FileMaker Pro 5 Web Security Alert
TweetFollow Us on Twitter

FileMaker Pro 5 Web Security Alert

Blue World Announces FileMaker Pro 5 Web Security Alert

May 1, 2000

Blue World Communications, Inc.--pioneers of the Web Data Engine(tm)--today
announced to customers, partners, vendors, Internet security regulators,
and the wider FileMaker Pro Web community that it has discovered at least
three serious security holes in the Web Companion provided in the FileMaker
Pro 5 product line. The security holes are a result of new XML and email
capabilities introduced in the FileMaker Pro 5 product line. The first
security hole permits anyone on the Internet to view all data contained in
any FileMaker Pro 5 Web Companion configured database made accessible on
the Internet, regardless of Web Database Security preferences set to deny
such access. The second security hole permits anyone on the Internet to use
the Web Companion's email capabilities to send email with data contained in
any FileMaker Pro 5 Web Companion enabled database, regardless of Web
Database Security preferences set to deny such access. The third security
hole permits anyone on the Internet to use FileMaker Pro 5 Web Companion to
send anonymous or impersonated email.

The problems affect all organizations with Web sites that utilize FileMaker
Pro 5 Web Companion. The email problems can affect any organization that
hosts a mail server. FileMaker, Inc. has been notified.

Security Holes

The precise details of how to exploit these holes is minimized to prevent
compromising the integrity of all current Internet-accessible FileMaker Pro
5 databases and mail servers. However, details can be easily deduced by
referencing the FileMaker Pro 5 documentation and by consulting the
FileMaker XML Technology Overview white paper available via the FileMaker
XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web
accessible database regardless of Web Database Security preferences set to
deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon
a request submitted by anyone on the Internet. The XML publishing
capabilities of the FileMaker Pro 5 Web Companion cannot be disabled
separately from the Web Companion. The XML publishing capabilities bypass
certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on
the Web to view any data within a FileMaker Pro 5 database.

The hole allows anyone to view sensitive data contained within FileMaker
Pro 5 databases such as credit card numbers, passwords, employee records,
and trade secrets that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to
retrieve all data contained in any FileMaker Pro 5 Web Companion enabled
database regardless of Web Database Security preferences set to deny such
access.

FileMaker Pro 5 Web Companion new email capabilities include the ability to
specify that any field in a database be used as the format for the body of
the email message. This new functionality can be accessed through a request
submitted by anyone on the Internet. The new email capabilities can be used
to bypass certain crucial aspects of FileMaker Pro 5 Web security allowing
anyone on the Web to send the contents of any database field via email to
themselves or a third party.

The hole makes it possible to access and rapidly distribute across the
Internet sensitive information stored in FileMaker Pro 5 databases not
intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to
send anonymous or impersonated email thereby compromising the integrity of
any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or
impersonate the true identity and source of the originating message making
it virtually impossible to trace the origin of malicious activity.

For example, anyone on the Web could access any organization's FileMaker
Pro 5 powered Web site and submit a query that contains commands which
instruct the Web Companion to send an email from the president of the
organization instructing all employees not to show up to work. As the email
would originate from the organization's own servers, it would be virtually
impossible to trace the true location of the perpetrator.

Solutions

There are four potential solutions to close the security holes. The first
three require disabling portions of FileMaker Pro's built-in Web Companion
or downgrading to a previous and safer version of FileMaker Pro. The final
solution entails using a third party product, such as Lasso Web Data
Engine, to protect FileMaker Pro 5 databases on the Web.

A. Disable the FileMaker Pro Web Companion. This disables the automatic XML
Publishing and email capabilities of FileMaker Pro 5.

B. Don't use FileMaker Pro 5. Earlier versions of FileMaker Pro Web
Companion do not contain these security flaws.

C. Use FileMaker Pro access privileges rather than the Web Security
Database. (Note: This only addresses the first two security issues reported
here.) While FileMaker Pro access privileges seemingly offer a solution to
this problem, they do not provide certain important additional features
otherwise provided in the Web Security Database. As such, it is not a
viable option for Web developers who require specific Web-related security
features.

D. Use Lasso Web Data Engine as a secure proxy to FileMaker Pro 5 Web
Companion. Configure FileMaker Pro Web Companion to limit access to the IP
address of the machine on which Lasso is installed. You can then safely use
Lasso security to protect your FileMaker Pro 5 databases.

Blue World Policy on Security Alerts

Blue World notifies customers, partners, and vendors as quickly as possible
regarding any problems pertaining to the secure use of Blue World products
either as they exist unto themselves or when used in combination with other
products. Blue World strives to deliver appropriate information so the
seriousness of any security related problem is clearly understood and
widely known in an effort to best serve all those potentially affected by
security issues. As appropriate, Blue World will limit the amount of
detailed information revealed so as to not potentially compromise the
integrity of currently deployed and publicly accessible solutions based
upon any vendors' products, including those vendors' products which
directly compromise the security of any solution built using Blue World
products.

