Security Update

May 8, 2002

Dear FileMaker Now Readers,

Because the security of our customers' data is a top priority for FileMaker, we are sending you this special security update concerning FileMaker Pro 5.5 and FileMaker Pro 5.5 Unlimited. Please read the following summary and, if you are affected, also read the TechInfo Knowledge Base article by following the link below.

Thanks for reading.

-The FileMaker Now Team

FileMaker Pro 5.5 Database Files Should Be Removed from the Web Companion Web Folder

Problem Summary: FileMaker Pro database files stored in the "Web" folder (or subfolders) can be downloaded by end user browsers using HTTP requests, regardless of the settings in the Remote Administration options of the Web Companion Configuration, including "Requires password".

Who Should Read This Article: Customers publishing databases to the Web with Web Companion in the FileMaker Pro 5.5 and FileMaker Pro 5.5 Unlimited products. Read the entire article.

Affected Products: Web Companion 5.5 v2 and v3, with FileMaker Pro 5.5 or FileMaker Pro 5.5 Unlimited. Does not affect the Web Companion in FileMaker Pro 5.0, 4.1 or 4.0.

Workaround: Temporarily, remove all database files from the "Web" folder (including subfolders); open and serve them from another folder elsewhere on the Web server. This will effectively disable the Remote Administration support for opening databases to be served over the Web. Other Remote Administration operations are not affected.

Read the full article here. http://www.filemaker.com/ti/108034.html

"Does not affect the Web Companion in FileMaker Pro 5.0, 4.1 or 4.0."

That is because there are holes in those versions through which truckloads of data can be driven and for which FMI has no workaround.

Best solutions seem to be Lasso or sql/php.

I like ScriptMaker scripts which can remove data completely from WC accessed files.