
This topic is 8107 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Posted

quote:

Originally posted by chazboi:

Yes you are right (as far as I know). The field restrictions should stop individual fields from being viewed.

The major problem with the field restrictions is that they are not specific to a layout or CDML format file (it would be so nice if -raw, etc. didn't exist). Therefore, information that you need to show on a restricted basis, such as after you log in, cannot be hidden using the don't show attribute. For that, you need to use relationships that are only valid once certain information has been filled in.

Posted

Yes, but access is still restricted by _user permissions_ per DB via the Web Security Database.

So it doesn't matter what layout is used (even -Raw), they still need the user/pass to access the data.

The danger is only in a user that holds a valid pass trying to use -Raw to access another user's data.

I've heard Lasso has better security, and no -raw command; if strong security is an issue, it might be worth switching to.

  • 5 months later...
Posted

I like this from http://www.duwawa.com/???

quote:

Thanx to all the people from the FM Forums that helped me crack the code! Especially to Anatoli for NOT believing me, and Eric Rasmussen who found a whole load of "undocumented features" in FMP WC 5.5 that will be utilised in the next release. Thanx guys.

Did I NOT believe you? Not really. I just wanted to get the whole scope of the FM security problem, and in that line I was just asking questions like "what next?" and "what can you do with that gained knowledge about my databases?" etc., and finally we are progressing :)

Posted

Well done Charlie. I just downloaded "D-BASE" and have been trying it with my databases. It is a great tool for keeping track of your database solutions.

All the best. Shame about school slowing you down!

Thank you.

Garry

Posted

BTW, chazboi

second post is mine:

OK, what Charlie described is true. Now, what can anyone do harmful armed with all this knowledge?

Not exactly "...Anatoli for NOT believing me..."

;)

Posted

I believe that having database names, layouts, scripts and field names is commercially harmful. This is because a sense of doubt has crept into the quality of security for the site that is being developed for a client.

On some sites it is not feasible to have everybody log in, hence "All Users" have "Browse" rights. This is when the problems occur with -raw and -fmp_xml. (Using InLine tags, with embedded username and password, may help alleviate this problem.)

BTW Anatoli, do you ever go to bed? ;)

All the best.

Garry

Posted

Good work Charlie! Looks great...I especially like having my related fields listed. Gives me less opportunity for typos or having to always double-check what my relations are named.

Posted

Thanks everyone who downloaded D-Base. I have put up a quick update for those of you whose servers froze up when interrogating scripts. Version 1.0.2 is now available at Duwawa. The problem was D-Base wasn't sending a full set of HTTP headers to the server and resulted in the server getting confused! Another bug in FMP! :D

Charlie :P

Posted

Hey everyone! :)

Chazboi... cool photo of you and your Titanium laptop! 8)

quote:

Originally posted by John May - Point In Space:

As far as I can tell, Lasso (even with the CDML compatibility module) doesn't allow usage of the -raw action.


I could only go as far as:

http://thehost/action.lasso?-dbnames

http://thehost/action.lasso?-db=[DATABASE-NAME]&-layoutnames

And I couldn't get the Field and List Values from my lasso server.

Hmmm.... why don't all of you use Lasso if you're worried about a security risk?

I think Anatoli believed you Chazboi! He was just wondering how you would go about using this info to do harm. He was moving onto the next step. This topic is called "Security Loophole".

I don't think Anatoli viewed the availability of his database names, layout names and field names as a security loophole. It depends if the info in the databases, which are shared via the web, is confidential and private. I think Anatoli doesn't have any sensitive info available via the web so in that case, where is the security loophole?

That's my thinking.... but I could be very wrong!!! Yup... haha...

:D

Anybody know any security loopholes with Lasso? :)

[ January 09, 2002: Message edited by: Krishan ]

Posted

Krishan you are right in your assumptions.

Lasso IS expensive. Lasso doesn't work with 8-bit character languages like Central European ones.

WC doesn't either, but it is easy to modify WC to do that, or translate fields via script to another charset so it is OK on the web. BTW, FileMaker fails miserably in this department and I CAN SAY LOUDLY: DOESN'T CARE! OAM that is true! ODBC fails to deliver CE languages without my workaround.

Now we are developing the "Security patch" and it is 50% ready.

FM is for us sort of: pay the full price and finish all the stuff necessary for a smooth workflow on your own :)

Back to Lasso -- it is still a single/multi-thread application, because it relies on single-threaded FM.

[ January 09, 2002: Message edited by: Anatoli ]

Posted

I only KNOW that it affects FMP 4.1 and above. I haven't tested it on any system previous to 4.1. I do know that the feature was included for use on the Claris Home Page assistants. So I assume that it will be on all versions that came out after Claris Home Page 1.0 was released. I don't think it matters though!

  • 5 weeks later...
Posted

Ok, Let's face it. This is perhaps the most significant thread which was started in 2001. Thanks chazboi.

I understand how to force data from any db accessed through WC, so the data is not protected.

However chazboi you wrote, "If they do have access to scripts on the Security Database, they can perform any script as long as they know the name of it, which with this knowledge you can find out easily."

How can they perform any script as long as they know the name of it? I've tried several things and am unable to get those results.

-----------

And for the question of FMPro 4 being accessible in this way, it most certainly is. So I know when I announce my address next week, probably Mon, several of you will be trying to find out what you can there.

One thing I know is that certain db's which are pertinent to my solution are not visible as they are not WC connected.

Posted

Regarding FMPro 4.0 on the web, chazboi's d-base will show the three FMPro security databases in the list of db's. Interestingly the fields and layouts will not appear.

Similarly, using the force code on these three db's to try to reveal the data I have been unable to show anything but error codes.

Clearly then, FMI has a way of keeping this data private. Makes one wonder why we cannot do the same. But if we know how to do it, we could probably figure out how to undo it, including FMI's solution.

Posted

We are in final development stage of our Security Filter for Windows and FM5 Unlim. It works very fast taking just 1% of power from total FM load.

Last build (131) sustained heavy load from two browsers in JavaScript loop and 3:1 ratio of get/put pages.

The test is on 2 PC connected via 100Mb Ethernet, so it is at maximum WC output per second.

It is filtering all "hacking" syntax we know and displays just simple HTML error page.
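The filter Anatoli describes above, refusing the enumeration and raw-dump syntax this thread is about (-dbnames, -layoutnames, -scriptnames, -format=-raw, -format=-fmp_xml) and answering with a plain HTML error page, can be sketched as a small gate in front of Web Companion. This is an added example, not Anatoli's Security Filter and not FileMaker code. It assumes CDML tokens are compared case-insensitively after full URL-decoding, that any -format value beginning with "-" is a built-in WC format rather than a developer's .htm file, and that the access-log lines are constructed for the demo in Apache common log format; none of that is stated on the page.

```python
"""Request filter for FileMaker Web Companion (WC) CDML traffic.

Added example; not Anatoli's Security Filter and not FileMaker code.
It refuses requests carrying the structure-enumeration or raw-dump
syntax discussed in the thread and answers with a plain HTML error page,
then runs the same rules over access-log lines to find past probing.

Assumptions (not from the page): tokens are compared case-insensitively
after full URL-decoding; any -format value starting with '-' is treated
as a built-in WC format; the sample log below is constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Actions that enumerate structure, and built-in output formats that dump
# records without going through the developer's CDML format files.
ENUMERATION_ACTIONS = {"-dbnames", "-layoutnames", "-scriptnames"}
BUILTIN_FORMATS = {"-raw", "-fmp_xml", "-dso_xml"}

ERROR_PAGE = "<html><body><h1>Request refused</h1></body></html>"

# Apache common log format (assumed for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def _normalise(token: str) -> str:
    """Decode until stable (catches %2Ddbnames and double encoding), then
    lower-case so -DBNAMES and -dbnames compare equal."""
    prev, cur = None, token
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()


def inspect_query(query: str) -> list:
    """Return the reasons a query string must be refused; [] means allow."""
    reasons = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        k, v = _normalise(key), _normalise(value)
        if k in ENUMERATION_ACTIONS:
            reasons.append(f"enumeration action {k}")
        elif k == "-format" and v.startswith("-"):
            reasons.append(f"built-in format {v}")
        elif v in ENUMERATION_ACTIONS or v in BUILTIN_FORMATS:
            # a blocked token carried as some other parameter's value
            reasons.append(f"blocked token in value of {k}")
    return reasons


def filter_request(method: str, target: str, body: str = ""):
    """Gate one request before it reaches WC.

    Returns None to pass it through, else (403, ERROR_PAGE, reasons).
    A form-encoded POST body carries the same CDML arguments as a query
    string, so it is inspected with the same rules."""
    reasons = inspect_query(urlsplit(target).query)
    if method.upper() == "POST" and body:
        reasons += inspect_query(body)
    if not reasons:
        return None
    return 403, ERROR_PAGE, reasons


def scan_access_log(lines) -> list:
    """Apply the filter rules to access-log lines and report the probes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, don't guess
        verdict = filter_request(m["method"], m["target"])
        if verdict:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "reasons": verdict[2]})
    return hits


# Constructed sample: one legitimate CDML search, then the probing sequence
# the thread describes (list databases, list layouts, dump records raw).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jan/2002:10:12:01 +0100] "GET /FMPro?-db=orders.fp5&-lay=web&-format=search.htm&-findall HTTP/1.0" 200 3321',
    '10.0.0.9 - - [09/Jan/2002:10:12:07 +0100] "GET /FMPro?-dbnames&-format=-fmp_xml HTTP/1.0" 200 812',
    '10.0.0.9 - - [09/Jan/2002:10:12:09 +0100] "GET /FMPro?-db=orders.fp5&-layoutnames&-format=-fmp_xml HTTP/1.0" 200 640',
    '10.0.0.9 - - [09/Jan/2002:10:12:15 +0100] "GET /FMPro?-db=orders.fp5&-lay=web&-format=-raw&-findall HTTP/1.0" 200 40212',
    '10.0.0.9 - - [09/Jan/2002:10:12:20 +0100] "GET /FMPro?-db=orders.fp5&-lay=web&-format=%2DFMP%5FXML&-findall HTTP/1.0" 200 38877',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["target"], "->", "; ".join(hit["reasons"]))
```

The denylist is deliberately small: the point is to make the built-in formats and name-listing actions unreachable from the outside while leaving the developer's own -format=something.htm pages untouched. Refusing every -format value that starts with "-" (rather than only the three named here) is what closes the "undocumented features" class in one rule, and running the same function over old logs shows whether anyone has already walked the -dbnames, -layoutnames, -raw sequence against the site.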

Posted

Hey all..

Keith: I started the thread because I was concerned that WC was insecure. Since then I have learned that as long as the correct security measures have been implemented, it doesn't matter that the database information is available over the WC. Hopefully Anatoli's Filtering solution will solve the problem once and for all.

Still the thing that concerns me is that FileMaker don't tell people about this. If I had my way, the WC would have at least some ReadMe file that explained the importance of the WebSecurity DBs.

Their excuse for this is the XML support in FMP 5.5 that is accessible over the WC. If they were sensible about this, they would have the option to allow people to access this info.

scratchmalogicalwax: D-Base only works on WebCompanion so you won't be able to get anything out of a lasso server.

Thanks for your comments. Good luck with your filter Anatoli.

Keep it secure.

Charlie ;)

Posted

Chazboi

I cannot thank you enough for starting this -- so far -- best thread!

Although we are not storing credit card details, I just hate it when everyone equipped with just a browser can hack something so easily.

And as I wrote before -- FileMaker Inc. is still suspiciously quiet :(

Posted

Anatoli, "...FileMaker Inc. is still suspiciously quiet". Probably based on advice of their legal weasels. Their license probably denies any responsibility on their behalf. All software seems to be sold this way. A disclaimer is cheaper than good workmanship.

Posted

True!

I am not gonna try to hurt them with lost sales :) but it will be interesting reading on many sites dedicated to the security issues.

I think, Microsoft is trying harder. At least they do issue security patches quite soon after something is discovered.

Posted

First, use 5.0v3, not 5.0v2.

Second, do not run FMU on the same machine as FM Server. Give both their own machines.

Third, do not put the database to be shared into the web folder. It doesn't need to be there. If it's open and if it's set to share via the WC, then it will be broadcast just fine.

All that said there are substantial security issues. At best don't put anything into the database that you do not want to be seen.

Also, if you avoid setting the database to multiuser you can reduce the chances of its being accessed in other ways.

Old Advance Man

Posted

RE: Second, do not run FMU on the same machine as FM Server. Give both their own machines.

That is a big issue on Mac OS.

If you have a powerful machine with good preemptive multitasking, it is not so problematic. Especially with 2 or more processor hardware.

Posted

From what I understand, if you use chazboi's D-Base you can get a list of FMPro db files which are being served through WC (doesn't seem to matter where they are placed) at a given site. Once you have that list you can force all the records from any/all of those db files.

Thus it would seem that one would want to keep perhaps only one file connected through WC such that it has no "privileged" data stored in it. That db should be used to access other db's which are in no way connected by WC. Ways to move data to other files seem to be inlineaction and scripts. Scripts require a workaround to avoid data loss and misinformed clients should a near-simultaneous request occur on any script(s). Inlineaction is not possible in FMPro 4.0.

Posted

quote:

Originally posted by Anatoli:

RE: Second, do not run FMU on the same machine as FM Server. Give both their own machines.

That is a big issue on Mac OS.

If you have a powerful machine with good preemptive multitasking, it is not so problematic. Especially with 2 or more processor hardware.

Sounds like a dual processor G4 running OSX to me!!!!

128bit processing and now with a decent OS watch out x386

:D ;) 8) :D

Posted

quote:

Originally posted by scratchmalogicalwax:

Sounds like a dual processor G4 running OSX to me!!!!

128bit processing and now with a decent OS watch out x386

:D ;) 8) :D

If the G4 and MacX are as good as Apple claim, then you need only a single G4 500MHz to have the same (fast) sufficient performance as a Pentium 1GHz with NT or W2K. :)

Posted

hmmmm true............in theory :) ............but I'm waiting to see exactly how WebSTAR V and Lasso V perform, especially with regards to security.

Hopefully BlueWorld have had a look at the security loopholes when using Lasso with FileMaker WC.

It would be interesting to hear from anyone who has this setup.......

The ability to remove/disable actions or tags such as -Databasenames etc. would be nice.

To be honest I don't think I have ever incorporated any of the "loophole" tags / actions mentioned here in any of my Lasso / FMPro solutions......

:D :D

Posted

Thanks for all your responses!

A couple of follow up questions:

1) I can update to FMUnlimited 5.0v3 easily enough, but are there significant security advantages to warrant paying for the upgrade to FMU 5.5?

2) The points raised about running FMU on the same machine as FM Server seem to be performance rather than security related, yes?

3) Otherwise it seems that a relatively secure solution would be to have one file with non-sensitive data with Web Companion enabled, and then isolating sensitive data in a related file with Web Companion disabled. And the fields from that file that you want made visible would be on the accessible file, correct?

Keith, I

Posted

[fmp-inlineaction] is a cdml tag in Pro 5.+ which is not in 4.0. You will find it in your copy of cdml reference.fp5, available online if you don't have it. I don't have the address, but it is elsewhere on this forum, or someone else can give it to you. There are several threads about this tag, mostly on the cdml forum.

As to upgrading to 5.5, I can't tell you the differences. I did note a .pdf at FileMaker which mentions that a few cdml tags which were available in 5.0 have been removed from 5.5 because of some problems (possibly security issues, I don't really recall). Again, that .pdf has been referenced recently by me on one of these forums. I don't recall the exact address at FileMaker or the name of the .pdf. Perhaps someone else can shed further light on your questions.
