
This topic is 8271 days old. Please don't post here. Open a new topic instead.


Posted

If you use the Web Security database for access control try this in Internet Explorer or any other utility to look at the XML generated:

http://localhost/FMPro?-db=Web%20Security.fp5&-format=-fmp_xml_dtd&-findall

http://localhost/FMPro?-db=Web%20User_.fp5&-format=-fmp_xml_dtd&-findall

As you can see, it gives out all the usernames and passwords - as well as databases and their opening passwords....

Any comment?

please email me if you have a solution or workaround...

[email protected]

[ March 22, 2002, 09:07 PM: Message edited by: simon1663 ]

Posted

Web Security database (along with Web Users_.fp5) is automatically shared without having to enable sharing for Web Companion.

Try it....

I am using FMDev 5.5

Filemaker will be in deep trouble if someone starts hacking using this. Filemaker's own website was last month (I heard so in the FSA breakfast event from the demonstrator)

Posted

Simon -- it doesn't show in browser. And I have WebSecurity disabled in WebCompanion.

They are checked for access from Web, but disabled in WebCompanion.

Having said that, the whole security window is wide open.

We had developed the "Security Filter". Do you want to try that?

Posted

Guys,

I appreciate your comments/suggestions but

1. I do have sharing turned off for the web security databases (they are all single-user databases with no sharing whatsoever)

2. I do need to use the web security databases rather than using some middleware like PHP/ASP/JSP. If I had to use any of them I would use Oracle/MySQL as opposed to Filemaker.

3. Web Security database is shared (regardless of whether the user wants it or not) on the web - if that is the preferred authentication method for web companion.

4. The Web Security database is not shown in the databases open for instant web publishing but it is available via XML (see my earlier posts).

Posted

Simon,

Go to 'Sharing' for the Web Security files and uncheck 'Web Companion'. This is not supposed to be checked!

You will not be able to access it via xml. It does not need 'Web Companion' checked to perform its security functions.

Garry

[ March 23, 2002, 09:08 PM: Message edited by: Garry Claridge ]

Posted

>Go to 'Sharing' for the Web Security files and
>uncheck 'Web Companion'. This is not supposed to
>be checked!

Yes, it is unchecked but the data is still available via XML.

Posted

My development system and a number of client systems, which I can test right now, use Web Security. None of the Web Security files are accessible via xml. I have even just tested them again; you can never do enough security testing.

However, if I check 'Web Companion' in the 'Sharing' window they are available.

You may need to check if more than one host is running with 'Web Security' databases open!

All the best.

Garry

Posted

Sorry pal,

It didn't work...

Give me your IP, or your client's IP, and I will see if it can be hacked :)

I am using FMDev5.5 - what are you using?

Can it be something to do with the WebCompanion plugin version??

Posted

Simon,

I'm using FMP 5.5v2

Try this site:

http://IP:port/FMPro?-db=Web%20Security.fp5&-format=-xml_fmp&-findall

You will be able to list two of the files on the site, however, all others should be protected. You should not be able to list any of the 'Web Security' files.

All the best.

Garry

ps I've just taken the IP/port out of the url. If you didn't get a chance to test it send an email to me.

[ March 23, 2002, 10:19 PM: Message edited by: Garry Claridge ]

Posted

Simon,

Go to 'Sharing' and uncheck 'Web Companion' for all three files. They are not supposed to be shared.

I don't know why they are checked on your system. I have never seen a system where they are checked (enabled for Web Companion)!

All the best.

Garry

Posted

'-xml_fmp' was a typo in the message. However, something is wrong somewhere if you are able to access your 'Web Security' files via '-fmp_xml' and '-raw'.

A couple of comprehensive threads exist on security. These started around January. One in particular, started by 'chazboi', eventuated in him writing a very handy piece of software for testing your security.

All the best.

Garry
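
A log check for the requests discussed in this thread, as an added example that is not code from any poster or from FileMaker: it scans web access-log lines for `FMPro` requests that name one of the Web Security databases mentioned above. The Common Log Format layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Database names as they appear in this thread (compared case-insensitively).
PROTECTED_DBS = {"web security.fp5", "web user_.fp5", "web users_.fp5"}

# Assumed Common Log Format: client ... "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def parse_fmpro_query(target):
    """Return {parameter: value} for an FMPro request target, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/fmpro"):
        return None
    params = {}
    for part in filter(None, query.split("&")):
        name, _, value = part.partition("=")
        # Flag-style parameters such as -findall have no value; keep them as "".
        # '+' is normalised to a space so the check errs on the side of matching.
        params[unquote(name).lower()] = unquote(value.replace("+", " "))
    return params

def flag_line(line):
    """Return a finding dict if the line requests a protected database."""
    m = LINE_RE.match(line)
    params = parse_fmpro_query(m.group("target")) if m else None
    if not params or params.get("-db", "").strip().lower() not in PROTECTED_DBS:
        return None
    return {"client": m.group("client"), "db": params["-db"],
            "format": params.get("-format", ""),
            "dump": "-findall" in params,      # whole-table request
            "status": int(m.group("status"))}  # 200 suggests data was served

def scan(lines):
    return [f for f in map(flag_line, lines) if f]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2002:21:01:10 +0000] "GET /FMPro?-db=Web%20Security.fp5'
    '&-format=-fmp_xml_dtd&-findall HTTP/1.0" 200 5120',
    '192.0.2.10 - - [22/Mar/2002:21:01:15 +0000] "GET /FMPro?-db=web%20user_.FP5'
    '&-format=-fmp_xml&-findall HTTP/1.0" 200 2048',
    '198.51.100.7 - - [22/Mar/2002:21:02:00 +0000] "GET /FMPro?-db=orders.fp5'
    '&-format=results.htm&-find HTTP/1.0" 200 900',
    '198.51.100.7 - - [22/Mar/2002:21:02:05 +0000] "GET /index.htm HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit with status 200 is worth following up by checking the 'Sharing' setting for that file, as Garry describes above.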
