
Security Hole


iain

This topic is 8199 days old. Please don't post here. Open a new topic instead.


If I type this command into my browser address bar I get a full list of all the databases I am serving on the website:

fmpro?-dbnames=&-format=-dso_xml

If I type this command into my browser address bar I get a complete listing of every field name and all the data stored in the database:

FMPro?-db=database.fp5&-format=-dso_xml&-max=all&-Findall

I am even able to change the command to this

FMPro?-db=database.fp5&-format=-dso_xml&-RecId=34319&-Delete

and delete the record.

Are there any Filemaker Web Security documents out there?

How can I prevent this from happening?

Many Thanks In Advance


The listing of database names and field names is a known issue -- many db systems do this to enable ODBC (and other stuff) to work. Allowing other people to find out file and field names shouldn't be a security risk -- unless your main strategy is stealth of course! Stealth is never a good strategy by itself.

The -delete is only possible because the database either has no password security or you are already logged-in with a password that allows delete privileges.


RE: The listing of database names and field names is a known issue -- many db systems do this to enable ODBC (and other stuff) to work. Allowing other people to find out file and field names shouldn't be a security risk

----------------

That is not so bad.

The bad part is that anyone can display all the data from every database that is served to the web. It comes back without formatting, in "raw" form, and all I can say is that FileMaker Inc. did a very lousy security job with this non-existent protection.

Hopefully our server guy is working on a solution for us. He has successfully blocked that part, but with his filter running we cannot (yet) post any data to our databases from browsers.


Metadata about any FileMaker Pro 5 or FileMaker Pro 5.5 file served to the web can be called with an appropriate URL.

The delete item is another issue; the file probably should not allow this to occur. This is a password privilege issue.

HTH

Old Advance Man
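Until the file's password privileges are tightened (as the replies above recommend), an admin will at least want to know when the request shapes quoted in this thread hit the web server. The following is an added example written for this thread, not code from FileMaker or from any poster: it scans Apache-style access-log lines (constructed samples below) for Web Companion requests and classifies the ones that enumerate databases, dump every record, or delete a record. It assumes FMPro treats the path and the action tokens case-insensitively, since the thread itself mixes "fmpro" and "FMPro".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format) that mirror the
# three URLs quoted in the thread plus an ordinary CDML find; hosts, times and
# byte counts are made up for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:01:02 +0000] "GET /fmpro?-dbnames=&-format=-dso_xml HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2002:10:01:09 +0000] "GET /FMPro?-db=database.fp5&-format=-dso_xml&-max=all&-Findall HTTP/1.0" 200 81234 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2002:10:02:30 +0000] "GET /FMPro?-db=database.fp5&-format=-dso_xml&-RecId=34319&-Delete HTTP/1.0" 200 300 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2002:10:03:00 +0000] "GET /FMPro?-db=database.fp5&-lay=web&-format=list.htm&-max=10&-find HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2002:10:03:05 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Action tokens seen in the thread and what each one exposes. Matched
# case-insensitively (assumption: Web Companion ignores case in these tokens).
RISKY_ACTIONS = {
    "-dbnames": ("enumerate", "lists every hosted database"),
    "-findall": ("dump", "returns every record in the database"),
    "-delete": ("destroy", "deletes a record"),
}

def classify_request(target):
    """Return (kind, detail, db) for an FMPro request, or None for any other path."""
    parts = urlsplit(target)
    if parts.path.lower().rstrip("/").split("/")[-1] != "fmpro":
        return None
    # keep_blank_values=True keeps bare tokens such as "-Findall" and "-dbnames=".
    qs = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    db = qs.get("-db", [""])[0]
    raw_xml = qs.get("-format", [""])[0].lower() == "-dso_xml"
    for token, (kind, detail) in RISKY_ACTIONS.items():
        if token in qs:
            if token == "-findall" and qs.get("-max", [""])[0].lower() == "all":
                detail += " (unbounded, -max=all)"
            return (kind, detail + (", raw XML" if raw_xml else ""), db)
    return ("query", "ordinary CDML request", db)

def scan_log(text):
    """Yield (ip, status, kind, db) for every risky FMPro request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict and verdict[0] != "query":
            findings.append((m["ip"], m["status"], verdict[0], verdict[2]))
    return findings
```

A 200 status on a "destroy" or "dump" finding means the file answered the request, which is the password-privilege problem the replies describe rather than a web-server one.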
