If I type this command into my browser address bar I get a full list of all the databases I am serving on the website

fmpro?-dbnames=&-format=-dso_xml

If I type this command into my browser address bar I get a complete listing of every field name and all the data stored in the database.

FMPro?-db=database.fp5&-format=-dso_xml&-max=all&-Findall

I am even able to change the command to this

FMPro?-db=database.fp5&-format=-dso_xml&-RecId=34319&-Delete

and delete the record.

Are there any FileMaker Web Security documents out there?

How can I prevent this from happening?

Many Thanks In Advance

The listing of database names and field names is a known issue -- many db systems do this to enable ODBC (and other stuff) to work. Allowing other people to find out file and field names shouldn't be a security risk -- unless your main strategy is stealth of course! Stealth is never a good strategy by itself.

The -delete is only possible because the database either has no password security or you are already logged-in with a password that allows delete privileges.

RE: The listing of database names and field names is a known issue -- many db systems do this to enable ODBC (and other stuff) to work. Allowing other people to find out file and field names shouldn't be a security risk

----------------

That is not so bad.

What is bad is that anyone can display all the complete data from every database which is served to the web. It is without formatting, in "raw" form, and all I can say is that FileMaker Inc. did a very lousy security job with this non-existent protection.

Hopefully our server guy is working on a solution for us. He successfully blocked that part, but with his filter running we cannot (yet) post any data to our databases from browsers.

Anatoli -- How? Doesn't the password stop them? If there is no password for browse/export then it's fine.

Metadata about any FileMaker Pro 5 or FileMaker Pro 5.5 file served to the web can be called with an appropriate URL.

The delete item is another issue; the file probably should not allow this to occur. This is a password privilege issue.

HTH

Old Advance Man
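
An added example, not part of the thread and not FileMaker's own code: a sketch of the kind of front-end request filter mentioned above, written so that it refuses the three URLs from the first post while still letting a form POST through, and meant to sit alongside the password privileges discussed in the replies rather than replace them. The database name `guestbook.fp5`, the format file names and the list of allowed actions are constructed site policy, assumed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Site policy: constructed values, assumed for this example only.
ALLOWED_DBS = {"guestbook.fp5"}
ALLOWED_FORMATS = {"thanks.htm", "results.htm"}   # the site's own format files
ALLOWED_ACTIONS = {"-new", "-find"}               # what the public forms submit
PARAM_TAGS = {"-db", "-lay", "-format", "-max", "-recid"}  # tags carrying a value


def check_request(url, body=""):
    """Return (allowed, reason) for one HTTP request.

    url  -- request URL, such as the ones typed into the address bar above
    body -- urlencoded POST body, so form submissions get the same check
    """
    parts = urlsplit(url)
    if parts.path.lower().rsplit("/", 1)[-1] != "fmpro":
        return True, "not a Web Companion request"

    # parse_qsl percent-decodes names and keeps valueless tags like -Findall.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)

    actions = []
    for name, value in pairs:
        tag = name.strip().lower()
        if not tag.startswith("-"):
            continue                      # ordinary field data from a form
        if tag == "-db" and value.lower() not in ALLOWED_DBS:
            return False, "database not published: " + value
        if tag == "-format" and value.lower() not in ALLOWED_FORMATS:
            return False, "format not allowed: " + value
        if tag not in PARAM_TAGS:
            actions.append(tag)           # default deny: unknown tag = action

    if len(actions) != 1:
        return False, "expected exactly one action tag, got %r" % actions
    if actions[0] not in ALLOWED_ACTIONS:
        return False, "action not allowed: " + actions[0]
    return True, "ok"
```

Because the built-in XML formats are simply absent from the format allow-list, the raw dump is refused without blocking form submissions that name one of the site's own format files.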
