FileMaker Pro 5 Web Security Alert
TweetFollow Us on Twitter

FileMaker Pro 5 Web Security Alert

Blue World Announces FileMaker Pro 5 Web Security Alert

May 1, 2000

Blue World Communications, Inc.--pioneers of the Web Data Engine(tm)--today
announced to customers, partners, vendors, Internet security regulators,
and the wider FileMaker Pro Web community that it has discovered at least
three serious security holes in the Web Companion provided in the FileMaker
Pro 5 product line. The security holes are a result of new XML and email
capabilities introduced in the FileMaker Pro 5 product line. The first
security hole permits anyone on the Internet to view all data contained in
any FileMaker Pro 5 Web Companion configured database made accessible on
the Internet, regardless of Web Database Security preferences set to deny
such access. The second security hole permits anyone on the Internet to use
the Web Companion's email capabilities to send email with data contained in
any FileMaker Pro 5 Web Companion enabled database, regardless of Web
Database Security preferences set to deny such access. The third security
hole permits anyone on the Internet to use FileMaker Pro 5 Web Companion to
send anonymous or impersonated email.

The problems affect all organizations with Web sites that utilize FileMaker
Pro 5 Web Companion. The email problems can affect any organization that
hosts a mail server. FileMaker, Inc. has been notified.

Security Holes

The precise details of how to exploit these holes is minimized to prevent
compromising the integrity of all current Internet-accessible FileMaker Pro
5 databases and mail servers. However, details can be easily deduced by
referencing the FileMaker Pro 5 documentation and by consulting the
FileMaker XML Technology Overview white paper available via the FileMaker
XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web
accessible database regardless of Web Database Security preferences set to
deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon
a request submitted by anyone on the Internet. The XML publishing
capabilities of the FileMaker Pro 5 Web Companion cannot be disabled
separately from the Web Companion. The XML publishing capabilities bypass
certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on
the Web to view any data within a FileMaker Pro 5 database.

The hole allows anyone to view sensitive data contained within FileMaker
Pro 5 databases such as credit card numbers, passwords, employee records,
and trade secrets that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to
retrieve all data contained in any FileMaker Pro 5 Web Companion enabled
database regardless of Web Database Security preferences set to deny such
access.

FileMaker Pro 5 Web Companion new email capabilities include the ability to
specify that any field in a database be used as the format for the body of
the email message. This new functionality can be accessed through a request
submitted by anyone on the Internet. The new email capabilities can be used
to bypass certain crucial aspects of FileMaker Pro 5 Web security allowing
anyone on the Web to send the contents of any database field via email to
themselves or a third party.

The hole makes it possible to access and rapidly distribute across the
Internet sensitive information stored in FileMaker Pro 5 databases not
intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to
send anonymous or impersonated email thereby compromising the integrity of
any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or
impersonate the true identity and source of the originating message making
it virtually impossible to trace the origin of malicious activity.

For example, anyone on the Web could access any organization's FileMaker
Pro 5 powered Web site and submit a query that contains commands which
instruct the Web Companion to send an email from the president of the
organization instructing all employees not to show up to work. As the email
would originate from the organization's own servers, it would be virtually
impossible to trace the true location of the perpetrator.

Solutions

There are four potential solutions to close the security holes. The first
three require disabling portions of FileMaker Pro's built-in Web Companion
or downgrading to a previous and safer version of FileMaker Pro. The final
solution entails using a third party product, such as Lasso Web Data
Engine, to protect FileMaker Pro 5 databases on the Web.

A. Disable the FileMaker Pro Web Companion. This disables the automatic XML
Publishing and email capabilities of FileMaker Pro 5.

B. Don't use FileMaker Pro 5. Earlier versions of FileMaker Pro Web
Companion do not contain these security flaws.

C. Use FileMaker Pro access privileges rather than the Web Security
Database. (Note: This only addresses the first two security issues reported
here.) While FileMaker Pro access privileges seemingly offer a solution to
this problem, they do not provide certain important additional features
otherwise provided in the Web Security Database. As such, it is not a
viable option for Web developers who require specific Web-related security
features.

D. Use Lasso Web Data Engine as a secure proxy to FileMaker Pro 5 Web
Companion. Configure FileMaker Pro Web Companion to limit access to the IP
address of the machine on which Lasso is installed. You can then safely use
Lasso security to protect your FileMaker Pro 5 databases.

Blue World Policy on Security Alerts

Blue World notifies customers, partners, and vendors as quickly as possible
regarding any problems pertaining to the secure use of Blue World products
either as they exist unto themselves or when used in combination with other
products. Blue World strives to deliver appropriate information so the
seriousness of any security related problem is clearly understood and
widely known in an effort to best serve all those potentially affected by
security issues. As appropriate, Blue World will limit the amount of
detailed information revealed so as to not potentially compromise the
integrity of currently deployed and publicly accessible solutions based
upon any vendors' products, including those vendors' products which
directly compromise the security of any solution built using Blue World
products.

