FileMaker Pro 5 Web Security Alert
TweetFollow Us on Twitter

FileMaker Pro 5 Web Security Alert

Blue World Announces FileMaker Pro 5 Web Security Alert

May 1, 2000

Blue World Communications, Inc.--pioneers of the Web Data Engine(tm)--today
announced to customers, partners, vendors, Internet security regulators,
and the wider FileMaker Pro Web community that it has discovered at least
three serious security holes in the Web Companion provided in the FileMaker
Pro 5 product line. The security holes are a result of new XML and email
capabilities introduced in the FileMaker Pro 5 product line. The first
security hole permits anyone on the Internet to view all data contained in
any FileMaker Pro 5 Web Companion configured database made accessible on
the Internet, regardless of Web Database Security preferences set to deny
such access. The second security hole permits anyone on the Internet to use
the Web Companion's email capabilities to send email with data contained in
any FileMaker Pro 5 Web Companion enabled database, regardless of Web
Database Security preferences set to deny such access. The third security
hole permits anyone on the Internet to use FileMaker Pro 5 Web Companion to
send anonymous or impersonated email.

The problems affect all organizations with Web sites that utilize FileMaker
Pro 5 Web Companion. The email problems can affect any organization that
hosts a mail server. FileMaker, Inc. has been notified.

Security Holes

The precise details of how to exploit these holes is minimized to prevent
compromising the integrity of all current Internet-accessible FileMaker Pro
5 databases and mail servers. However, details can be easily deduced by
referencing the FileMaker Pro 5 documentation and by consulting the
FileMaker XML Technology Overview white paper available via the FileMaker
XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web
accessible database regardless of Web Database Security preferences set to
deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon
a request submitted by anyone on the Internet. The XML publishing
capabilities of the FileMaker Pro 5 Web Companion cannot be disabled
separately from the Web Companion. The XML publishing capabilities bypass
certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on
the Web to view any data within a FileMaker Pro 5 database.

The hole allows anyone to view sensitive data contained within FileMaker
Pro 5 databases such as credit card numbers, passwords, employee records,
and trade secrets that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to
retrieve all data contained in any FileMaker Pro 5 Web Companion enabled
database regardless of Web Database Security preferences set to deny such
access.

FileMaker Pro 5 Web Companion new email capabilities include the ability to
specify that any field in a database be used as the format for the body of
the email message. This new functionality can be accessed through a request
submitted by anyone on the Internet. The new email capabilities can be used
to bypass certain crucial aspects of FileMaker Pro 5 Web security allowing
anyone on the Web to send the contents of any database field via email to
themselves or a third party.

The hole makes it possible to access and rapidly distribute across the
Internet sensitive information stored in FileMaker Pro 5 databases not
intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to
send anonymous or impersonated email thereby compromising the integrity of
any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or
impersonate the true identity and source of the originating message making
it virtually impossible to trace the origin of malicious activity.

For example, anyone on the Web could access any organization's FileMaker
Pro 5 powered Web site and submit a query that contains commands which
instruct the Web Companion to send an email from the president of the
organization instructing all employees not to show up to work. As the email
would originate from the organization's own servers, it would be virtually
impossible to trace the true location of the perpetrator.

Solutions

There are four potential solutions to close the security holes. The first
three require disabling portions of FileMaker Pro's built-in Web Companion
or downgrading to a previous and safer version of FileMaker Pro. The final
solution entails using a third party product, such as Lasso Web Data
Engine, to protect FileMaker Pro 5 databases on the Web.

A. Disable the FileMaker Pro Web Companion. This disables the automatic XML
Publishing and email capabilities of FileMaker Pro 5.

B. Don't use FileMaker Pro 5. Earlier versions of FileMaker Pro Web
Companion do not contain these security flaws.

C. Use FileMaker Pro access privileges rather than the Web Security
Database. (Note: This only addresses the first two security issues reported
here.) While FileMaker Pro access privileges seemingly offer a solution to
this problem, they do not provide certain important additional features
otherwise provided in the Web Security Database. As such, it is not a
viable option for Web developers who require specific Web-related security
features.

D. Use Lasso Web Data Engine as a secure proxy to FileMaker Pro 5 Web
Companion. Configure FileMaker Pro Web Companion to limit access to the IP
address of the machine on which Lasso is installed. You can then safely use
Lasso security to protect your FileMaker Pro 5 databases.

