FileMaker Pro 5 Web Security Alert

Blue World Announces FileMaker Pro 5 Web Security Alert

May 1, 2000

Blue World Communications, Inc.--pioneers of the Web Data Engine(tm)--today
announced to customers, partners, vendors, Internet security regulators,
and the wider FileMaker Pro Web community that it has discovered at least
three serious security holes in the Web Companion provided in the FileMaker
Pro 5 product line. The security holes are a result of new XML and email
capabilities introduced in the FileMaker Pro 5 product line. The first
security hole permits anyone on the Internet to view all data contained in
any FileMaker Pro 5 Web Companion configured database made accessible on
the Internet, regardless of Web Database Security preferences set to deny
such access. The second security hole permits anyone on the Internet to use
the Web Companion's email capabilities to send email with data contained in
any FileMaker Pro 5 Web Companion enabled database, regardless of Web
Database Security preferences set to deny such access. The third security
hole permits anyone on the Internet to use FileMaker Pro 5 Web Companion to
send anonymous or impersonated email.

The problems affect all organizations with Web sites that utilize FileMaker
Pro 5 Web Companion. The email problems can affect any organization that
hosts a mail server. FileMaker, Inc. has been notified.

Security Holes

The precise details of how to exploit these holes are minimized here to
avoid compromising the integrity of all currently Internet-accessible
FileMaker Pro 5 databases and mail servers. However, the details can be
readily deduced by referencing the FileMaker Pro 5 documentation and by
consulting the FileMaker XML Technology Overview white paper available via
the FileMaker XML Central Web site.

1. Anyone on the Internet can view all data in a FileMaker Pro 5 Web
accessible database regardless of Web Database Security preferences set to
deny such access.

With FileMaker Pro 5 it is possible to return data in XML format based upon
a request submitted by anyone on the Internet. The XML publishing
capabilities of the FileMaker Pro 5 Web Companion cannot be disabled
separately from the Web Companion. The XML publishing capabilities bypass
certain crucial aspects of FileMaker Pro 5 Web security allowing anyone on
the Web to view any data within a FileMaker Pro 5 database.

The hole allows anyone to view sensitive data contained within FileMaker
Pro 5 databases such as credit card numbers, passwords, employee records,
and trade secrets that are not intended for public access.

2. Anyone on the Internet can use the Web Companion's email capabilities to
retrieve all data contained in any FileMaker Pro 5 Web Companion enabled
database regardless of Web Database Security preferences set to deny such
access.

The FileMaker Pro 5 Web Companion's new email capabilities include the
ability to specify that any field in a database be used as the format for
the body of the email message. This new functionality can be accessed
through a request submitted by anyone on the Internet. The new email
capabilities can be used to bypass certain crucial aspects of FileMaker Pro
5 Web security, allowing anyone on the Web to send the contents of any
database field via email to themselves or a third party.

The hole makes it possible to access and rapidly distribute across the
Internet sensitive information stored in FileMaker Pro 5 databases not
intended for viewing by the general public.

3. Anyone on the Internet can use Web Companion's email capabilities to
send anonymous or impersonated email thereby compromising the integrity of
any targeted mail server.

The hole allows anyone to anonymously flood email accounts and mask or
impersonate the true identity and source of the originating message making
it virtually impossible to trace the origin of malicious activity.

For example, anyone on the Web could access any organization's FileMaker
Pro 5 powered Web site and submit a query that contains commands which
instruct the Web Companion to send an email from the president of the
organization instructing all employees not to show up to work. As the email
would originate from the organization's own servers, it would be virtually
impossible to trace the true location of the perpetrator.

Solutions

There are four potential solutions to close the security holes. The first
three require disabling portions of FileMaker Pro's built-in Web Companion
or downgrading to a previous and safer version of FileMaker Pro. The final
solution entails using a third party product, such as Lasso Web Data
Engine, to protect FileMaker Pro 5 databases on the Web.

A. Disable the FileMaker Pro Web Companion. This disables the automatic XML
Publishing and email capabilities of FileMaker Pro 5.

B. Don't use FileMaker Pro 5. Earlier versions of FileMaker Pro Web
Companion do not contain these security flaws.

C. Use FileMaker Pro access privileges rather than the Web Security
Database. (Note: This only addresses the first two security issues reported
here.) While FileMaker Pro access privileges seemingly offer a solution to
this problem, they do not provide certain important additional features
otherwise provided in the Web Security Database. As such, it is not a
viable option for Web developers who require specific Web-related security
features.

D. Use Lasso Web Data Engine as a secure proxy to FileMaker Pro 5 Web
Companion. Configure FileMaker Pro Web Companion to limit access to the IP
address of the machine on which Lasso is installed. You can then safely use
Lasso security to protect your FileMaker Pro 5 databases.
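The common thread in all three holes is that the Web Security Database is consulted on the original HTML publishing path but not on the newer XML and email paths, so those paths see unfiltered records and a request-supplied sender. The following is an added illustration, not FileMaker's or Blue World's code: a small model of that authorization gap beside a hardened gateway that authorizes once, before any format or action is dispatched, and that admits requests only from the proxy host (solution D). Every database, field, address and host name in it is constructed for the example.

```python
"""Added example (not FileMaker's or Blue World's code): a model of the
authorization gap this alert describes, beside a hardened gateway that applies
the same checks regardless of output format or action. All names, addresses and
records below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample database and Web Security Database preferences.
DATABASE = {
    "employees": [
        {"name": "A. Example", "title": "Analyst", "salary": "55000"},
        {"name": "B. Sample", "title": "Manager", "salary": "91000"},
    ],
}
# Fields the (constructed) security preferences allow the Web to see.
WEB_SECURITY_DB = {"employees": {"viewable": {"name", "title"}}}

# Hosts allowed to reach the Web Companion at all (solution D: the proxy only).
ALLOWED_PROXIES = {ip_address("10.0.0.5")}
# Sender fixed by configuration, never taken from the request (issue 3).
FIXED_SENDER = "webmaster@example.invalid"


@dataclass
class Request:
    client_ip: str
    db: str
    fmt: str = "html"        # "html" or "xml"
    action: str = "find"     # "find" or "email"
    mail_to: str = ""
    mail_from: str = ""      # request-controlled in the flawed model


def project(db: str, records: list) -> list:
    """Keep only the fields the security preferences mark viewable."""
    allowed = WEB_SECURITY_DB[db]["viewable"]
    return [{k: v for k, v in r.items() if k in allowed} for r in records]


def flawed_handler(req: Request):
    """Models the flaw: the security preferences are consulted only on the
    original HTML path; the newer XML and email paths read the raw records."""
    records = DATABASE[req.db]
    if req.action == "email":
        # Body built from unfiltered fields, sender copied from the request.
        return {"from": req.mail_from, "to": req.mail_to, "body": records}
    if req.fmt == "html":
        return project(req.db, records)
    return records   # XML path: every field, whatever the preferences say


def hardened_handler(req: Request):
    """Authorize once, up front, then dispatch; every path sees filtered data."""
    if ip_address(req.client_ip) not in ALLOWED_PROXIES:
        raise PermissionError("source is not an authorized proxy host")
    # Same projection for every output format and for email bodies.
    records = project(req.db, DATABASE[req.db])
    if req.action == "email":
        if not req.mail_to:
            raise ValueError("recipient required")
        # Sender and body are constrained by configuration, not the request.
        return {"from": FIXED_SENDER, "to": req.mail_to, "body": records}
    return records


def demo() -> dict:
    """Compare both handlers on the same XML request from an arbitrary host."""
    xml_from_anywhere = Request("203.0.113.9", "employees", fmt="xml")
    leaked = flawed_handler(xml_from_anywhere)
    try:
        hardened_handler(xml_from_anywhere)
        blocked = False
    except PermissionError:
        blocked = True
    via_proxy = hardened_handler(Request("10.0.0.5", "employees", fmt="xml"))
    return {
        "flawed_leaks_salary": "salary" in leaked[0],
        "hardened_blocks_unknown_host": blocked,
        "hardened_xml_hides_salary": "salary" not in via_proxy[0],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the check sits: in `flawed_handler` the filter is a property of one output path, so each new path (XML, email) ships without it; in `hardened_handler` the filter runs before dispatch, the sender is a configuration constant, and the source-address allowlist means only the proxy can reach the handler at all, which is what configuring Web Companion to accept only Lasso's IP address achieves.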

Blue World Policy on Security Alerts

Blue World notifies customers, partners, and vendors as quickly as possible
regarding any problems pertaining to the secure use of Blue World products
either as they exist unto themselves or when used in combination with other
products. Blue World strives to deliver appropriate information so the
seriousness of any security related problem is clearly understood and
widely known in an effort to best serve all those potentially affected by
security issues. As appropriate, Blue World will limit the amount of
detailed information revealed so as to not potentially compromise the
integrity of currently deployed and publicly accessible solutions based
upon any vendors' products, including those vendors' products which
directly compromise the security of any solution built using Blue World
products.

Additional Information

Additional information is not available from Blue World. FileMaker, Inc.
can be contacted via contacts listed on the FileMaker, Inc. Web site at
http://www.filemaker.com. Interested parties who wish to discover how the
FileMaker Pro community reacts to this issue are cordially invited to join
the Blue World FileMaker Pro Talk email discussion forum, details provided
at http://www.blueworld.com/blueworld/lists/filemaker.html. An archive
containing all posts to FileMaker Pro Talk may be found at
http://listsearch.blueworld.com/fmprotalksearch.lasso.

About Blue World

Blue World Communications, Inc. (http://www.blueworld.com) delivers
cross-platform software tools allowing Web developers and designers to
quickly build and deploy powerful data-driven Web applications. Blue World
provides Lasso Web Data Engine, Lasso Studio for Dreamweaver, Blue World
Store and Blue World ListSearch service in fulfillment of its mission to
bring business to the Internet.

All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.