FileMaker Pro 5 Web Security Alert
TweetFollow Us on Twitter

FileMaker Pro 5 Web Security Alert

Blue World Announces FileMaker Pro 5 Web Security Alert

May 1, 2000

Blue World Communications, Inc.--pioneers of the Web Data Engine(tm)--today
announced to customers, partners, vendors, Internet security regulators,
and the wider FileMaker Pro Web community that it has discovered at least
three serious security holes in the Web Companion provided in the FileMaker
Pro 5 product line. The security holes are a result of new XML and email
capabilities introduced in the FileMaker Pro 5 product line. The first
security hole permits anyone on the Internet to view all data contained in
any FileMaker Pro 5 Web Companion configured database made accessible on
the Internet, regardless of Web Database Security preferences set to deny
such access. The second security hole permits anyone on the Internet to use
the Web Companion's email capabilities to send email with data contained in
any FileMaker Pro 5 Web Companion enabled database, regardless of Web
Database Security preferences set to deny such access. The third security
hole permits anyone on the Internet to use FileMaker Pro 5 Web Companion to
send anonymous or impersonated email.

The problems affect all organizations with Web sites that utilize FileMaker
Pro 5 Web Companion. The email problems can affect any organization that
hosts a mail server. FileMaker, Inc. has been notified.

Security Holes

The precise details of how to exploit these holes is minimized to prevent
compromising the integrity of all current Internet-accessible FileMaker Pro
5 databases and mail servers. However, details can be easily deduced by
referencing the FileMaker Pro 5 documentation and by consulting the
FileMaker XML Technology Overview white paper available via the FileMaker
XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web
accessible database regardless of Web Database Security preferences set to
deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon
a request submitted by anyone on the Internet. The XML publishing
capabilities of the FileMaker Pro 5 Web Companion cannot be disabled
separately from the Web Companion. The XML publishing capabilities bypass
certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on
the Web to view any data within a FileMaker Pro 5 database.

The hole allows anyone to view sensitive data contained within FileMaker
Pro 5 databases such as credit card numbers, passwords, employee records,
and trade secrets that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to
retrieve all data contained in any FileMaker Pro 5 Web Companion enabled
database regardless of Web Database Security preferences set to deny such
access.

FileMaker Pro 5 Web Companion new email capabilities include the ability to
specify that any field in a database be used as the format for the body of
the email message. This new functionality can be accessed through a request
submitted by anyone on the Internet. The new email capabilities can be used
to bypass certain crucial aspects of FileMaker Pro 5 Web security allowing
anyone on the Web to send the contents of any database field via email to
themselves or a third party.

The hole makes it possible to access and rapidly distribute across the
Internet sensitive information stored in FileMaker Pro 5 databases not
intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to
send anonymous or impersonated email thereby compromising the integrity of
any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or
impersonate the true identity and source of the originating message making
it virtually impossible to trace the origin of malicious activity.

For example, anyone on the Web could access any organization's FileMaker
Pro 5 powered Web site and submit a query that contains commands which
instruct the Web Companion to send an email from the president of the
organization instructing all employees not to show up to work. As the email
would originate from the organization's own servers, it would be virtually
impossible to trace the true location of the perpetrator.

Solutions

There are four potential solutions to close the security holes. The first
three require disabling portions of FileMaker Pro's built-in Web Companion
or downgrading to a previous and safer version of FileMaker Pro. The final
solution entails using a third party product, such as Lasso Web Data
Engine, to protect FileMaker Pro 5 databases on the Web.

A. Disable the FileMaker Pro Web Companion. This disables the automatic XML
Publishing and email capabilities of FileMaker Pro 5.

B. Don't use FileMaker Pro 5. Earlier versions of FileMaker Pro Web
Companion do not contain these security flaws.

C. Use FileMaker Pro access privileges rather than the Web Security
Database. (Note: This only addresses the first two security issues reported
here.) While FileMaker Pro access privileges seemingly offer a solution to
this problem, they do not provide certain important additional features
otherwise provided in the Web Security Database. As such, it is not a
viable option for Web developers who require specific Web-related security
features.

D. Use Lasso Web Data Engine as a secure proxy to FileMaker Pro 5 Web
Companion. Configure FileMaker Pro Web Companion to limit access to the IP
address of the machine on which Lasso is installed. You can then safely use
Lasso security to protect your FileMaker Pro 5 databases.

Blue World Policy on Security Alerts

Blue World notifies customers, partners, and vendors as quickly as possible
regarding any problems pertaining to the secure use of Blue World products
either as they exist unto themselves or when used in combination with other
products. Blue World strives to deliver appropriate information so the
seriousness of any security related problem is clearly understood and
widely known in an effort to best serve all those potentially affected by
security issues. As appropriate, Blue World will limit the amount of
detailed information revealed so as to not potentially compromise the
integrity of currently deployed and publicly accessible solutions based
upon any vendors' products, including those vendors' products which
directly compromise the security of any solution built using Blue World
products.

