This topic is 8387 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Posted

If I type this command into my browser address bar I get a full list of all the databases I am serving on the website

fmpro?-dbnames=&-format=-dso_xml

If I type this command into my browser address bar I get a complete listing of every field name and all the data stored in the database.

FMPro?-db=database.fp5&-format=-dso_xml&-max=all&-Findall

I am even able to change the command to this

FMPro?-db=database.fp5&-format=-dso_xml&-RecId=34319&-Delete

and delete the record.

Are there any Filemaker Web Security documents out there?

How can I prevent this from happening?

Many Thanks In Advance
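A defender's view of the three request types shown in the post, as an added example that is not code from this thread or from FileMaker: a small scanner that flags Web Companion (FMPro CGI) requests in web-server access logs. The log lines are constructed samples and the severity labels are my own choice.

```python
# Added example (not from the original thread): flag FileMaker Web Companion
# (FMPro CGI) requests in web-server access logs. Log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2002:10:01:02 +0000] "GET /fmpro?-dbnames=&-format=-dso_xml HTTP/1.0" 200 512
203.0.113.5 - - [10/Mar/2002:10:01:09 +0000] "GET /FMPro?-db=database.fp5&-format=-dso_xml&-max=all&-Findall HTTP/1.0" 200 904211
203.0.113.5 - - [10/Mar/2002:10:02:33 +0000] "GET /FMPro?-db=database.fp5&-format=-dso_xml&-RecId=34319&-Delete HTTP/1.0" 200 210
198.51.100.7 - - [10/Mar/2002:10:03:00 +0000] "GET /FMPro?-db=database.fp5&-lay=web&-format=results.htm&-max=10&-find HTTP/1.0" 200 3120
198.51.100.9 - - [10/Mar/2002:10:04:00 +0000] "GET /index.html HTTP/1.0" 200 1200
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Web Companion actions from the thread, lower-cased, with a severity label
# (labels are my own choice). -findall with -max=all dumps every record.
SEVERITY = {
    "-dbnames": "enumeration",  # lists every hosted database
    "-findall": "bulk-dump",    # returns all records of -db
    "-delete": "destructive",   # deletes the record named by -recid
}

def classify(path):
    """Return (severity, db, action) for an FMPro request, else None."""
    parts = urlsplit(path)
    if "fmpro" not in parts.path.lower():
        return None
    # keep_blank_values keeps bare actions such as "-dbnames=" and "-Findall"
    q = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for action, severity in SEVERITY.items():
        if action in q:
            if action == "-findall" and q.get("-max", [""])[0].lower() != "all":
                severity = "bulk-dump(limited)"
            return severity, q.get("-db", [""])[0], action
    return None

def scan(log_text):
    """Return a list of (client_ip, severity, db, action) for flagged requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        hit = classify(m.group(2)) if m else None
        if hit:
            findings.append((m.group(1),) + hit)
    return findings
```

Running `scan(SAMPLE_LOG)` flags the three requests from the post (enumeration, bulk dump, delete) and ignores the ordinary layout-bound find and the static page.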

Posted

The listing of database names and field names is a known issue -- many db systems do this to enable ODBC (and other stuff) to work. Allowing other people to find out file and field names shouldn't be a security risk -- unless your main strategy is stealth of course! Stealth is never a good strategy by itself.

The -delete is only possible because the database either has no password security or you are already logged-in with a password that allows delete privileges.

Posted

RE: The listing of database names and field names is a known issue -- many db systems do this to enable ODBC (and other stuff) to work. Allowing other people to find out file and field names shouldn't be a security risk

----------------

That is not so bad.

What is bad is that anyone can display all the complete data from every database which is served to the web. It is without formatting, in "raw" form, and all I can say is that FileMaker Inc. did a very lousy security job with this non-existent protection.

Hopefully our server guy is working on a solution for us. He successfully blocked that part, but with his filter running we cannot (yet) post any data to our databases from browsers.

Posted

Anatoli -- How? Doesn't the password stop them? If there is no password for browse/export then it's fine.

Posted

Metadata about any FileMaker Pro 5 or FileMaker Pro 5.5 file served to the web can be called with an appropriate URL.

The delete item is another issue; the file probably should not allow this to occur. This is a password privilege issue.

HTH

Old Advance Man