Additional Information

Additional information is not available from Blue World. FileMaker, Inc.
can be contacted via contacts listed on the FileMaker, Inc. Web site at
http://www.filemaker.com. Interested parties who wish to discover how the
FileMaker Pro community reacts to this issue are cordially invited to join
the Blue World FileMaker Pro Talk email discussion forum, details provided
at http://www.blueworld.com/blueworld/lists/filemaker.html. An archive
containing all posts to FileMaker Pro Talk may be found at
http://listsearch.blueworld.com/fmprotalksearch.lasso.

About Blue World

Blue World Communications, Inc. (http://www.blueworld.com) delivers
cross-platform software tools allowing Web developers and designers to
quickly build and deploy powerful data-driven Web applications. Blue World
provides Lasso Web Data Engine, Lasso Studio for Dreamweaver, Blue World
Store and Blue World ListSearch service in fulfillment of its mission to
bring business to the Internet.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Ableton Live 9.7.5 - Record music using...
Ableton Live lets you create and record music on your Mac. Use digital instruments, pre-recorded sounds, and sampled loops to arrange, produce, and perform your music like never before. Ableton Live... Read more
Maintenance 2.3.5 - System maintenance u...
Maintenance is a system maintenance and cleaning utility. It allows you to run miscellaneous tasks of system maintenance: Check the status of the hard disk Repair permissions Run periodic scripts... Read more
OnyX 3.3.8 - Maintenance and optimizatio...
OnyX is a multifunction utility that you can use to verify the startup disk and the structure of its system files, to run miscellaneous maintenance and cleaning tasks, to configure parameters in the... Read more
Merlin Project 4.3.1 - $289.00
Merlin Project is the leading professional project management software for OS X. If you plan complex projects on your Mac, you won’t get far with a simple list of tasks. Good planning raises... Read more
WhatsApp 0.2.6426 - Desktop client for W...
WhatsApp is the desktop client for WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. WhatsApp Messenger is available for... Read more
DiskCatalogMaker 7.2.5 - Catalog your di...
DiskCatalogMaker is a simple disk management tool which catalogs disks. Simple, light-weight, and fast Finder-like intuitive look and feel Super-fast search algorithm Can compress catalog data for... Read more
BBEdit 12.0.1 - Powerful text and HTML e...
BBEdit is the leading professional HTML and text editor for the Mac. Specifically crafted in response to the needs of Web authors and software developers, this award-winning product provides a... Read more
Hazel 4.2.2 - Create rules for organizin...
Hazel is your personal housekeeper, organizing and cleaning folders based on rules you define. Hazel can also manage your trash and uninstall your applications. Organize your files using a familiar... Read more
Hopper Disassembler 4.3.3- - Binary disa...
Hopper Disassembler is a binary disassembler, decompiler, and debugger for 32- and 64-bit executables. It will let you disassemble any binary you want, and provide you all the information about its... Read more
Adobe InCopy CC 2018 13.0.0.123 - Create...
InCopy CC 2018 is available as part of Adobe Creative Cloud for as little as $19.99/month (or $9.99/month if you're a previous InCopy customer). Adobe InCopy CC 2018, ideal for large team projects... Read more

Guns Royale guide - beginner tips and tr...
If you've been itching to find a mobile battle royale game like Player Unknown's Battlegrounds, you're finally in luck. Guns Royale is a new survival shooter that takes all of the things you love about good ol' PUBG and puts it in a tidy mobile... | Read more »
What we know about Animal Crossing on mo...
At last, we'll be receiving some news about the mobile version of Animal Crossing in a special Nintendo Director at11 PM on October 24. There's been little word on the game since it was first announced, having been met with a series of delays.... | Read more »
Darts of Fury guide - how to rise in the...
Darts of Fury is a new, immensely absorbing darts game from indie studio Yakuto. It's darts in its purest form, but collectible darts and other upgrades give this game an addictive edge that's hard to shake. As your progress out of the beginner... | Read more »
ICEY (Games)
ICEY 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: ICEY is a 2D side-scrolling action game. As you follow the narrator's omnipresent voice, you will see through ICEY's eyes and learn the... | Read more »
The best new games we played this week -...
We've made it, folks. Another weekend is upon us. It's time to sit back and relax with the best new releases of the week. Puzzles, strategy RPGs, and arcade games abound this week. There's a lot of quality stuff to unpack this week, so let's hop... | Read more »
Wheels of Aurelia (Games)
Wheels of Aurelia 1.0.1 Device: iOS Universal Category: Games Price: $3.99, Version: 1.0.1 (iTunes) Description: | Read more »
Halcyon 6: Starbase Commander guide - ti...
Halcyon 6 is a well-loved indie RPG with stellar tactical combat and some pretty good writing, too. It's now landed on the App Store, so mobile fans, if you're itching for a good intergalactic adventure, here's your game. Being a strategy RPG, the... | Read more »
Game of Thrones: Conquest guide - how to...
Fans of base building games might be excited to know that yet another entry in the genre has materialized - Game of Thrones: Conquest. Yes, you can now join the many kingdoms of the famed book series, or create your own, as you try to conquer... | Read more »
Halcyon 6: Starbase Commander (Games)
Halcyon 6: Starbase Commander 1.4.2.0 Device: iOS Universal Category: Games Price: $6.99, Version: 1.4.2.0 (iTunes) Description: An epic space strategy RPG with base building, deep tactical combat, crew management, alien diplomacy,... | Read more »
Legacy of Discord celebrates its 1 year...
It’s been a thrilling first year for fans of Legacy of Discord, the stunning PvP dungeon-crawling ARPG from YOOZOO Games, and now it’s time to celebrate the game’s first anniversary. The developers are amping up the festivities with some exciting... | Read more »

