Securing your solution (security hole in FMP)

[Deep Thought II]

i dont know whether this issue has been addressed before in FM or here, but here is an issue that's to be awared of if you have customized solutions distributed in some way.

this issue concerns the resetting of passwords for database files made with any version of FileMaker prior to FMP 7v3.

if admin rights are not stripped for the file, a program may "reset" its password and gain administrative access quickly.

in short, this issues concerns:

----- any database files made with FMP prior to 7v3, including runtime solutions

a small password resetting program allows the users to:

----- reset all passwords for all accounts in a database file in a short time (few seconds, actually)

----- gain administrative rights if admin access is not stripped from the file

Solutions to this issue (at the present) are:

----- recreate your database file in FMP 7v3

----- strip away admin account

----- protect your database file by hiding it somewhere

----- encrypt the file in some way using third-party softwares

----- pray that your users dont have such a program

----- etc.

however, any database files created with versions prior to FMP 7v3 are viable for being hacked. even if the admin rights are stripped from the database file, the user may still gain passwords of other accounts once the location of the database file is known.

*** the database file must be *created* in FMP 7v3, using "Recovery" or "File Maintainence" in FMD 7v3 does not convert the file to FMP 7v3.

[Wim Decorte]

There are readmes and at least one TechInfo article that states that using only passwords does not guarantee 100% security.

Physical security of the files (and the machine running FMS) is equally important as strong passwords.

[Reed]

Where did you hear about this? Has FMI acknowledged this?

[Deep Thought II]

not sure if FMI has acknowledged this, but surely the changes they made in FM 7v3 indicates that they might be aware of it, tho not completely certain.

i became aware of one of such programs on internet recently.

[Computer Geek]

I think that passaware does exactly what you said for $40 bucks. There should be some threads from about a month or so ago if you want more information.