Additional Information

Additional information is not available from Blue World. FileMaker, Inc.
can be contacted via contacts listed on the FileMaker, Inc. Web site at
http://www.filemaker.com. Interested parties who wish to discover how the
FileMaker Pro community reacts to this issue are cordially invited to join
the Blue World FileMaker Pro Talk email discussion forum, details provided
at http://www.blueworld.com/blueworld/lists/filemaker.html. An archive
containing all posts to FileMaker Pro Talk may be found at
http://listsearch.blueworld.com/fmprotalksearch.lasso.

About Blue World

Blue World Communications, Inc. (http://www.blueworld.com) delivers
cross-platform software tools allowing Web developers and designers to
quickly build and deploy powerful data-driven Web applications. Blue World
provides Lasso Web Data Engine, Lasso Studio for Dreamweaver, Blue World
Store and Blue World ListSearch service in fulfillment of its mission to
bring business to the Internet.

 
AAPL
$567.77
Apple Inc.
+43.02
MSFT
$39.86
Microsoft Corpora
+0.17
GOOG
$525.16
Google Inc.
-1.78

MacTech Search:
Community Search:

Software Updates via MacUpdate

Ember 1.5.1 - Versatile digital scrapboo...
Ember (formerly LittleSnapper) is your digital scrapbook of things that inspire you: websites, photos, apps or other things. Just drag in images that you want to keep, organize them into relevant... Read more
Cyberduck 4.4.4 - FTP and SFTP browser....
Cyberduck is a robust FTP/FTP-TLS/SFTP browser for the Mac whose lack of visual clutter and cleverly intuitive features make it easy to use. Support for external editors and system technologies such... Read more
TechTool Pro 7.0.3 - Hard drive and syst...
TechTool Pro is now 7, and this is the most advanced version of the acclaimed Macintosh troubleshooting utility created in its 20-year history. Micromat has redeveloped TechTool Pro 7 to be fully 64... Read more
MacFamilyTree 7.1.6 - Create and explore...
MacFamilyTree gives genealogy a facelift: it's modern, interactive, incredibly fast, and easy to use. We're convinced that generations of chroniclers would have loved to trade in their genealogy... Read more
EtreCheck 1.9.9 - For troubleshooting yo...
EtreCheck is a simple little app to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support... Read more
TeamViewer 9.0.28116 - Establish remote...
TeamViewer gives you remote control of any computer or Mac over the Internet within seconds, or can be used for online meetings. Find out why more than 200 million users trust TeamViewer! Free for... Read more
DiskAid 6.6.3 - Use your iOS device as a...
DiskAid is the ultimate transfer tool for accessing the iPod, iPhone or iPad directly from the desktop. Access data such as: music, video, photos, contacts, notes, call history, text messages (SMS),... Read more
Viber 4.1.0 - Send messages and make cal...
Viber lets you send free messages and make free calls to other Viber users, on any device and network, in any country! Viber syncs your contacts, messages and call history with your mobile device,... Read more
Apple iOS 7.1.1 - The latest version of...
The latest version of iOS can be downloaded through iTunes. Apple iOS 7 brings an all-new design and all-new features. Simplicity Simplicity is often equated with minimalism. Yet true simplicity is... Read more
1Password 4.3 - Powerful password manage...
1Password is a password manager that uniquely brings you both security and convenience. It is the only program that provides anti-phishing protection and goes beyond password management by adding Web... Read more

