in any layout and call any script by name. Search the forum for this...
January 25, 2002 How does the user enter their "Username", and how is the "sodsc" generated for each session (i.e. how is the URL formed containing the "sodsc")? You may be able to use a combination of Cookies, [FMP-IF] and [FMP-Include] tags in the first format page called by the URL. There are ways! Garry
January 25, 2002 (Author) Shouldn't All Databases work? I'm going to need this for all my databases; I just happen to be working on this one right now. Where do scripts come into play at all with this? I'm not running any scripts in my databases, and as far as I can tell the security databases don't have any that matter. I have read the forum pretty extensively about scripting and have been convinced that avoiding them is a good idea. So far, that's been perfectly fine. Anatoli, I'm not looking for any major security here, just some. If I can restrict access to all records that aren't associated with that 12 digit string, no one should be able to look at those other records. I know that string will be visible, but it's pretty darn hard to crack a 12 digit randomly generated string. The users of this database will be 20 staff members of mine, all of whom are undergraduate computer geeks. That's why I need security at all, just to keep them from easily screwing stuff up. No one will have delete access to anything, if I can help it, and no one will be able to submit anything under someone else's ID (the campus security scheme will prevent that). So as long as I can make it very difficult to get view access to certain records, I'll be okay. -Carrie
January 25, 2002 (Author) Garry, the users enter the site via a CGI that uses our campus authentication scheme (WRAP). They have to enter their campus username and password in order to gain access to the CGI at all. There is no way around this. They will get dumped back to that login screen from any web page they try to access. Contained within that CGI is a bunch of "if" statements that say if username=X then sodsc=12 digit string. I have a finite number of users, currently ~20, so that's not a big deal. These are my staff members, and there will never be that many. I've got 50 12-character strings, just in case. The URL is formed with the CGI saying to substitute the correct sodsc in the place of $sodsc:
$url="http://xxxxxxx:591/projects/FMPro?-db=PROJECTS.FP5&sodsc=$sodsc&-format=search_results.html&-lay=Project&-Error=search_results.html&-token=$user&-find=";
print "Location: $url\n\n";
[ January 25, 2002: Message edited by: Carrie ]
January 25, 2002 You could also assign the 'sodsc' to a second token, as such:
&sodsc=$sodsc&-format=search_results.html&-lay=Project&-Error=search_results.html&-token.1=$user&-token.2=$sodsc&-find="
Then at the beginning of the 'search_results.html' page have:
[FMP-If: CurrentToken:2 .eq.]
[FMP-Include: noway.html]
[FMP-Else]
either have the original html of 'search_results.html' or include another file.
[/FMP-If]
This may add some security. Garry
January 25, 2002 (Author) Hmmm.... I could do "if current token = the sodsc on that record, view the record, else noway.html"... that might work. I'll give that a try. Thanks a lot. -Carrie
January 26, 2002 RE: "If I can restrict access to all records that aren't associated with that 12 digit string, no one should be able to look at those other records." How? You can't. Read this forum on Web Security issues. Just try http://yourURL:591/FMPro?-db=youranydb.fp5&-format=-raw&-findall if you are serving on port 591. Or without the :591
January 26, 2002 (Author) But if the web security database has the "exact search" option selected for the sodsc field, then the findall command is essentially disabled. Or so I thought....
January 26, 2002 (Author) I need to keep the exact search for security purposes. Ultimately, what I'm trying to do is have as secure a database as possible without having users enter ids and passwords. As it stands now, I have a script that reads in a username from our campus authentication scheme. It then assigns a preselected 12 character random string as the field "sodsc." A find is performed via the URL I listed before. I'm trying to prevent someone from just taking the sodsc=xxxx out of the URL and being able to find all the records in the database. If it is required that the string match exactly, they can't just eliminate it. And if they manage to guess or crack someone else's 12 character random string, more power to them. Thanks, Carrie
January 26, 2002 This has nothing to do with your security settings! Everyone in the world equipped with an Internet connection and a browser can list all your databases as well as mine WITHOUT ANY PASSWORD WHATSOEVER. Until FMI does something about that, FM is WIDE OPEN TO EVERYONE! It is a job for around 1 hour, and FMI is just neglecting this. Because FMI doesn't respond to any such reports I will probably post a report of this major security hole to all boards everywhere. FMI is behaving much worse than Microsoft.
January 27, 2002 Carrie, I was just looking over your original question and found that the URL was missing the "&-op=eq&" tag. Including this will allow you to do what you wish. In combination with the [FMP-If] and [FMP-Include] tags you can feel reasonably secure. I tested "Web Security/Exact Match" with '-raw' and '-fmp_xml' and '-findall'. It excluded all attempts. All the best. Garry
January 27, 2002 (Author) Cool. Thanks. I'll check that out tomorrow when I'm back at work. If that doesn't work, I'll check into the other solution you offered. Thanks for the help. -Carrie
January 27, 2002 RE: "Carrie, I was just looking over your original question and found that the URL was missing the "&-op=eq&" tag. Including this will allow you to do what you wish. In combination with the [FMP-If] and [FMP-Include] tags you can feel reasonably secure. I tested "Web Security/Exact Match" with '-raw' and '-fmp_xml' and '-findall'. It excluded all attempts. All the best. Garry"
Garry, this has nothing to do with the Web Security database! The command FMPro?-db=database.fp5&-format=-raw&-findall can be executed with or without a setting in the Security Database; just try that. Even if you disable all access it still displays everything from the database. Let's do the test. Give me the URL address of your hosted database and I will see everything from it. Did you look at the thread "Security Loophole"? There is even a tool for displaying everything from this talented "chazboi" gentleman!
January 27, 2002 For reasons having nothing to do with CDML or XML, I don't think this database is very secure. Old Advance Man
January 27, 2002 That is correct. I had port 5003 open on my router (Apple Airport). I just use this for testing. I've now closed that port on the router and the new IP is 210.84.184.26 We are currently testing the 'strength' of the "Exact Search" feature of the "Web Security" database. Any positive input appreciated! All the best. Garry
January 27, 2002 IMHO -- the "Exact Search" is displaying just the result from the single field with "Exact Search". How do you then display another 100 fields? They cannot be "Exact Search" matched in WS databases. As soon as that is in use, with the -raw format all fields (maybe without the "Exact Search" field) are downloadable. Your "Exact Search" is not working for http://210.84.184.26:1154/FMPro?-dbnames nor for http://210.84.184.26:1154/FMPro?-db=combotest.fp5&-layoutnames and not for http://210.84.184.26:1154/FMPro?-db=combotest.fp5&-scriptnames That is a real problem for any security requirements. I just received the first two protection programs. The first is a blocking application, which doesn't work very well, and the second is for Mac, based on modification (hacking) of WC.
January 28, 2002 RE: Exact search. This link is the right syntax for Exact search: http://localhost/FMPro?-db=test.fp5&-Op=eq&id=1&-format=-raw&-find It also reveals all content of all fields + names of fields. To use the exact search for slightly better security there are 2 ways: 1. hidden field. That is OK until a hacker gets the hidden field; that is 1 minute of work. 2. all users must enter a "secret code" into the "exact search" field. That will be the best security so far, but who wants to bother the user with that? Any other ideas?
January 28, 2002 Anatoli, Try this: http://210.84.184.26:1154/FMPro?-db=combotest.fp5&-lay=web&-format=hworld.html&-op=eq&tryme=hello&-find The format file contains other fields. I know that "Exact Search" does not stop somebody from seeing the names of databases, layouts and fields. However, if you don't mind this, your data is safe. All the best. Garry
January 28, 2002 http://210.84.184.26:1154/FMPro?-db=combotest.fp5&-lay=web&-format=-raw&-op=eq&tryme=hello&-find will again reveal more than any author wishes. And to use a fixed "exact search" is no security at all. I have been trying to improve on the existing FMI web software for 3 years and it is still open to the world. But our protection gizmos are promising.
January 28, 2002 Any fields with "Don't Show" checked in the "Web Security" database will not return data with the '-raw' format. This could be a pain, setting up a lot of fields which need to be protected. However, it does the job of hiding the data. I'm learning more every day! All the best. Garry
January 28, 2002 It is very unlikely someone can really use that. Other people might need that. Furthermore, to use a fixed value "exact search" is no security at all. That is good for password fields, direct access to non-shared info etc. Have a good day! I am going to bed
January 28, 2002 Anatoli, I have tested it. Here is the URL for a test database; this is a dial-up, however the IP address should be OK for about the next 6 hours. http://210.84.184.26:1154/FMPro?-db=combotest.fp5&-format=-raw&-findall I have an exact match restriction on the field "tryme". Try the values "hello" and "help"; I only have two records in the database. Good Luck. Garry
January 29, 2002 Sorry for the delay in responding, I've been having 'puter troubles. Am responding from a public library today. On the 25th Carrie asked (I assume in regards to my earlier response), "Where do scripts come into play at all with this?" Gee, I don't know Carrie. I guess it was your statement prior to my response which went, "As it stands now, I have a script that reads in a username from our campus authentication scheme. It then assigns a preselected 12 character random string as the field "sodsc."" I took that statement to mean what it said. Sorry to have troubled you with my response to it. SIMPLIFY ... Keith
February 1, 2002 (Author) Ah. My script is external to FileMaker. It's a Perl script that generates the URL that does the initial find in FileMaker. I'm trying really hard not to use scripts within FileMaker, at least for the web.
February 8, 2002 What will happen with a request like: http://www.url.com/FMPro?-db=yourfm.fp5&-format=-raw&-findall and the other "hacking" syntax?
February 9, 2002 Happily, the answer is "nothing". Nothing happens when localhost is the front door. Nothing happens when localhost is the FMP machine. Cool huh? Tell the people at IPNetSentry that Dr.J sent you.
February 9, 2002 I have employed the following set-up to enhance security. Webstar on one Macbox, FileMaker on a separate Macbox which runs IPNetSentry set to exclude all remote requests other than those coming from the front door Webstar server. IPNetSentry is designed to monitor and filter and block various types of requests to the TCP/IP connection. It can be set up to block all requests to FileMaker other than those coming from your own server. Seems to work, but I'm no pro. http://www.sustworks.com/site/prod_ipns_overview.html
February 9, 2002 Great! It is probably based on the same principle as what we are developing for Windows. FM did a lousy job with security in WebCompanion
February 12, 2002 Wow, what kind of application is FileMaker that can expose critical data to hackers? I put to work all the hacking commands in the FileMaker website, and they really don't work. It is a consequence of the use of Apache servers that can deny any specific URL. I read somewhere else in this forum that with the use of Apache and some URL restrictions you can avoid the problem with this hacking code. Does anybody have a list of this hacking code, and some way to protect from hackers? What will happen with custom security or login solutions based in FileMaker, should we move to a web server solution?? regards, cAmcOrp
February 12, 2002 cAmcOrp, The two main offenders are the '-raw' and '-fmp_xml' tags. However, use of the 'Web Security' database can reduce their effectiveness in some situations. The use of a web server with 'FM Unlimited' and the 'Web Connector' can also help. All the best. Garry
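A defender-side complement to cAmcOrp's question and Garry's answer: a log scan that flags the request shapes this thread names (the '-raw' and '-fmp_xml' formats, '-findall', the '-dbnames' / '-layoutnames' / '-scriptnames' actions, and '-script='), so a front-door web server's access log can be checked for them. This is an added example, not code from the thread or from FileMaker; the log lines are constructed and the Common Log Format layout is assumed.

```python
"""Flag FileMaker Web Companion requests that bulk-dump or enumerate a database.

Added example, not code from the thread or from FileMaker. It scans web server
access-log lines (Common Log Format, constructed below) for the FMPro request
shapes the thread names: the -raw and -fmp_xml formats, -findall, the
-dbnames / -layoutnames / -scriptnames enumeration actions, and -script=.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Request features discussed in the thread (spelled as FileMaker spells them).
DUMP_FORMATS = ("-raw", "-fmp_xml")
ENUM_ACTIONS = ("-dbnames", "-layoutnames", "-scriptnames")

# Constructed sample log: one legitimate exact-match find, then the shapes to flag.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2002:10:01:02 +0000] "GET /projects/FMPro?-db=PROJECTS.FP5&-format=search_results.html&-lay=Project&sodsc=EP9D43o5iQ5L&-op=eq&-find= HTTP/1.0" 200 1843
203.0.113.7 - - [27/Jan/2002:10:01:15 +0000] "GET /projects/FMPro?-db=PROJECTS.FP5&-format=-raw&-findall HTTP/1.0" 200 98211
198.51.100.9 - - [27/Jan/2002:10:02:00 +0000] "GET /FMPro?-dbnames HTTP/1.0" 200 412
198.51.100.9 - - [27/Jan/2002:10:02:05 +0000] "GET /FMPro?-db=combotest.fp5&-scriptnames HTTP/1.0" 200 220
198.51.100.9 - - [27/Jan/2002:10:02:09 +0000] "GET /FMPro?-db=combotest.fp5&-lay=web&-format=hworld.html&-script=copya&-find HTTP/1.0" 200 500
192.0.2.4 - - [27/Jan/2002:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1200
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(url):
    """Return the reasons a request looks like a dump or enumeration; [] if none."""
    parts = urlsplit(url)
    # Web Companion answers on /FMPro; the thread's URLs vary its case.
    if not parts.path.lower().endswith("/fmpro"):
        return []
    # keep_blank_values so bare actions such as "-findall" or "-dbnames" survive.
    params = parse_qsl(parts.query, keep_blank_values=True)
    keys = {k.lower() for k, _ in params}
    values = {k.lower(): v.lower() for k, v in params}
    reasons = []
    if values.get("-format") in DUMP_FORMATS:
        reasons.append("bulk format " + values["-format"])
    if "-findall" in keys:
        reasons.append("-findall (every record, no criteria)")
    for action in ENUM_ACTIONS:
        if action in keys:
            reasons.append("enumeration " + action)
    if "-script" in keys:
        reasons.append("script invocation -script=" + values["-script"])
    return reasons


def scan_log(text):
    """Parse each log line and keep those whose request was flagged."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        reasons = classify_request(m.group("path"))
        if reasons:
            flagged.append({"ip": m.group("ip"), "ts": m.group("ts"),
                            "path": m.group("path"), "reasons": reasons})
    return flagged


def offending_ips(text):
    """Count flagged requests per client address, for alerting or blocking."""
    return dict(Counter(hit["ip"] for hit in scan_log(text)))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["path"], "->", "; ".join(hit["reasons"]))
    print(offending_ips(SAMPLE_LOG))
```

On the constructed sample the exact-match find with -op=eq passes untouched while the -raw/-findall dump, the two enumeration calls and the -script= request are reported, three of them from the same address.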
February 12, 2002 On Jan. 27, Garry wrote, "Any fields with "Dont Show" checked in the "Web Security" database will not return data with the '-raw' format." I think I see a problem in this discussion.
-----
I have format files and a db which I used for this test, events_.fp3. I set Web Security for events_.fp3 as follows:
User Name: all users
User Password: blank (none)
User Permissions: blank (none)
Field Name / Field Restrictions:
expire: Don't Show
toady: Don't Show
parse: Don't Show
Run over a fake LAN I can display data from these fields called by html/cdml vis-a-vis my format files and on a record-by-record basis. When I use the force command (&-format=-raw&-findall) in the url I can display all the data in all the fields in all the records from that db in my browser window.
Let's say you have a site which, when accessed, pops up a window which requires a name and password (the standard FileMaker entry). For the public you tell them enter the word "ethereal". When they do they gain access to certain databases and format files. When you or your trusted parties get this dialog box they enter their name and individual password and get access to other databases through their browser. If a public client uses something like D-Base the "private" databases will be listed (in D-Base, assuming it is used) since those db files are being served through WC over the web at the xxx.xxx.xxx.xxx which is also displayed. That "private", password protected database can have all its data accessed and displayed in a browser even with all the field restrictions checked through the use of the force command.
--
I'm not sure, but I think we are talking about two different things. I believe that Garry is referring to using a cdml tag which includes the raw parameter on a format file, and that such a tag will not display data if the field has been marked "Don't Show" in Web Security. [ February 12, 2002, 02:32 PM: Message edited by: Keith M. Davie ]
February 12, 2002 The FileMaker site interrogated with the http://prdb.filemaker.com/FMPro?-dbnames URL is sending to the browser: 0 ets fsa_stories poweredby etspr_login_temp etspr_login ets_Questionnaire_temp ets_Questionnaire contacts fm_newsletter web_survey xmlstory madewithfm resellers PlugInReg tirelevence ti contactsales customerassistance PRYourStory Evaluation Stories intl PReval Press_Edit PressExt PRCustStories PR feedback jobsext jobemail Web Fields_ Web Security The link http://tidb.filemaker.com/ti/FMPro?-db=ti.fp5&-findall=&-format=-raw is also working. To use "don't show" is OK for fields which are not for the web, which in my design is around 10%. To use "exact search" is OK in some cases, but not always. WSC offers no protection, but some kind of filter, a proxy filter, can help 10-100%.
February 13, 2002 Here is what I have found using: http://ip:port/FMPro?-db=mydb.fp5&-format=-raw&-findall and "Web Security" as: 'All Users' : 'Browse', a number of fields 'Don't Show'. The result is that all the field names are shown; however the data for those fields is not displayed. Hope this is what others are experiencing!!! Garry (nervous)
February 13, 2002 Ok, I set the fields in events_.fp3 (this is the same db and format files I used in the Turansky thread, but in FMPro 4.0v3) to Browse and Don't Show in Web Security.fp3. After that I shut my Mac down for the night. Now I've restarted and rechecked my work over a fake LAN (flan), using address 198.0.0.1. As I cruise through my browser I get a url to appear:
http://198.0.0.1/fmpro?-db=events_.fp3&-format=list.htm&expire=<=&expire=2/13/2002&-find
I edit that url to:
http://198.0.0.1/fmpro?-db=events_.fp3&-format=-raw&-findall
When I hit the return key (Mac), all the data in all the fields from all the records are displayed in the browser. I will now go do the same in FMPro 5 and see if I get different results. If so, then the problem will exist only with 4.0. I'll report back soon.
February 13, 2002 Ok. I tried this in Pro 5.0v3. Used the same permissions/restrictions as above (and same as Garry's) and again was able to display all the data in all the fields of all the records. I don't know what I am missing.
February 13, 2002 Regarding Anatoli's post of 2/12. He gives two links to FileMaker. The first (not a public site) does display the field names only. The second, "The link http://tidb.filemaker.com/ti/FMPro?-db=ti.fp5&-findall=&-format=-raw is also working.", reveals the field names and what appears to be all the data from all the records. Yet it also appears much as a Read Me for Pro 5.5. "0 23 artnmbr title article datemade datemod product platform articleshort artsearch faxanscat relevancecalc relevancestatic wordsearchtext wordsearchcalc wordsearchextract articlebold articleboldOLD ftp_marker ftp_mac ftp_pc article_count datemod_month_calc datemod_sort_cal ffffft15t6ffffffffffffffff ttttttttttttttttttttttt nccddcccccccccccccccnnn eeeeeeeeeeeeeeeeeeeeeee 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 25 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 107823 FileMaker Pro 5.5 Unlimited Readme Thank you for licensing a FileMaker product. March 05, 2001 This file contains additional information and known issues regarding FileMaker Pro 5.5: ..." What am I missing?
February 14, 2002 Regarding Anatoli's other link which was posted 2/12, "The FileMaker site interrogated with http://prdb.filemaker.com/FMPro?-dbnames URL is sending to the browser: 0 ets fsa_stories poweredby etspr_login_temp etspr_login ets_Questionnaire_temp ets_Questionnaire contacts fm_newsletter web_survey xmlstory madewithfm resellers PlugInReg tirelevence ti contactsales customerassistance PRYourStory Evaluation Stories intl PReval Press_Edit PressExt PRCustStories PR feedback jobsext jobemail Web Fields_ Web Security ", the thought occurs to me that it is possible that only field names and no data are showing because there is only one record and it is void of data.
February 15, 2002 As I mentioned above, I've been trying things on a fake LAN (flan). Well, I decided to try things with my website. Here is some of what I have found. The online experience is a bit different than the flan. When I set the field username to "Don't Show" in one db, the username did not show in the force action. Unfortunately it did not show on the web page either. Similarly, when I set some other fields to "Don't Show" certain finds did not work. Conclusion: While it is possible to "hide" certain fields and their data, other fields cannot be so restricted.
Other steps can be taken. Fortunately I am using scripts. Because of that I can remove some data completely to db files which are not web enabled. Of the four db's which are web enabled, one contains no records. Two maintain one blank record, though more records can accumulate should the user quit the site, and those db's require regular housekeeping chores. The fourth db is basically a list of usernames and a bunch of numbers. Even though this data can be viewed by the force action, it is rather harmless. If any of the experts out there are able to determine the number of db's which my site uses which are not web connected and what their file names are, I think we would all be interested. Meanwhile, anyone interested can try these links:
http://www.simplifyfm.com:591/simply/fmpro?-db=signon_.fp3&-format=-raw&-findall
http://www.simplifyfm.com:591/simply/fmpro?-db=long_.fp3&-format=-raw&-findall
http://www.simplifyfm.com:591/simply/fmpro?-db=simply_.fp3&-format=-raw&-findall
http://www.simplifyfm.com:591/simply/fmpro?-db=show_.fp3&-format=-raw&-findall
Also, there has been mention of being able to run scripts once their names are known. Well, I guess that if you use D-Base you will be able to get the script names in these four db files. If anyone can get a script to run from that information I think we would all like to know how you accomplished that.
February 15, 2002 Keith, I'm not sure if that was me or not. However, I used Charlie's program to get the script names. Then I included '-script=copya' in the url. I couldn't tell what it was doing, though. Garry
February 15, 2002 "Fortunately I am using scripts. Because of that I can remove some data completely to db files which are not web enabled. Of the four db's which are web enabled, one contains no records. Two maintain one blank record, though more records can accumulate should the user quit the site, and those db's require regular housekeeping chores. The fourth db is basically a list of usernames and a bunch of numbers. Even though this data can be viewed by the force action, it is rather harmless."
Keith, I know you are a hard-working man. But your scripts will not work under heavy load in a single Unlimited -- the most used configuration. It will not pass through my testing procedure regardless of any workarounds, good or bad. The testing is in IE: the standard page is using -max 10-15. The test page is using -max 50 and will display not only found records, but also a chapter with 1-3k text, and no caching is allowed at all. On the bottom of the result page there is JavaScript immediately firing another, second test page with different search logic. The second page is triggering a third page, which is submitting a page full of data to generate a new record in the FileMaker database of size 30k. After the submit is done another, fourth page is called to display yet another search result. You get quite a load with this. And again loop to the first request. The same test is started in the Navigator browser. Everything is running on 100Mb Ethernet. And then another computer starts the same firing-squad test with multiple browser requests. The result is full load on FileMaker. The fast HD is singing under this load. Pages are blinking fast. I doubt that shifting data in and out with scripts will work for hours in this test, consistently and at an average speed of 6-9 requests per second. That is load.
February 15, 2002 Probably was Garry. Anatoli, you wrote, "... your scripts will not work on heavy load in single Unlimited -- the most used configuration. It will not pass through my testing procedure regardless of any workarounds good or bad." When you say "your scripts", are you running your test program on my site which contains my scripts? Or have you constructed your own scripts based on the example of the workaround which I sent you last April, and those are what you are testing? I am not quite following what you are doing.
February 15, 2002 To elucidate a bit further on Garry's activity, you may receive a FileMaker message, or if you use a findall, you may get a browser force to appear. However, as the client you have no way of knowing if you have affected a db or run the script.
February 15, 2002 Under such load it is impossible to shift something from one database to another database via script and back. This round trip will take a longer time than 3-5 replies from WC under that stress. So when the data gets there, nothing is valid any more in the database. Sorry, scripts are not for the web with heavy load. Just from curiosity, how many of such "round trips" can the computer manage per second? And how many with heavy load from WC?
February 16, 2002 Anatoli, I understand you are talking theory. Therefore I must assume that you have not tried to run a script which would handle the data load about which you posted. In theory, what would you say is the maximum time length for a script and its subscripts to run under the load about which you are speaking?
Less than 250 milliseconds
Less than 100 milliseconds
Less than 50 milliseconds
If less than 50 milliseconds, how many milliseconds? Please notice that the scripts which I constructed for my demonstration were purposely designed in a cumbersome way in order to increase the time of their running such that the opportunity to create an error page is greatly enhanced for the curious Developer who is following the instructions which are contained in the website. Also, it is obvious that the security issue of this thread needs further investigation. As a Developer, you can be assured that I will be striving to find an answer.
February 16, 2002 "If anyone can get a script to run from that information I think we would all like to know how you accomplished that." Ok. How did you accomplish that?
February 16, 2002 Even 50 milliseconds is a long time. When you finish the transfer, and you release the thread, there are another 1-5 CDML requests waiting in the queue and one will be picked as the next. Thus all results shown in FM are lost. In FileMaker code there is not a single mechanism which will halt ALL requests from the WC plugin until another job is finished. Did you try to work in FM Unlimited while connected to the web with some load? That is simply impossible. Yes, if there were some kind of flag which I can set, and everything would stay in the queue until I released this flag, then yes, we could do a lot. In a multi-user scenario it can be done with scripts because everything can be processed with scripts. But not in WebCompanion unless EVERYTHING is running through scripts and not from CDML. In that case I will need a 10 RAIC system to replace a single Unlimited.