Serious Web Security problem


simon1663
This topic is 7149 days old. Please don't post here. Open a new topic instead.

Recommended Posts

If you use the Web Security database for access control try this in Internet Explorer or any other utility to look at the XML generated:

http://localhost/FMPro?-db=Web%20Security.fp5&-format=-fmp_xml_dtd&-findall

http://localhost/FMPro?-db=Web%20User_.fp5&-format=-fmp_xml_dtd&-findall

As you can see, it gives out all the usernames and passwords - as well as databases and their opening passwords....

Any comment?

please email me if you have a solution or workaround...

[email protected]

[ March 22, 2002, 09:07 PM: Message edited by: simon1663 ]


Web Security database (along with Web Users_.fp5) is automatically shared without having to enable sharing for Web Companion.

Try it....

I am using FMDev 5.5

Filemaker will be in deep trouble if someone starts hacking using this. Filemaker's own website was last month (I heard so in the FSA breakfast event from the demonstrator).


Simon -- it doesn't show in browser. And I have WebSecurity disabled in WebCompanion.

They are checked for access from Web, but disabled in WebCompanion.

Having said that, the whole security window is wide open.

We had developed the "Security Filter". Do you want to try that?


Guys,

I appreciate your comments/suggestions but

1. I do have sharing turned off for the web security databases (they are all single-user databases with no sharing whatsoever).

2. I do need to use the web security databases rather than using some middleware like PHP/ASP/JSP. If I had to use any of them I would use Oracle/MySQL as opposed to Filemaker.

3. Web Security database is shared (regardless whether the user wants it or not) on the web - if that is the preferred authentication method for web companion.

4. The Web Security database is not shown in the databases open for Instant Web Publishing, but it is available via XML (see my earlier posts).


Simon,

Go to 'Sharing' for the Web Security files and uncheck 'Web Companion'. This is not supposed to be checked!

You will not be able to access it via xml. It does not need 'Web Companion' checked to perform its security functions.

Garry

[ March 23, 2002, 09:08 PM: Message edited by: Garry Claridge ]


My development system and a number of client systems, which I can test right now, use Web Security. None of the Web Security files are accessible via xml. I have even just tested them again; you can never do enough security testing.

However, if I check 'Web Companion' in the 'Sharing' window they are available.

You may need to check if more than one host is running with 'Web Security' databases open!

All the best.

Garry


Simon,

I'm using FMP 5.5v2

Try this site:

http://IP:port/FMPro?-db=Web%20Security.fp5&-format=-xml_fmp&-findall

You will be able to list two of the files on the site; however, all others should be protected. You should not be able to list any of the 'Web Security' files.

All the best.

Garry

PS: I've just taken the IP/port out of the URL. If you didn't get a chance to test it, send an email to me.

[ March 23, 2002, 10:19 PM: Message edited by: Garry Claridge ]


'-xml_fmp' was a typo in the message. However, something is wrong somewhere if you are able to access your 'Web Security' files via '-fmp_xml' and '-raw'.

A couple of comprehensive threads exist on security. These started around January. One in particular, started by 'chazboi', eventuated in him writing a very handy piece of software for testing your security.

All the best.

Garry