Blue World Policy on Security Alerts

Blue World notifies customers, partners, and vendors as quickly as possible
regarding any problems pertaining to the secure use of Blue World products
either as they exist unto themselves or when used in combination with other
products. Blue World strives to deliver appropriate information so the
seriousness of any security related problem is clearly understood and
widely known in an effort to best serve all those potentially affected by
security issues. As appropriate, Blue World will limit the amount of
detailed information revealed so as to not potentially compromise the
integrity of currently deployed and publicly accessible solutions based
upon any vendors' products, including those vendors' products which
directly compromise the security of any solution built using Blue World
products.

Additional Information

Additional information is not available from Blue World. FileMaker, Inc.
can be contacted via contacts listed on the FileMaker, Inc. Web site at
http://www.filemaker.com. Interested parties who wish to discover how the
FileMaker Pro community reacts to this issue are cordially invited to join
the Blue World FileMaker Pro Talk email discussion forum, details provided
at http://www.blueworld.com/blueworld/lists/filemaker.html. An archive
containing all posts to FileMaker Pro Talk may be found at
http://listsearch.blueworld.com/fmprotalksearch.lasso.

About Blue World

Blue World Communications, Inc. (http://www.blueworld.com) delivers
cross-platform software tools allowing Web developers and designers to
quickly build and deploy powerful data-driven Web applications. Blue World
provides Lasso Web Data Engine, Lasso Studio for Dreamweaver, Blue World
Store and Blue World ListSearch service in fulfillment of its mission to
bring business to the Internet.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

WhatsApp 0.2.5862 - Desktop client for W...
WhatsApp is the desktop client for WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for... Read more
Things 3.1.3 - Elegant personal task man...
Things is a task management solution that helps to organize your tasks in an elegant and intuitive way. Things combines powerful features with simplicity through the use of tags and its intelligent... Read more
BetterTouchTool 2.292 - Customize Multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom... Read more
Things 3.1.3 - Elegant personal task man...
Things is a task management solution that helps to organize your tasks in an elegant and intuitive way. Things combines powerful features with simplicity through the use of tags and its intelligent... Read more
BetterTouchTool 2.292 - Customize Multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom... Read more
Bookends 12.8.3 - Reference management a...
Bookends is a full-featured bibliography/reference and information-management system for students and professionals. Bookends uses the cloud to sync reference libraries on all the Macs you use.... Read more
Mellel 3.5.5 - The word processor for sc...
Mellel is the leading word processor for OS X and has been widely considered the industry standard since its inception. Mellel focuses on writers and scholars for technical writing and multilingual... Read more
Mellel 3.5.5 - The word processor for sc...
Mellel is the leading word processor for OS X and has been widely considered the industry standard since its inception. Mellel focuses on writers and scholars for technical writing and multilingual... Read more
Bookends 12.8.3 - Reference management a...
Bookends is a full-featured bibliography/reference and information-management system for students and professionals. Bookends uses the cloud to sync reference libraries on all the Macs you use.... Read more
Carbon Copy Cloner 4.1.18 - Easy-to-use...
Carbon Copy Cloner backups are better than ordinary backups. Suppose the unthinkable happens while you're under deadline to finish a project: your Mac is unresponsive and all you hear is an ominous,... Read more

4 RPGs like Final Fantasy XV that deserv...
Square Enix announced another Final Fantasy XV spin-off today - Final Fantasy XV Pocket Edition. This mobile, episodic version of the hit RPG gives the game a chibi-fied makeover. The first episode will be free, followed by 9 more premium episodes... | Read more »
Guild sieges and soul gems in latest upd...
Webzen’s MU Origin hit app stores last year, giving fans of fantasy hack-n-slash MMOs like Diablo a new fix to fixate on. This latest update introduces a competitive guild battle, a fresh dungeon challenge, a mini-game and some elemental gems to... | Read more »
Little Red Lie (Games)
Little Red Lie 1.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0 (iTunes) Description: ARE YOU MORE AFRAID OF POVERTY THAN DEATH? Little Red Lie is a narrative-focused, interactive fiction experience that reduces... | Read more »
You can now apply to be Clash of Clans...
Earlier this month, word got out that the Builder, the trusty handiman who tirelessly built every single building inevery singleClash of Clansbase had called it quits. Sick of seeing his work destroyed endless, the Builder has set out for our world... | Read more »
Meshi Quest beginner's guide - how...
Meshi Quest is Square Enix's newest free-to-play release, and it's a real charmer. You start off as the head of a sushi restaurant, upgrading your food and equipment as you serve visitors heaping helpings of your delicious meals. As you progress,... | Read more »
BUST-A-MOVE JOURNEY (Games)
BUST-A-MOVE JOURNEY 1.0.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.0 (iTunes) Description: BUST-A-MOVE Features:- Shoot bubbles and match 3 or more bubbles of the same color to make them pop!- Complete your... | Read more »
The best card combos in Clash Royale
Clash Royale is all about building a deck of units that synergise well. To help you get off to a flying start, we've put together a list of unit combinations that are incredibly effective. Looking for some choice 2v2 combos? Check out our guide. [... | Read more »
The best 2v2 card combos in Clash Royale
2v2 is making it's grand return toClash Royalequite soon. 2v2 has quickly become one of the game's most popular gameplay modes, though they still have yet to make it a permanent fixture in the game. 2v2 is exciting and adds some new flavor to... | Read more »
The best games we played this week - Aug...
Another busy week has come to a close. We played a lot of excellent games this week and now it's time to look back and reflect on some our favorites. Here are our picks for the week of August 18. [Read more] | Read more »
War Wings beginner's guide - how to...
War Wings is the newest project from well-established game maker Miniclip. It's a World War II aerial dogfighting game with loads of different airplane models to unlock and battle. The game offers plenty of single player and multiplayer action. We... | Read more »

