Leb i Sol Posted May 7, 2003

hi Guys! Here is another VERY concerning security news:

http://www.securityspace.com/smysecure/catid.html?id=11586

Category: Remote file access
Title: FileMakerPro Detection
Summary: connects to port 49727 and says 'hello'
CVE: Not Available
Bugtraq ID: 7315

Description: The remote host is running a FileMakerPro server on this port. There is a flaw in the design of the FileMakerPro server which makes the database authentication occur on the client side. An attacker may exploit this flaw to gain access to your databases without knowing their password, only by connecting to this port with a rogue client.

Solution: Do not store any sensitive data in your FileMakerPro database.
Risk Factor: High
Copyright: This script is © 2003 Renaud Deraison

-----------------------------------
vulnerable

FileMaker FileMaker Pro 5.0
  - Apple MacOS 8.0
  - Apple MacOS 8.1
  - Apple MacOS 8.5
  - Apple MacOS 8.6
  - Apple MacOS 9.0
  - Microsoft Windows NT 4.0
FileMaker FileMaker Pro 5.5 Unlimited
FileMaker FileMaker Pro 5.5
FileMaker FileMaker Pro 6.0 Unlimited
FileMaker FileMaker Pro 6.0
FileMaker FileMaker Server 5.0
FileMaker FileMaker Server 5.5
----------------------------------

solution ANYONE

cjaeger Posted May 8, 2003

that's what firewalls and vpn connections are made for ...

Rule # 1. do not put any sensitive data anywhere near the web - there is no such thing as a 100% secure web solution.

Leb i Sol Posted May 8, 2003 (Author)

> that's what firewalls and vpn connections are made for ...

I know...but still not good news...VPNs are nice but not always possible - 1/2 static 1/2 DHCP on IPS side : 100% well in some sense everything is over the "wire" however you want to define it

we will see what FM support says...they didn't even know about it is what really scares me not the fact that I have to deal with it

Garry Claridge Posted May 8, 2003

The report seems a bit odd to me.

Re:
> There is a flaw in the design of the FileMakerPro server which makes the database authentication occur on the client side.

Authentication does not occur on the client-side for WebCompanion. It may be referring to a Server running as a service on a particular platform. Maybe they are saying that you can become localhost through that port and then access the database.

Also, why would you leave port 49727 open?

All the best.
Garry

cjaeger Posted May 8, 2003

the flaw affects filemakers ability to connect to remote databases (peer-to-peer or filemaker server), not web companion. so unless you turn multi-user access on, you should be fine ...

Anatoli Posted May 8, 2003

How can you connect to port 49727 with a "rogue client"? What is a rogue client? The whole report talks in strange language.

Anyway, does it affect port 5003? If not, what is the fuss about? Every sensible network has a firewall.

Leb i Sol Posted May 8, 2003 (Author)

Hi People! I am sorry I don't have more info...I am waiting for FM techs to see what they have to say about it.

As far as port # is concerned...well even if you are running just a port 80 it still (in my mind) is an issue. I can't speak of Mac servers but I know that Win based systems will "talk" through port 80, and IF not specified on FireWall, other ports can become open...eg. Kazaa...runs on 1412 (or 1214) but establishes connection using port 80 ... if 1412 is blocked by firewall another "high-number port" is assigned automatically.

Anyway, didn't mean to scare people just was wondering if anyone else has heard of this issue...FM support obviously didn't.

Leb i Sol Posted May 8, 2003 (Author)

unless = yes I do have multi-user since LAN people do most of the DB updates...remote users run off WebCompadre (#80 not #5003 due to speed issues)...sooooo

cjaeger Posted May 8, 2003

sooo block the port on the outside interface, but leave it open for your internal ips ... - provided your server has 2 NICs and an internal firewall ...

or if server is running in a DMZ, i.e. a firewall is forwarding requests on port 80 to your internal FileMaker server, simply block any other ports originating from your inside FileMaker Server and outside 49727.

Anyway, I could not connect to port 49727 on my machine running FMP 6 with Multi-User and Web Companion on ... 5003 and 80 worked ...

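Added example, not part of cjaeger's post or of the original thread: a check a server owner can run against their own host, once from inside the LAN and once from outside, to confirm that the ports named in this thread (80, 5003, 49727) answer only where the filtering described above says they should. The policy table, the function names and the 192.0.2.10 documentation address are assumptions made for illustration.

```python
import socket

# Ports named in the thread: 80 (Web Companion), 5003 (FileMaker multi-user
# access) and 49727 (the port the advisory's detection script connects to).
FILEMAKER_PORTS = (80, 5003, 49727)

# Assumed policy, following the post above: the outside sees only 80,
# the inside also gets 5003, and 49727 is never expected to answer.
EXPECTED_OPEN = {
    "external": {80},
    "internal": {80, 5003},
}


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as closed.
        return False


def audit_exposure(host, vantage, ports=FILEMAKER_PORTS, expected=None,
                   timeout=2.0):
    """Compare reachable ports with the policy for this vantage point.

    Returns {port: "ok" | "UNEXPECTEDLY OPEN" | "unexpectedly closed"}.
    """
    allowed = EXPECTED_OPEN[vantage] if expected is None else expected
    report = {}
    for port in ports:
        is_open = port_is_open(host, port, timeout)
        if is_open and port not in allowed:
            report[port] = "UNEXPECTEDLY OPEN"    # firewall rule missing
        elif not is_open and port in allowed:
            report[port] = "unexpectedly closed"  # service down or over-blocked
        else:
            report[port] = "ok"
    return report


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; use your own server's address.
    for port, status in audit_exposure("192.0.2.10", "external").items():
        print(port, status)
```
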
Leb i Sol Posted May 8, 2003 (Author)

thanx cjaeger...that is good to know

I am not worried about the "network setup" but (see post above) more about potential "port switching through #80" of this issue. As I said the report I got was so vague that it made me a bit worried (not just for FM but other nodes) and on the top of it all....FM reps responded to this issue with a "HA!?...what port?"

I would rather be safe than sorry ...anyway I just thought to share this info even if it turns out to be harmless