Additional Information

Additional information is not available from Blue World. FileMaker, Inc.
can be contacted via contacts listed on the FileMaker, Inc. Web site at
http://www.filemaker.com. Interested parties who wish to discover how the
FileMaker Pro community reacts to this issue are cordially invited to join
the Blue World FileMaker Pro Talk email discussion forum, details provided
at http://www.blueworld.com/blueworld/lists/filemaker.html. An archive
containing all posts to FileMaker Pro Talk may be found at
http://listsearch.blueworld.com/fmprotalksearch.lasso.

About Blue World

Blue World Communications, Inc. (http://www.blueworld.com) delivers
cross-platform software tools allowing Web developers and designers to
quickly build and deploy powerful data-driven Web applications. Blue World
provides Lasso Web Data Engine, Lasso Studio for Dreamweaver, Blue World
Store and Blue World ListSearch service in fulfillment of its mission to
bring business to the Internet.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Ableton Live 9.7.1 - Record music using...
Ableton Live lets you create and record music on your Mac. Use digital instruments, pre-recorded sounds, and sampled loops to arrange, produce, and perform your music like never before. Ableton Live... Read more
FileZilla 3.23.0.2 - Fast and reliable F...
FileZilla (ported from Windows) is a fast and reliable FTP client and server with lots of useful features and an intuitive interface. Version 3.23.0.2: Bug Fixes and Minor Changes Speed up icon... Read more
Vivaldi 1.5.658.56 - An advanced browser...
Vivaldi is a browser for our friends. In 1994, two programmers started working on a web browser. Our idea was to make a really fast browser, capable of running on limited hardware, keeping in mind... Read more
Safari Technology Preview 10.1 - The new...
Safari Technology Preview contains the most recent additions and improvements to WebKit and the latest advances in Safari web technologies. And once installed, you will receive notifications of... Read more
TunnelBear 3.0.8 - Subscription-based pr...
TunnelBear is a subscription-based virtual private network (VPN) service and companion app, enabling you to browse the internet privately and securely. Features Browse privately - Secure your data... Read more
NeoFinder 7.0 - Catalog your external me...
NeoFinder (formerly CDFinder) rapidly organizes your data, either on external or internal disks, or any other volumes. It catalogs all your data, so you stay in control of your data archive or disk... Read more
Coda 2.6 - One-window Web development su...
Coda is a powerful Web editor that puts everything in one place. An editor. Terminal. CSS. Files. With Coda 2, we went beyond expectations. With loads of new, much-requested features, a few surprises... Read more
File Juicer 4.51 - Extract images, video...
File Juicer is a drag-and-drop can opener and data archaeologist. Its specialty is to find and extract images, video, audio, or text from files which are hard to open in other ways. In computer... Read more
PDFpenPro 8.3 - $124.95
PDFpenPro allows users to edit PDF's easily. Add text, images and signatures. Fill out PDF forms. Merge or split PDF documents. Reorder and delete pages. Create fillable forms and tables of content... Read more
PDFpen 8.3 - $74.95
PDFpen allows users to easily edit PDF's. Add text, images and signatures. Fill out PDF forms. Merge or split PDF documents. Reorder and delete pages. Even correct text and edit graphics! Features... Read more

Latest Forum Discussions

See All

Clash of Clans is getting its own animat...
Riding on its unending wave of fame and success, Clash of Clans is getting an animated web series based on its Clash-A-Rama animated shorts.As opposed to the current shorts' 60 second run time, the new and improved Clash-A-Rama will be comprised of... | Read more »
Leaks hint at Pokémon GO and Starbucks C...
Leaked images from a hub for Starbucks employees suggests that a big Pokémon GO event with the coffee giant could begin this very week. The images appeared on Reddit and hint at some exciting new things to come for Niantic's smash hit game. | Read more »
Silent Depth Submarine Simulation (Game...
Silent Depth Submarine Simulation 1.0 Device: iOS Universal Category: Games Price: $7.99, Version: 1.0 (iTunes) Description: | Read more »
Enneas Saga lets you lead your own demon...
Defend the land of Enneas Continent from the forces of evil in the new fantasy MMORPG from Lyto Mobi: Enneas Saga. Can’t wait? No problem. It’s available to download now on Android devices. | Read more »
Great zombie games in the spirit of Dead...
Dead Rising 4 arrives tomorrow, giving enthusiasts a fresh chance to take selfies with zombies and get up to other ridiculous end-of-the-world shenanigans. To really get into the spirit of things, we've gone and gathered the best zombie games that... | Read more »
Amateur Surgeon 4 Guide: Advanced tips a...
Amateur Surgeon 4 is still tackling the competition at the top of the App Store charts, so if you haven't tried it out yet, you should probably do that right away. If you've been at it for a while, though, perhaps you're ready to start expanding... | Read more »
Amateur Surgeon 4 Guide: Become the worl...
It's time to wield your trusty pizza cutter again, as Amateur Surgeon has returned with a whole fresh set of challenges (and some old, familiar ones, too). Starting anew isn't easy, especially when all you have at your disposal is a lighter, the... | Read more »
Le Parker: Sous Chef Extraordinaire (Ga...
Le Parker: Sous Chef Extraordinaire 1.0 Device: iOS Universal Category: Games Price: $2.99, Version: 1.0 (iTunes) Description: | Read more »
Telltale Games really is working on a Gu...
Telltale Games' next episodic adventure is indeed Guardians of the Galaxy. A document tied to the voice actors strike suggested that the project was in the work, but now we have direct confirmation following an announcement at the Game Awards that... | Read more »
Amateur Surgeon returns to iOS and Andro...
Amateur Surgeon and its two sequels disappeared from the App Store some time and it was sad days for all. But now, just in time for the holidays, the Adult Swim favorite makes its joyous return in the shape of Amateur Surgeon 4, a remake with... | Read more »