Price Scanner via MacPrices.net

Sale! 13-inch 2.3GHz MacBook Pros for $100 of...
B&H Photo has 13″ 2.3GHz MacBook Pros in stock today and on sale for $100 off MSRP including free shipping plus NY & NJ sales tax only: – 13-inch 2.3GHz/128GB Space Gray MacBook Pro (MPXQ2LL... Read more
2016 MacBook Pros, Apple refurbished, availab...
Apple has Certified Refurbished 2016 15″ and 13″ MacBook Pros available starting at $1189. An Apple one-year warranty is included with each model, and shipping is free: – 15″ 2.7GHz Touch Bar Space... Read more
Apple offers Certified Refurbished iPhone 6s...
Apple has Certified Refurbished unlocked iPhone 6s’s and 6s Plus’s available starting at $449. An Apple one-year warranty is included with each phone, and shipping is free: – 16GB iPhone 6s: $449, $... Read more
Apple offers Certified Refurbished Pencils fo...
Apple has Certified Refurbished Apple Pencils available for $85 including free shipping. Their price is $14 off MSRP, and it’s the lowest price available for a Pencil. Read more
2016 15-inch 2.6GHz Touch Bar MacBook Pro ava...
B&H Photo has clearance 2016 15″ 2.6GHz MacBook Pros in stock today and on sale for $500 off original MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: – 15″ 2.6GHz Touch... Read more
21-inch 2.3GHz iMac on sale for $999, save $1...
Amazon has the new 2017 21″ 2.3GHz iMac (MMQA2LL/A) in stock and on sale for $999.99 including free shipping. Their price is $100 off MSRP, and it’s the lowest price available for this model. Read more
Free Instant Translator 2.0 App For iOS Relea...
Mobile application development company, Neoappz has announced the release and immediate availability of Instant Translator 2.0 for iOS devices. Instant Translator is a user-friendly application which... Read more
2017 15-inch MacBook Pros on sale for $200 of...
Amazon has 2017 15″ MacBook Pros on sale for $200 off MSRP. Shipping is free: – 15″ 2.8GHz MacBook Pro Space Gray: $2199.99, $200 off MSRP – 15″ 2.8GHz MacBook Pro Silver: $2296, $103 off MSRP – 15″... Read more
Apple’s 2017 Back to School Promotion: Free B...
Purchase a new Mac using Apple’s Education discount, and take up to $300 off MSRP. All teachers, students, and staff of any educational institution qualify for the discount. Shipping is free. As part... Read more
Clearance 2016 12-inch Retina MacBooks, Apple...
Apple has Certified Refurbished 2016 12″ Retina MacBooks available starting at $1019. Apple will include a standard one-year warranty with each MacBook, and shipping is free. The following... Read more

Jobs Board

Development Operations and Site Reliability E...
Development Operations and Site Reliability Engineer, Apple Payment Gateway Job Number: 57572631 Santa Clara Valley, California, United States Posted: Jul. 27, 2017 Read more
Frameworks Engineering Manager, *Apple* Wat...
Frameworks Engineering Manager, Apple Watch Job Number: 41632321 Santa Clara Valley, California, United States Posted: Jun. 15, 2017 Weekly Hours: 40.00 Job Summary Read more
*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
Development Operations and Site Reliability E...
Development Operations and Site Reliability Engineer, Apple Payment Gateway Job Number: 57572631 Santa Clara Valley, California, United States Posted: Jul. 27, 2017 Read more
Frameworks Engineering Manager, *Apple* Wat...
Frameworks Engineering Manager, Apple Watch Job Number: 41632321 Santa Clara Valley, California, United States Posted: Jun. 15, 2017 Weekly Hours: 40.00 Job Summary Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.