FMForums.com

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Serious Web Security problem


If you use the Web Security database for access control try this in Internet Explorer or any other utility to look at the XML generated:

http://localhost/FMPro?-db=Web%20Security.fp5&-format=-fmp_xml_dtd&-findall

http://localhost/FMPro?-db=Web%20User_.fp5&-format=-fmp_xml_dtd&-findall

As you can see, it gives out all the usernames and passwords - as well as databases and their opening passwords....

Any comment?

Please email me if you have a solution or workaround...

[email protected]

[ March 22, 2002, 09:07 PM: Message edited by: simon1663 ]

This will only occur if you have the 'Web Security.fp5' database shared with WebCompanion. This database should not be shared.

Hope this helps.

Garry

  • Author

Web Security database (along with Web Users_.fp5) is automatically shared without having to enable sharing for Web Companion.

Try it....

I am using FMDev 5.5

Filemaker will be in deep trouble if someone starts hacking using this. Filemaker's own website was last month (I heard so in the FSA breakfast event from the demonstrator).

Simon -- it doesn't show in browser. And I have WebSecurity disabled in WebCompanion.

They are checked for access from Web, but disabled in WebCompanion.

Having said that, the whole security window is wide open.

We had developed the "Security Filter". Do you want to try that?

And they should be set for Single User.

If possible all files should be single user. But sometimes files must be shared between FM.

  • Author

Guys,

I appreciate your comments/suggestions but

1. I do have sharing turned off for the web security databases (they are all single user databases with no sharing whatsoever)

2. I do need to use the web security databases rather than using some middleware like PHP/ASP/JSP. If I had to use any of them I would use Oracle/MySQL as opposed to Filemaker.

3. Web Security database is shared (regardless whether the user wants it or not) on the web - if that is the preferred authentication method for web companion.

4. The Web Security database is not shown in the database open for instant web publishing but it is available via XML (see my earlier posts).

Simon,

Go to 'Sharing' for the Web Security files and uncheck 'Web Companion'. This is not supposed to be checked!

You will not be able to access it via xml. It does not need 'Web Companion' checked to perform its security functions.

Garry

[ March 23, 2002, 09:08 PM: Message edited by: Garry Claridge ]

  • Author

> Go to 'Sharing' for the Web Security files and uncheck 'Web Companion'. This is not supposed to be checked!

Yes, it is unchecked but the data is still available via XML.

My development system and a number of client systems, which I can test right now, use Web Security. None of the Web Security files are accessible via xml. I have even just tested them again; you can never do enough security testing.

However, if I check 'Web Companion' in the 'Sharing' window they are available.

You may need to check if more than one host is running with 'Web Security' databases open!

All the best.

Garry

  • Author

Sorry pal,

It didn't work...

Give me your IP, or your client's IP, and I will see if it can be hacked :)

I am using FMDev5.5 - what are you using?

Can it be something to do with the Web Companion plugin version??

Simon,

I'm using FMP 5.5v2

Try this site:

http://IP:port/FMPro?-db=Web%20Security.fp5&-format=-xml_fmp&-findall

You will be able to list two of the files on the site; however, all others should be protected. You should not be able to list any of the 'Web Security' files.

All the best.

Garry

P.S. I've just taken the IP/port out of the URL. If you didn't get a chance to test it, send an email to me.

[ March 23, 2002, 10:19 PM: Message edited by: Garry Claridge ]

Simon,

Go to 'Sharing' and uncheck 'Web Companion' for all three files. They are not supposed to be shared.

I don't know why they are checked on your system. I have never seen a system where they are checked (enabled for Web Companion)!

All the best.

Garry

  • Author

Didn't get enough time to crack it because my dialup time was over.

Anyway, it is -fmp_xml as opposed to -xml_fmp, I think.

'-xml_fmp' was a typo in the message. However, something is wrong somewhere if you are able to access your 'Web Security' files via '-fmp_xml' and '-raw'.

A couple of comprehensive threads exist on security. These started around January. One in particular, started by 'chazboi', eventuated in him writing a very handy piece of software for testing your security.

All the best.

Garry
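
The check the thread argues over, as an added example that is not part of any post and is not chazboi's tool: a self-audit for a Web Companion host you administer, which sends the thread's `-findall` request for each security file and reports only whether rows came back. The FMPXMLRESULT layout (`ERRORCODE`, `ROW` elements), the sample reply and the function names are assumptions of this sketch.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Names as written in the thread; add any other file that must stay private.
PRIVATE_DBS = ["Web Security.fp5", "Web Users_.fp5"]

# Constructed sample of an FMPXMLRESULT reply (layout assumed, values made up).
SAMPLE_EXPOSED = (
    b'<FMPXMLRESULT xmlns="http://www.filemaker.com/fmpxmlresult">'
    b'<ERRORCODE>0</ERRORCODE><RESULTSET FOUND="2">'
    b'<ROW><COL><DATA>x</DATA></COL></ROW><ROW><COL><DATA>y</DATA></COL></ROW>'
    b'</RESULTSET></FMPXMLRESULT>')

def probe_url(base, db):
    """Build the -findall XML request from the thread for one database."""
    query = "-db=" + urllib.parse.quote(db) + "&-format=-fmp_xml&-findall"
    return base.rstrip("/") + "/FMPro?" + query

def classify(body):
    """Return (status, row_count); row contents are never kept or printed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("not-xml", 0)  # plain-text error or login prompt
    # Local element names with the XML namespace stripped; names[0] is the root.
    names = [el.tag.rsplit("}", 1)[-1] for el in root.iter()]
    if names[0] != "FMPXMLRESULT":
        return ("not-fmpxml", 0)  # e.g. an HTML error page
    error = next((el.text for el in root.iter()
                  if el.tag.endswith("ERRORCODE")), None)
    rows = names.count("ROW")
    if (error or "").strip() == "0" and rows > 0:
        return ("EXPOSED", rows)
    return ("no-data", rows)

def audit(base, dbs=PRIVATE_DBS, timeout=5):
    """Probe each database on a host you administer: {db: (status, rows)}."""
    results = {}
    for db in dbs:
        try:
            with urllib.request.urlopen(probe_url(base, db), timeout=timeout) as r:
                results[db] = classify(r.read())
        except OSError as exc:  # URLError and HTTPError are OSError subclasses
            results[db] = ("error: " + type(exc).__name__, 0)
    return results

if __name__ == "__main__":
    print(classify(SAMPLE_EXPOSED))
```

Run `audit("http://localhost")` on the server itself after every change to the 'Sharing' settings; any `EXPOSED` result means the security files answer XML queries regardless of what the checkbox shows.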