Price Scanner via MacPrices.net

Twenty-Five Years Of Apple Laptops – A person...
Among many other things, the often tumultuous 16th year of the new century marked the 25th anniversary of Apple laptop computers, not counting the optimistically named 16-pound Mac Portable of 1989.... Read more
Landlordy iOS App Adds Support For Appliances...
Riga, Latvia based E-protect SIA is releasing major update (version 1.8) to its Landlordy app for managing rental business financials on the go. Landlordy is iPhone and iPad app designed for self-... Read more
Holiday sale, Apple iMacs for up to $200 off...
B&H Photo has 21″ and 27″ Apple iMacs on sale for up to $200 off MSRP including free shipping plus NY sales tax only: - 27″ 3.3GHz iMac 5K: $2099 $200 off MSRP - 27″ 3.2GHz/1TB Fusion iMac 5K: $... Read more
Holiday sale: Mac minis for $50 to $100 off M...
B&H Photo has Mac minis on sale for up to $100 off MSRP free shipping plus NY sales tax only: - 1.4GHz Mac mini: $449 $50 off MSRP - 2.6GHz Mac mini: $629 $70 off MSRP - 2.8GHz Mac mini: $899 $... Read more
Mac Pros on sale for up to $300 off MSRP, ref...
B&H Photo has Mac Pros on sale for up to $300 off MSRP. Shipping is free, and B&H charges sales tax in NY only: - 3.7GHz 4-core Mac Pro: $2799, $200 off MSRP - 3.5GHz 6-core Mac Pro: $3699, $... Read more
12-inch WiFi Apple iPad Pros on sale for up t...
B&H Photo has 12″ WiFi Apple iPad Pros on sale for up to $50 off MSRP, each including free shipping. B&H charges sales tax in NY only: - 12″ Space Gray 32GB WiFi iPad Pro: $749 $50 off MSRP... Read more
9-inch Apple WiFi iPad Pros on sale for $20-$...
B&H Photo has 9.7″ Apple WiFi iPad Pros on sale for $20-$50 off MSRP, each including free shipping. B&H charges sales tax in NY only: - 9″ Space Gray 256GB WiFi iPad Pro: $779.95 $20 off MSRP... Read more
Apple refurbished 2015 15-inch MacBook Pros a...
Apple has Certified Refurbished 2015 15″ Retina MacBook Pros available starting at $1699. An Apple one-year warranty is included with each model, and shipping is free: - 15″ 2.2GHz Retina MacBook Pro... Read more
Back in stock! 13-inch 2.7GHz Retina MacBook...
Apple has Apple Certified Refurbished 2015 13″ 2.7GHz/128GB Retina MacBook Pros (MF839LL/A) available again for $1099 including free shipping. That’s $200 off MSRP, and it’s the lowest price... Read more
Slate Tablet Market Share to Fall Below 75% i...
After two years of decline, the tablet market is showing signs of new life as productivity trumps entertainment, and tablets become cost-effective computing devices for both entertainment and... Read more

Jobs Board

*Apple* Retail - Multiple Positions- Philade...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
*Apple* Retail - Multiple Positions- San Ant...
Job Description:SalesSpecialist - Retail Customer Service and SalesTransform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
*Apple* Products Tester Needed - Apple (Unit...
…we therefore look forward to put out products to quality test for durability. Apple leads the digital music revolution with its iPods and iTunes online store, Read more
SW Engineer *Apple* TV Frameworks - Apple I...
The Apple TV team is looking for a software...create features that reflect the look and feel of Apple TV. Description: Were looking for someone who is Read more
Hardware Design Validation Engineer - *Apple...
The Apple Watch team is looking for a Hardware Design Validation Engineer. This person will be part of the Apple Watch hardware team with responsibilities for Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.