Serious Web Security problem

[simon1663]

If you use the Web Security database for access control try this in Internet Explorer or any other utility to look at the XML generated:

http://localhost/FMPro?-db=Web%20Security.fp5&-format=-fmp_xml_dtd&-findall

http://localhost/FMPro?-db=Web%20User_.fp5&-format=-fmp_xml_dtd&-findall

As you can it gives out all the username and password - as well as databases and their opening password....

Any comment?

please email me if you have a solution or workaround...

[email protected]

[ March 22, 2002, 09:07 PM: Message edited by: simon1663 ]

[Garry Claridge]

This will only occur if you have the 'Web Security.fp5' database shared with WebCompanion. This database should not be shared.

Hope this helps.

Garry

[simon1663]

Web Security database (along with Web Users_.fp5) is automatically shared without having to enable sharing for Web Campanion.

Try it....

I am using FMDev 5.5

Filemaker will be in deep trouble if someone start hacking using this. Filemaker's own website was last month (I heard so in the FSA breakfast event from the demonstrator)

[Anatoli]

Simon -- it doesn't show in browser. And I have WebSecurity disabled in WebCompanion.

They are checked for access from Web, but disabled in WebCompanion.

Having said that, the whole security widow is widely open.

We had developed the "Security Filter". Do you want to try that?

[Keith M. Davie]

And they should be set for Single User.

[Anatoli]

If possible all files should be single user. But sometimes files must be shared between FM.

[simon1663]

Guys,

I appreciate your comments/suggestions but

1. I do have sharing turned off for the web security databases ( they are all single user databases with no sharing or what so ever)

2. I do need to use the web security databases rather than using some middleware like PHP/ASP/JSP. If I had to use any of them I would use Oracle/MySQL as opposed to Filemaker.

3. Web Security database is shared (regardless whether the user wants it or not) on the web - if that is the preferred authentication method for web companion.

4. The Web Security database is not shown in the database open for instant web publishing but it is available via XML ( see my earilier posts).

[Garry Claridge]

Simon,

Go to 'Sharing' for the Web Security files and uncheck 'Web Companion'. This is not supposed to be checked!

You will not be able to access it via xml. It does not need 'Web Companion' checked to perform its security functions.

Garry

[ March 23, 2002, 09:08 PM: Message edited by: Garry Claridge ]

[simon1663]

>Go to 'Sharing' for the Web Security files and

>uncheck 'Web Companion'. This is not supposed to

>be checked!

Yes, it is unchecked but the data is still available via XML.

[Garry Claridge]

My development system and a number of client systems, which I can test right now, use Web Security. None of the Web Security files are accessible via xml. I have even just tested them again; you can never do enough security testing.

However, if I check 'Web Companion' in the 'Sharing' window they are available.

You may need to check if more than one host is running with 'Web Security' databases open!

All the best.

Garry

[simon1663]

Sorry pal,

It didn't work...

Give me your IP/ Or your client's IP and I will see if it can be hacked

I am using FMDev5.5 - what are you using?

Can it be something to do with the WebCampinion plugin version??

[Garry Claridge]

Simon,

I'm using FMP 5.5v2

Try this site:

http://IP:port/FMPro?-db=Web%20Security.fp5&-format=-xml_fmp&-findall

You will be able to list two of the files on the site, however all other should be protected. You should not be able to list any of the 'Web Security' files.

All the best.

Garry

ps I've just taken the IP/port out of the url. If you didn't get a chance to test it send an email to me.

[ March 23, 2002, 10:19 PM: Message edited by: Garry Claridge ]

[Garry Claridge]

Simon,

Go to 'Sharing' and uncheck 'Web Companion' for all three files. They are not supposed to be shared.

I don't know why they are checked on your system. I have never seen a system where they are checked (enabled for Web Companion)!

All the best.

Garry

[simon1663]

Didn't get enough time to crack it because My dialup time was over

anyway, it is -fmp_xml as opposed to -xml_fmp I think

[Garry Claridge]

'-xml_fmp' was a typo in the message. However, something is wrong somewhere if you are able to access your 'Web Security' files via '-fmp_xml' and '-raw'.

A couple of comprehensive threads exsist on security. These started around January. One in particular, started by 'chazboi', eventuated in him writing a very handy piece of software for testing your security.

All the best.

Garry