Price Scanner via MacPrices.net

27″ 3.4GHz iMac on sale for $1699, save $100
Amazon has the 27″ 3.4GHz iMac (MNE92LL/A) on sale today for $1699 including free shipping. Their price is $100 off MSRP, and it’s the lowest price available for this model (except for Apple’s $1529... Read more
Clearance 2016 15″ MacBook Pros available for...
B&H Photo has leftover 2016 15″ MacBook Pros available for up to $700 off original MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: – 15″ 2.7GHz Touch Bar MacBook Pro Space... Read more
Save $100 on 13″ MacBook Airs, prices start a...
Adorama has 2017 13″ MacBook Airs on sale today for $100 off MSRP including free shipping. Adorama charges NY & NJ sales tax only: – 13″ 1.8GHz/128GB MacBook Air (MQD32LL/A): $899, $100 off MSRP... Read more
1.4GHz Mac mini available for $399, $100 off...
TigerDirect has the 1.4GHz Mac mini on sale today for $399 including free shipping. Their price is $100 off MSRP, and it’s the lowest price available for this model. Although currently out of stock,... Read more
21″ 2.3GHz iMac on sale for $999, save $100
MacMall has the 21″ 2.3GHz iMac (MMQA2LL/A) on sale today for $999 including free shipping. Their price is $100 off MSRP, and it’s the lowest price available for this model. Read more
12″ iPad Pros on sale for $50 off MSRP, no ta...
Adorama has 12″ iPad Pros on sale today for $50 off MSRP. Shipping is free, and Adorama charges sales tax in NY & NJ only: – 12″ 64GB iPad Pro: $749, save $50 – 12″ 256GB iPad Pro: $899, save $50... Read more
9″ iPads on sale for $30 off, starting at $29...
MacMall has 9″ iPads on sale for $30 off including free shipping: – 9″ 32GB iPad: $299 – 9″ 128GB iPad: $399 Read more
Apple restocks full line of refurbished 13″ M...
Apple has restocked a full line of Apple Certified Refurbished 2017 13″ MacBook Pros for $200-$300 off MSRP. A standard Apple one-year warranty is included with each MacBook, and shipping is free.... Read more
13″ 3.1GHz/256GB MacBook Pro on sale for $167...
Amazon has the 2017 13″ 3.1GHz/256GB Space Gray MacBook Pro on sale today for $121 off MSRP including free shipping: – 13″ 3.1GHz/256GB Space Gray MacBook Pro (MPXV2LL/A): $1678 $121 off MSRP Keep an... Read more
13″ MacBook Pros on sale for up to $120 off M...
B&H Photo has 2017 13″ MacBook Pros in stock today and on sale for up to $120 off MSRP, each including free shipping plus NY & NJ sales tax only: – 13-inch 2.3GHz/128GB Space Gray MacBook... Read more

Jobs Board

*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
Project Engineer, *Apple* Education Profess...
Project Engineer, Apple Education Professional Services Job Number: 113143353New York City, New York, United StatesPosted: Oct. 17, 2017Weekly Hours: 40.00 Job Read more
Commerce Software Engineer, *Apple* Media P...
Commerce Software Engineer, Apple Media Products Job Number: 113092072New York City, New York, United StatesPosted: Oct. 19, 2017Weekly Hours: 40.00 Job Summary With Read more
Engineering Manager, *Apple* Retail Enginee...
# Engineering Manager, Apple Retail Engineering Job Number: 58139948 Santa Clara Valley, California, United States Posted: 20-Oct-2017 Weekly Hours: 40.00 **Job Read more
*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.