Latest Forum Discussions

See All

Pen & Ink Review
Pen & Ink Review By Jennifer Allen on April 24th, 2014 Our Rating: :: CONVENIENT ARTISTRYiPad Only App - Designed for the iPad Pen & Ink is an ideal way to sketch down some visual ideas or simply spark your imagination.   | Read more »
Sonic & All-Stars Racing Transformed...
Sonic & All-Stars Racing Transformed Now Free, to Add New Iconic Characters and Elements Posted by Tre Lawrence on April 24th, 2014 [ | Read more »
Soccer Rally 2 Review
Soccer Rally 2 Review By Carter Dotson on April 24th, 2014 Our Rating: :: GOALKEEPINGUniversal App - Designed for iPhone and iPad Soccer Rally 2 is the most serious vehicular soccer game ever created.   | Read more »
Galaxy Conquerors Review
Galaxy Conquerors Review By Jennifer Allen on April 24th, 2014 Our Rating: :: RETRO SHOOTINGUniversal App - Designed for iPhone and iPad Old school shooting is fun but inaccurate in Galaxy Conquerors.   | Read more »
Yomi Review
Yomi Review By Rob Thomas on April 24th, 2014 Our Rating: :: C-C-C-COMBO BREAKERiPad Only App - Designed for the iPad Round One – Fight! No quarters required for this iOS adaptation of a tabletop adaptation of the arcade fighting... | Read more »
Injustice: Gods Among Us Updated with Ne...
Injustice: Gods Among Us Updated with New Characters, Leaderboards, Gear, and Online Multiplayer Posted by Rob Rich on April 24th, 2014 [ | Read more »
Spin It Review
Spin It Review By Jordan Minor on April 24th, 2014 Our Rating: :: SPIN ME RIGHT ROUNDUniversal App - Designed for iPhone and iPad Spin It has a fine puzzle game model, but its execution lacks energy.   | Read more »
Productivity App NoteSuite is Having its...
Productivity App NoteSuite is Having its Biggest Sale Ever, Just for One Week Posted by Rob Rich on April 24th, 2014 [ permalink ] | Read more »
Wayward Souls Review
Wayward Souls Review By Carter Dotson on April 24th, 2014 Our Rating: :: CARRY ON, WAYWARD SONUniversal App - Designed for iPhone and iPad Wayward Souls is a roguelike-inspired action-RPG that sets a high bar for other games to... | Read more »
The Sandbox Gets Update, Receives New Ca...
The Sandbox Gets Update, Receives New Campaign and New Elements Posted by Tre Lawrence on April 24th, 2014 [ permalink ] Universal App - Designed for iPhone and iPad | Read more »

Price Scanner via MacPrices.net

Strong iPhone Sales Drive Apple Record March...
Apple on Wednesday announced financial results for its fiscal 2014 second quarter ended March 29, 2014. The Company posted quarterly revenue of $45.6 billion and quarterly net profit of $10.2 billion... Read more
Award-Winning NoteSuite Productivity App is $...
Minneapolis based Theory.io has announced an 80-Percent Markdown NoteSuite for iPad. NoteSuite helps users stay organized by capturing their notes, to-dos and documents in one organized place.... Read more
16GB 1st generation iPad mini available for $...
Radio Shack has a select number of refurbished 1st generation 16GB WiFi iPad minis available for $199.99 on their online store. Choose free shipping or free ship-to-store. We expect these to sell out... Read more
13-inch 2.5GHz MacBook Pro on sale for $100 o...
B&H Photo has the 13″ 2.5GHz MacBook Pro on sale for $1099 including free shipping plus NY sales tax only. Their price is $100 off MSRP. Read more
iPad Sales “Lull” A Reality Correction Of Unm...
I have lots of time for Jean-Louis Gassée, the former Apple Computer executive (1981 to 1990) who succeeded Steve Jobs as head of Macintosh development when the latter was dismissed in 1985. Mr.... Read more
Apple Makes OS X Betas Available To All – Wit...
Apple’s OS X Beta Seed Program, which lets you install the latest pre-release builds, try it out, and submit your feedback, is now open to anyone who wants to sign on rather than to developers and... Read more
Apple Releases iOS 7.1.1 Update
The latest iOS 7.1.1 update contains improvements, bug fixes and security updates, including: • Further improvements to Touch ID fingerprint recognition • Fixes a bug that could impact keyboard... Read more
Logitech Announces Thinner, Lighter, More Fle...
Logitech has announced an update to its Ultrathin for iPad Air, iPad mini and iPad mini with Retina display, improving the flexibility and design of its award-winning predecessor with an even thinner... Read more
Logitech Introduces Hinge, Big Bang and Turna...
Logitech has announced expansion of its tablet product line with three new cases – the Logitech Hinge, the Logitech Big Bang and the Logitech Turnaround – each for the iPad Air, iPad mini and iPad... Read more
WaterField’s Rough Rider Leather Messenger Ba...
WaterField Designs have announced the new 15-inch size of their popular Rough Rider leather messenger bag, a vintage-looking bag that combines Old West charm and ruggedness with distinctly modern... Read more

Jobs Board

*Apple* Solutions Consultant (ASC) - Apple (...
**Job Summary** The ASC is an Apple employee who serves as an Apple brand ambassador and influencer in a Reseller's store. The ASC's role is to grow Apple Read more
*Apple* Solutions Consultant (ASC) - Apple (...
**Job Summary** The ASC is an Apple employee who serves as an Apple brand ambassador and influencer in a Reseller's store. The ASC's role is to grow Apple Read more
Position Opening at *Apple* - Apple (United...
…customers purchase our products, you're the one who helps them get more out of their new Apple technology. Your day in the Apple Store is filled with a range of Read more
*Apple* Solutions Consultant (ASC) - Apple (...
**Job Summary** The ASC is an Apple employee who serves as an Apple brand ambassador and influencer in a Reseller's store. The ASC's role is to grow Apple Read more
*Apple* Inc. Research Data Specialist - Appl...
…of Worldwide Market Research & Intelligence. The team is responsible for conducting Apple branded consumer market research. It is also responsible for analyzing data Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.