
Posted

Exactly how secure is the Web Companion? Is it extremely susceptible to hack attacks? What if you take all security precautions: for example, having your databases outside of the FM Web folder; using filemaker access privileges, and so on. If you use SSL and block viewing of credit card number fields. Will it be really secure?

Are there a lot of people cracking Web Companion? Any comments would be greatly appreciated. Thanks in advance.

Posted

quote:

Originally posted by Keith M. Davie:

How secure is anything which is available via the web?

SIMPLIFY ...

Keith

Yes that is true, but what I'm saying is, if I'm thinking of running an e-business on a filemaker platform through web companion. They say that web companion isn't really secure, but if I take all the precautions I listed in the first post, I want to know what I will have to look out for in terms of weaknesses and so on. Not specifics, but generally speaking.

Posted

Did you hear of someone successfully breaking into WebCompanion?

It depends on which doors you will close, shut and lock and what you will leave wide open.

In any case, what could happen in your worst scenario?

For secure transaction you must use WebConnector and some SSL server.

Posted

I would be more worried about your web server software! If you are using IIS make sure you patch regularly, and learn how to admin it properly.

Have a look at the W3C site and the many "hacking" web sites that are out there (I'd recommend doing the latter with a personal firewall!!!!). You'll get to know what has holes and where they are in your chosen box.

I use Mac, WebSTAR, Lasso and of course FMPro and I still haven't found any cracks, hacks or otherwise to worry about, and as long as the admin is sound (log access, FTP, Mail etc) it's as secure as you're gonna get!

Posted

Anatoli is right, it is unlikely someone will hit your online shop when there are more "high profile" and visible targets out there.

Our system (SMTP server) was hit by spammers; they found a way in through a hole I had inadvertently left open and were using us to relay their spam mail.

It's worth making sure you know where problems can arise, to save the egg-on-face factor if nothing else!!!!

Posted

Hey guys,

Thanks for the info. It sure makes me feel safer, but I have one question. If it's so safe, then why does the Filemaker site and the documents give so much cautionary notes about using Web Companion?

That's what makes me nervous.

Posted

quote:

Originally posted by proton:

Hey guys,

Thanks for the info. It sure makes me feel safer, but I have one question. If it's so safe, then why does the Filemaker site and the documents give so much cautionary notes about using Web Companion?

That's what makes me nervous.

They are protecting their a**. Their FM web team is behind you guys 10 years.

Posted

quote:

Originally posted by Proton:

What if you take all security precautions: for example, having your databases outside of the FM Web folder...


You don't have to have your databases in your FM Web folder? Can somebody please tell me more about this.....!

Thanks...

[ May 21, 2001: Message edited by: krishan ]

Posted

quote:

Originally posted by krishan:

You don't have to have your databases in your FM Web folder? Can somebody please tell me more about this.....!

Thanks...

[ May 21, 2001: Message edited by: krishan ]

No, you don't have to have your database in your web folder... and you absolutely should not have it there. The web folder is susceptible to attack. Once Web Companion Sharing is set up for the database and it is open in Filemaker, then it can be accessed by Web Companion.

Also, guys, I think ya'll are a little easy in the sense that ya'll say "Who's going to break into my little unimportant webshop when there's bigger targets out there." But the thing is, the webshop isn't important. The credit card and personal data you keep on customers is. Also, yes, there are bigger targets out there like Amazon and so on, but bigger targets also have bigger budgets to spend on security, and a hacker looking for an easy score hits more smaller stores than bigger ones, simply because there are more small fish than big fish, and also because the security will be less daunting.

So I think the size of the store is irrelevant. "Prevention is better than cure" as they say...

Oh I almost forgot, here's a link to a document on Filemaker Web Security. Good reading for anyone interested:

http://www.filemaker.com/downloads/pdf/web_security_tips.pdf

Just thought I'd put that in.

[ May 22, 2001: Message edited by: proton ]

Posted

quote:

Originally posted by Proton:

The web folder is susceptible to attack.


Okay... thanks. Would you be able to tell me exactly "How" it is susceptible to attack? I've got WebCompanion on port 976. Does it make a difference if your port number is 80 or something else? What port numbers are available for use so that they don't create a conflict?

quote:

Taken from the web_security_tips.pdf:

Never store databases in the FileMaker Pro 5 Web folder, as any databases in this folder are visible over the web.


So... what is the point of the web folder?

I only have three databases which are meant to be accessed via the web. So, if these databases are meant to be accessed is it okay to have them in the web folder? Obviously, I don't want unauthorised people to view the databases.

Thanks!

Posted

Well Krishan, the web folder is kinda like a web folder containing web pages on a regular webserver. So any knowledgeable person wanting access badly enough, can pretty much get in if they wanted. Changing the port is good, but if they port scan the hosting machine and it doesn't have firewall protection, they can discover which port you are using.

You can use any standard port number to host. If you are also hosting a regular webserver on the same system, then port 80 would be out, and port 21 if you're hosting a regular FTP server and so on. Filemaker actually has a port reserved for them. I forget the number of the port, but you can use any port once it's free.

The point of the web folder is to contain the web pages that you use to interact with the databases. You can store the databases outside of the web folder, but the web pages (CDML or whatever), and any web graphics HAVE to be in the web folder or a sub folder in the web folder. Hope this helps.

Oh, one more thing Krishan. No matter who you want to access your databases, do not store them in the web folder. Once you set up sharing with web companion and filemaker is open and the databases are open, your users can access them through the web pages. If your databases are in your web folder, an unauthorised person can get in the folder and download your databases to their machine, or delete them, or any number of unsavoury things.

[ May 22, 2001: Message edited by: proton ]

Posted

That article completely ignores all possible steps in HTML to make the system better and safer by design.

The end part is quite valid though: SSL, WebConnector, databases behind firewall etc.

Posted

Anatoli once told me to use:

1) Chromeless windows

2) Forced Frames

3) Disable Right Click

....which was great advice.

I also use the no cache meta tag.

[ May 22, 2001: Message edited by: Krishan ]

Posted

quote:

Originally posted by Krishan:

Anatoli once told me to use:

1) Chromeless windows

2) Forced Frames

3) Disable Right Click

....which was great advice.

I also use the no cache meta tag.

[ May 22, 2001: Message edited by: Krishan ]

Thank you Krishan.

1) Chromeless windows -- the user cannot fiddle with the URL line

2) Forced Frames -- Even when the user is clever and copies the URL, changes it to something and pastes it into a blank window, he/she will not see the result, because the page he/she is calling will call the proper Frameset.

3) Disable Right Click -- for PC users, again another restriction. This depends on JavaScript, as do the other bits, but he/she cannot go to the page with JS off. That will throw them again to the start Frameset.

Then we have Inlines and other techniques....

Posted

quote:

Originally posted by scratchmalogicalwax:

You can always start using Inline actions.

It can hide a lot or all of the database and field info from the user.


What is "Inline"? ....I also read on another topic that it could be used for logs.

Thanks.

[ May 22, 2001: Message edited by: Krishan ]

Posted

InLine is just instructing the server to do something useful, and the user will see just the result.

If you instruct the server from an HTML page, it is always via a link or a form.

From CDML Reference:

What it does

[FMP-InlineAction] allows the processing of multiple CDML requests during the processing of a single format file. The [FMP-InlineAction] tag takes as its parameters the URL-like format of the name value pairs for a CDML request. All further processing of the format file then continues as if the inline request started the processing.

When the [/FMP-InlineAction] is processed the request that was in effect previously is restored. Any -Format tags are ignored in the request. [FMP-CurrentError] contains the error result number of the last [FMP-InlineAction]. Any FMP-ContentMIMEType or FMP-Header tags inside any [FMP-InlineAction] tags are processed as if they were not inside any [FMP-InlineAction] tags.

<!-- Log page hits in another database -->
[FMP-InlineAction: -db=log.fp5, -lay=web, time="{CurrentTime}", date="{CurrentDate}",
page="This page!", browser="{ClientType}", ip="{ClientIP}", -new]
[/FMP-InlineAction]
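Once an inline action like the one above is writing page hits into log.fp5, somebody has to read them. What follows is an added example, not code from the thread or from FileMaker: a small Node.js script that parses an export of such a log (the five fields of Anatoli's tag: date, time, page, browser, ip, assumed here to be tab-separated with ISO dates, since FileMaker's export format depends on locale settings) and flags an address that requests many pages within one minute. The sample records, the one-minute window and the threshold of 20 hits are constructed for this example.

```javascript
// Added example, not from the thread: read a log.fp5 export (date, time, page,
// browser, ip) and flag source addresses that hit the server in bursts.
// Field layout, export format, window and threshold are assumptions of this example.
const WINDOW_MS = 60 * 1000; // look at hits falling within one minute
const THRESHOLD = 20;        // more hits than this from one IP inside the window is flagged

// Constructed sample export: one record per line, tab-separated, ISO date and time.
const SAMPLE_LOG = [
  // ordinary browsing from one client, spread over several minutes
  '2001-05-22\t10:00:05\tuserhome.html\tMozilla/4.0\t192.168.1.20',
  '2001-05-22\t10:01:10\tprofile.html\tMozilla/4.0\t192.168.1.20',
  '2001-05-22\t10:03:42\tsearch.html\tMozilla/4.0\t192.168.1.20',
  // one client requesting the login page 25 times in 25 seconds
  ...Array.from({ length: 25 }, (_, i) =>
    `2001-05-22\t10:05:${String(i).padStart(2, '0')}\tlogin.html\tcurl/7.9\t10.0.0.5`),
].join('\n');

// parseLog(): turn the export text into records with a numeric timestamp (ms since epoch).
function parseLog(text) {
  return text
    .split('\n')
    .filter(Boolean)
    .map((line) => {
      const [date, time, page, browser, ip] = line.split('\t');
      return { ts: Date.parse(`${date}T${time}Z`), page, browser, ip };
    });
}

// findBursts(): for each IP, slide a window over its sorted timestamps and keep the
// largest number of hits that fit inside windowMs; report IPs that exceed threshold.
function findBursts(records, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const byIp = new Map();
  for (const r of records) {
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r.ts);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let best = 0;
    let bestStart = null;
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      // advance the window start until the oldest hit is within windowMs of the newest
      while (times[hi] - times[lo] > windowMs) lo++;
      const count = hi - lo + 1;
      if (count > best) {
        best = count;
        bestStart = times[lo];
      }
    }
    if (best > threshold) {
      flagged.push({ ip, count: best, start: new Date(bestStart).toISOString() });
    }
  }
  return flagged;
}

// Stand-alone run: prints the flagged addresses for the constructed sample.
console.log(findBursts(parseLog(SAMPLE_LOG)));
```

Run it with `node` and the constructed sample yields a single flagged entry for 10.0.0.5 with 25 hits. The window and threshold should be tuned to what a real visitor of the site does; the point is that the log the inline action writes is only useful if something reads it back.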

Posted

Wow! This HTML thing is important stuff. I'm already using Frames, but not forced frames. I don't know this Chromeless Windows thing. Can ya'll go into more detail about that?

This is turning out to be very informative. I put some things in place with regards to HTML, but not as much as ya'll have stated here. My thought was I was trying to avoid using java/javascript on my webpages, in case the user has it turned off. Hmm...but if I'm considering security...hmm..will have to look at this seriously. Thanks Anatoli.

One thing I do..just to mention here..I didn't use the Web Security Database. I created my own login system with a login database. When the user comes in they are presented with a login page where they enter their username and password. This creates a new record in the login database which is related to the member database, which compares the username and password and then, if they match, it logs them in to the database, otherwise it takes them to an error page with a link back to the login page.

Also, it creates a cookie on their system containing a unique, fairly complex I.D. and it also pastes this same value in their record in the member database, and deletes the login record they created in the login database.

The login database therefore contains no records mostly. It temporarily has a record to facilitate validation and initiate login, then it deletes the record.

The I.D. is used to track the session. If the user bookmarks the webpage, and closes the session, if they re-open the browser and try to load the bookmarked page, it will compare the cookie (which is set to expire when they close the session) with the cookie in their member record, which obviously won't match, so it knows they didn't log in, and takes them back to the login page.

This cookie is also essential to edit member data/profile, so the value in the cookie and the value in the member database have to match, and this can only be done by going through the login web pages.

That's one of my solutions.

Posted

Hi.

Well, I'm not sure if I'm doing this properly but I hope Anatoli will tell me if I'm wrong!

For chromeless, I just paste the following code in between the <head> tags of the index page:

code:

<script language="Javascript">
<!--//
function popup(){
  window.open("frameset.html","myWin","width=1000,height=700,resizable=no,scrollbars=no,menubar=no,status=no,directories=no");
}
//-->
</script>

...and then in the <body> of the html I write:

code:

<a href="javascript:popup()">ENTER</a>

For Forced Frames, I put the following code in between the <head> tags, on every single web page:

code:

<script language="JavaScript">
if (top == self) self.location.href = "noaccess.html";
</script>


I think Anatoli redirects the user back to the original frameset... but I've decided to redirect them to a "No Access" page.

For no right click, I'm planning on using the following code:

code:

<script language="JavaScript">
var msg="mouse right click disabled.\n\n(or any message you want)";
function click(e) {
  if (document.all) {          // Internet Explorer 4+
    if (event.button == 2) {
      alert(msg);
      return false;
    }
  }
  if (document.layers) {       // Netscape 4
    if (e.which == 3) {
      alert(msg);
      return false;
    }
  }
}
if (document.layers) {
  document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=click;
</script>


And for no cache, I just place the following code in between the <head> tags:

code:

<META HTTP-EQUIV="expires" CONTENT="0">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">


So, am I doing this right? It would be great to get some feedback!

Proton, your user login system sounds very good! I don't know much about cookies but I'll have to learn more.....

However, I don't use cookies because I don't like the idea of storing any data about a web page on a computer (which someone else might see/use)....

I use a simple login system where the Users.fp5 database has the field "Signed", which can either have the value "In" or "Out". That value is "Out" by default. After the user has entered his username and password and they both match on the Users.fp5 database, he is then taken to another web page to continue signing in. The link to continue signing in basically edits the "Signed" field to "In". And on each web page I use a [FMP-If] tag. If the field equals "In" then it shows the usual html. If the field equals "Out" then it shows the re-login html. And when the user signs "Out" he just re-edits the field.

I hope to finalise my applescripts which will automatically make that field to equal "Out" four hours after a user has signed "In". I plan on using this as a way of timing out users and ensuring that all Users are logged out even if they do not click the "sign out" button.

I think the FM Web Security is useful because it allows you to give specific privileges to individual or all users on both a database and field level. So you can specify that all users are not allowed to -edit a specific field. So even if they manage to create their own format web pages, it limits the damage they can do. I think by default, FM Pro just allows all the fields to be edited, searched, etc. but if you use Web Security then you can deny actions to specific fields. I don't know that much though because I haven't started to use this yet.... but I intend to...

Well, I hope people will point out my mistakes!

[ May 22, 2001: Message edited by: Krishan ]

Posted

Anatoli....

Thanks for the info about Inline actions. I had read the CDML reference before but it didn't make sense.

The logging system sounds really good... I'll have to create that.

So does the Inline action work like this?........

[FMP-InlineAction: -db=log.fp5, -lay=web, time="{CurrentTime}", date="{CurrentDate}",
page="This page!", browser="{ClientType}", ip="{ClientIP}", -new]
".........ALL OF MY LINKS........."
[/FMP-InlineAction]

I tried this and it doesn't seem to work.... I'm a bit lost, can someone help?

[ May 23, 2001: Message edited by: Krishan ]

Posted

quote:

Originally posted by Anatoli:

That article completely ignores all possible steps in HTML to make the system better and safer by design.

The end part is quite valid though: SSL, WebConnector, databases behind firewall etc.

Anatoli: What do you mean about possible steps in HTML to make the system better and safer by design? Can you give me some info on that? Thanks.

Posted

RE: So does the Inline action work like this?........

[FMP-InlineAction: -db=log.fp5, -lay=web, time="{CurrentTime}", date="{CurrentDate}",
page="This page!", browser="{ClientType}", ip="{ClientIP}", -new]
".........ALL OF MY LINKS........."
[/FMP-InlineAction]

-----------------------------

It will be just:

[FMP-InlineAction: -db=log.fp5, -lay=web, time="{CurrentTime}", date="{CurrentDate}",
page="This page!", browser="{ClientType}", ip="{ClientIP}", -new]
[/FMP-InlineAction]

THEN

".........ALL OF MY LINKS........." the whole page here.

You can think of InLine as BTW stuff. You are using your old page as it was, and as the first line you insert the Inline LOG -- BTW (By the way, write a log about access to this page) and then continue the standard page as it was.

I will try to write a small manual about passive Security. Everyone can use it for free.

I am just asking for a small bit of help with my English. My English passport did not come with an English Language Brain Module.

It will be posted probably tomorrow.

Posted

Hey, thanks a lot Anatoli. I'll try out the InlineAction now.... hopefully it'll work!

quote:

Originally posted by Anatoli:

I will try to write a small manual about passive Security. Everyone can use it for free.

I am just asking for a small bit of help with my English.


I'm willing to help.... I just hope my English is good enough.

Posted

<HTML>
<HEAD>
</HEAD>
<BODY>
<!-- the inline action goes first in the body; the page content follows it -->
[FMP-InlineAction: -db=prtzlog.fp5, cust={CurrentToken: 3}, TZnSz=SEA, -New] [/FMP-InlineAction]
</BODY>
</HTML>

That is my working version

Posted

I said that I had "tried placing it before the <Head> tag and straight after the <Body> tag."

I actually meant that I had tested the InlineAction twice, on each occasion placing the tag in two different places.

First I placed the InlineAction before the <Head> tag at the top of the page.

Then I tried using the InlineAction just like how Anatoli described above; straight after the <Body> tag.

I never had my <Head> tag after my <Body> tag, lol.... I guess my English really is that bad!

Posted

I'm really lost now. I'd be really grateful for some more help.

I have created a log.fp5 database with a layout called "web" and it has the fields "time", "date", "page", "browser" and "ip". It is shared via Web Companion. I have added the InlineAction code under my <body> tag just like below:

code:

<body bgcolor="#FFFFFF" text="#000000">
[FMP-InlineAction: -db=log.fp5, -lay=web, time="{CurrentTime}", date="{CurrentDate}",
page="This page!", browser="{ClientType}", ip="{ClientIP}", -new]
[/FMP-InlineAction]
..... and then the rest of my web page.....


But it still doesn't work. Records aren't being created in my log.fp5 database when I use my links.

Can somebody please help me?

Posted

quote:

Originally posted by Anatoli:

I will try to write a small manual about passive Security. Everyone can use it for free.

I am just asking for a small bit of help with my English. My English passport did not come with an English Language Brain Module.

It will be posted probably tomorrow.

Anatoli,

I'll be looking forward to seeing that manual. That would be great. If you need help with the english, no problem.

I got the English Language Brain Module, but not the English passport..hahahah..just kidding...

Posted

I just tried using the InlineAction again and it doesn't seem to work.

Where exactly do I place the following code?

code:

[FMP-InlineAction: -db=log.fp5, -lay=cgi, time="{CurrentTime}", date="{CurrentDate}",
page="userhome.html", browser="{ClientType}", ip="{ClientIP}", -new]
[/FMP-InlineAction]


I've tried placing it before the <Head> tag and straight after the <Body> tag. But nothing seems to work; a new record is not created in my log.fp5 database.

Does anybody have an idea what my problem could be? Thanks.
