Genx Posted February 10, 2007
Solution / : Custom Login Screen
Description: FileMaker custom login screens -- I'm looking for someone to try and hack this, crack this, break this, get through this, using whatever tools or methods they might have in FM or developer or anything else they see fit to rely on. I made this a while ago and I've forgotten the password soooo... But if no-one manages to crack it within two weeks, I'll recreate the file and post it in this thread as a sample.
EDIT 3: DEVELOPMENT ON THIS FILE WILL NOT CONTINUE DUE TO VARIOUS METHODS DISCOVERED AROUND FM'S PRIVILEGE SETS
Working Under:
Solution Status: Untested
Pre-requisites:
Author(s): Genx
Date: 02/09/07
Credits:
Instructions / Other Info:
Disclaimer: FM Forums does not endorse or warrant that these files are fit for any particular purpose. Do not post or distribute files without written approval from the copyright owner. All files are deemed public domain unless otherwise indicated. Please backup every file that you intend to modify.
customLogin_v2.zip
Genx (Author) Posted February 10, 2007
Forgot to mention, this is a Backend Frontend split.
SteveB Posted February 10, 2007
Here you go:
Steve
Edited February 10, 2007 by Guest
philou54 Posted February 10, 2007
How did you do it man? I'd like to know how you hacked because I'd like to use a custom login screen but... it seems to be unsecure. Thanks
SteveB Posted February 10, 2007
I am definitely not a hacker, and I don't want to make this widely known. It took less than 2 minutes. I think Comment pointed out that unless you remove the ability to modify the file (using the Developer Tools in 8-8.5 or similar in earlier versions), it is too easy to crack.
Steve
philou54 Posted February 10, 2007
Is the original login screen of FileMaker more secure than a custom one?
Genx (Author) Posted February 10, 2007
So much for that.. I'll be back. And the answer is not certain at this point.
Edited February 10, 2007 by Guest
Genx (Author) Posted February 11, 2007
I invite other people to continue trying to get in -- I now know of only one method to do it. You're going to have to get very creative.
librone Posted February 13, 2007
It's too easy, Genx
administrator
administrator
Genx (Author) Posted February 13, 2007
I just tried that and it doesn't work. If you're right and it does work (which it probably does):
A) That's a real password and I set it to something simple so I wouldn't forget (but I did forget ... god I'm dumb)
B) That's a privilege password -- It'll get you into the front end but that's it. You have no access to the backend
Genx (Author) Posted February 13, 2007
What user name and password did you use though? Because the only account with the same user and password in backend and front end was the administrator account. ... and I tried administrator administrator and I can't get it to work
Edited February 13, 2007 by Guest
librone Posted February 13, 2007
Hi, Genx
You can use all accounts and passwords, but I can't tell you how I did it. I suggest you don't use a custom login screen in future.
Genx (Author) Posted February 13, 2007
Keep breaking please and if you do manage to break in, please Private Topic me and let me know how you did it and I'll try and stop it.
comment Posted February 13, 2007
I don't think playing this game is helping anyone to understand the issues here.
Genx (Author) Posted February 13, 2007
That depends entirely on what "game" you think I'm playing, comment. Please read the PT I sent you before you reply to this
librone Posted February 14, 2007
Hi Genx,
I want to help you. To bypass your custom login screen I executed the hidden script "unlock status area", et voilà. Now, in your example, you can remove the script "unlock status area", but in a large solution there are many hidden scripts and I can execute one of these to bypass your custom login screen. I suggest you don't use a custom login screen.
Bye
Ann
Genx (Author) Posted February 14, 2007
Thanks Ann! In a larger solution, and in this one for that matter, that script shouldn't have been available for welcome users. Looks like I just forgot... Thanks again.
librone Posted February 14, 2007
Hi Genx,
for "welcome" no, but for other accounts yes. In a large solution a GTRR script is also sufficient to bypass your custom login screen, and a GTRR script is always available for "welcome".
Bye
Ann
Genx (Author) Posted February 14, 2007
True, but define scripts isn't... Also if layout access is disabled, well that option's blocked too. I'll post another file tomorrow some time to show what I mean.
Genx (Author) Posted February 16, 2007
A revised file is now available -- See original post for new file
Edited February 16, 2007 by Guest
librone Posted February 16, 2007
Hi Genx,
another congratulation is now available. Please don't use a custom login screen. I am not a hacker but I can always bypass it.
Australia 0 vs 2 France
Do you want to do another round?
Ann
Genx (Author) Posted February 16, 2007
Hmmmm... Care to share this time? The reason being.. My main concern here is that that layout is not accessible to the welcome account at all -- i.e. it's blocked. So even if you had bypassed the script and managed to get to it, you shouldn't have been able to view the layout -- Whether you were using a custom login screen or not. Can you please PT me a screenshot of the bottom portion of the layout?
Edited February 16, 2007 by Guest
Genx (Author) Posted February 16, 2007
Thanks Ann. So you actually logged in? Those calcs are pulling the real privilege sets... I'm at a real loss as to how you did that... Like I said, administrator accounts force you to login twice, using only FileMaker login.
Edited February 16, 2007 by Guest
librone Posted February 16, 2007
Hi Genx,
If you want your custom login screen to work, you must leave only the "welcome" account, but if you leave only the "welcome" account your large solution doesn't work.
Sorry for English
Ann - France
Genx (Author) Posted February 16, 2007
Well last time you got in by unlocking the side bar... what did you do this time?
LaRetta Posted February 16, 2007
Genx, what do you hope to accomplish that FileMaker's own Privileges won't give you? You are attempting to reinvent the wheel that FileMaker Engineers have already invented (very well, I might add). It may not be totally uncrackable (nothing is) but, if THEY can't make it uncrackable, what makes you think YOU can? I'm at a loss to understand ...
LaRetta
librone Posted February 16, 2007
"Well last time you got in by unlocking the side bar... what did you do this time?"
relogin
Ann
librone Posted February 16, 2007
".... My question is now how FileMaker's privilege restrictions are being bypassed."
I can bypass your "default open script" and I can bypass your "default open account"
Ann
Genx (Author) Posted February 16, 2007
... and do what? That just means you have to login using FileMaker Relogin anyway... Which is exactly what you'd have to do even if there was no custom login screen.
Edited February 17, 2007 by Guest
xoomaster Posted February 17, 2007
While I can understand that some of this is fun, and some of it is frustration, but there is a lot to learn from this. After trying for an hour now I can get into this file also, and I am no hacker also! I have to say though that there is a need, other than what FMP staff has given us, to use this kind of technique. I have used this kind of approach for locking the screen when unattended. It would be a suicide to show it here though.
Xoomaster
xoomaster Posted February 17, 2007
All I can say now is that there is too much on display even in a DB with the best login methods. I do not want to give any more away, but what the heck is this about? I hope version 9 fixes this problem!
Xoomaster
Genx (Author) Posted February 17, 2007
Oh well. I guess I quit. Sorry for wasting everyone's time and looks like I'll just have to be happy with a splash screen... And at least now I know I can't trust FileMaker privileges for anything.
librone Posted February 17, 2007
"...... And at least now I know I can't trust FileMaker privileges for anything."
Well Genx, I have written that in my first post. I am sorry for my English.
Ann