File Security


New security updates



Stay informed, be notified

The security of our customers' data is a top priority for FileMaker. Keep up with the latest security information concerning FileMaker products by subscribing to FileMaker Security News. Subscribe now.

Updated information about security considerations will also be published here as it becomes available. If you prefer not to subscribe to FileMaker Security News, please bookmark this page and visit often.

Security updates


Overview Created / revised

Security article: Remotely exploitable vulnerability when using Web Publishing allows ability to view files on hosting system

FileMaker Knowledge Base answer

Problem summary: There is a remotely exploitable vulnerability for customers using web publishing that makes it possible for malicious users to view files on the hosting system.

Who should read this article: Customers who are using the web publishing feature in FileMaker to share hosted FileMaker databases.

Affected products:

  • FileMaker Pro 6.0 or earlier
  • FileMaker Developer 6 or earlier
  • FileMaker Pro 6.0 Unlimited or earlier

Affected platforms:

  • Windows
  • Mac OS X

Impact: This affects any system that uses FileMaker's web publishing. A malicious user can form a request that allows them to view other files on the hosting system.

Update available: FileMaker Pro Web Companion 6.0v3 update addresses the above issue. Download update.

Read the complete answer

Created:
March 22, 2004

Security guide: Upgrading to FileMaker 7: How to employ the new, advanced Security system

Who should read this guide: Customers who share hosted databases

Affected products: FileMaker Pro 7, FileMaker Developer 7, FileMaker Server 7 (scheduled to be available summer 2004)

Download the technical brief (PDF)

Created:
March 9, 2004

White paper: FileMaker 7 Security

Who should read this guide: Security experts, IT staff, and developers

Affected products: FileMaker Pro 7, FileMaker Developer 7, FileMaker Server 7, and FileMaker Server 7 Advanced (FileMaker Server 7 and FileMaker Server 7 Advanced are scheduled to be available summer 2004)

Download the white paper (PDF)

Created:
March 9, 2004

Security article: Security considerations when sharing hosted databases

FileMaker Knowledge Base Answer

Problem summary:

FileMaker hosts send database passwords in an obscured format to FileMaker Pro clients during password verification. The client software validates the user-entered password before allowing access to the database. This could create an opportunity for an attacker to obtain and use passwords.

Who should read this article: Customers who are sharing hosted FileMaker databases.

Affected products: FileMaker Pro 6.0 or earlier, FileMaker Pro 6.0 Unlimited or earlier, FileMaker Server 5.5 or earlier

Read the complete answer

Created:
April 9, 2003

Security article: Internet search engines and web publishing

FileMaker Knowledge Base Answer

Problem summary:

You may have read about Internet search engines' ability to identify computers publishing a FileMaker database over the web. This is not unique to FileMaker, and should not concern FileMaker customers if appropriate security guidelines are correctly followed.

Read the complete answer

Created:
March 7, 2003

Security article: Considerations for sensitive information when importing XML data

FileMaker Knowledge Base Answer

Problem summary:

  1. An HTTP request to import XML data may expose sensitive information on the Internet. HTTP does not support encryption, and FileMaker Pro does not support HTTPS, which provides encryption for data exchange over HTTP. Sensitive information such as user name, password, and other parameters in the URL that allow access to a secured data source, as well as the data that is returned from the HTTP source, may be viewed by others.
  2. FileMaker Pro saves the options specified for the Import Records command. The URL for an HTTP request will be saved after an HTTP XML import request, and may be visible to end users in the import progress dialog.

Who should read this article: FileMaker Pro users importing XML data or developing solutions to import XML data.

Affected products: FileMaker Pro 6 and FileMaker Pro 6 Unlimited (6.0v1, 6.0v2, 6.0v3)
FileMaker Developer 6 (6.0v1, 6.0v3)

Update available:

  1. HTTPS and encryption are not supported for XML import - see the workaround for HTTP described below.
  2. The FileMaker Pro 6.0v4 Updater addresses the exposure of sensitive information in the progress dialog. The progress dialog displayed during a time-consuming XML import no longer displays the HTTP request URL. Download update.
    An Updater to address this problem in FileMaker Developer 6 is not currently available.

Read the complete answer

Created:
February 10, 2003

Security article: Correction to FileMaker Pro 6 "Web Security.PDF" regarding creating secure passwords

FileMaker Knowledge Base Answer

Problem summary:

This document, which replaces previous versions of the "Web Publishing Security Guidelines," includes updates in Chapter 2 concerning tips for creating secure passwords. When FileMaker Pro databases are used individually, shared on a peer-to-peer basis, or shared using FileMaker Server, FileMaker Pro security consists of passwords and access privileges. Passwords protect access to your databases, and the access privileges associated with those passwords determine your guests' ability to create, edit, delete, or export records, design layouts, and so forth. This is a security model that is both simple and powerful.

Who should read this article: Customers publishing databases to the Web with FileMaker.

Affected products: FileMaker Pro 6 and FileMaker Pro 6 Unlimited.

Update available: Download the corrected FileMaker Pro 6 document "WebSecurity.PDF" from the FileMaker website.

A separate TechInfo article containing only the new password information that has been added to "Web Publishing Security Guidelines" is also available. Read "Tips for Creating Secure Passwords."

Read the complete answer

Created:
December 11, 2002

Security article: FileMaker Pro 5.5 database files should be removed from the Web Companion web folder

FileMaker Knowledge Base Answer

Problem summary:

FileMaker Pro database files stored in the "web" folder (or subfolders) can be downloaded by end user browsers using HTTP requests, regardless of the settings in the Remote Administration options of the Web Companion Configuration, including "Requires password".

Who should read this article: Customers publishing databases to the web with Web Companion in the FileMaker Pro 5.5 and FileMaker Pro 5.5 Unlimited products.

Affected products: Web Companion 5.5 v2 and v3, with FileMaker Pro 5.5 or FileMaker Pro 5.5 Unlimited.

Does not affect the Web Companion in FileMaker Pro 5.0, 4.1 or 4.0.

Update available: FileMaker Pro Web Companion 5.5 v4 update addresses the issue. All supported language versions are now available. Download update.

Read the complete answer

Created:
May 7, 2002

Revised:
May 13, 2002



Web Publishing Security Guidelines for FileMaker Pro 6 and FileMaker Pro 6 Unlimited

The security of our customers’ data is a top priority for FileMaker. To help you make your databases more secure, we have updated security guidelines for publishing FileMaker databases on the web.

It is very important to follow these web publishing guidelines, and other best practices for Internet security, to avoid inappropriately exposing data.

If you are publishing, or planning to publish, FileMaker databases on the web, be sure to review and implement the guidelines described in "Web Publishing Security Guidelines for FileMaker Pro 6 and FileMaker Pro 6 Unlimited" (please also read the related FAQ document). This document is the most current version of the "Web Security" PDF file for both FileMaker Pro 6 and FileMaker Pro 6 Unlimited. These web publishing security guidelines also provide information of interest to all users of FileMaker Pro, FileMaker Pro Unlimited and FileMaker Developer (6, 5.5 or earlier) who are publishing databases to the web.

For the protection of our customers, FileMaker does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary workarounds, patches or releases are available. FileMaker usually distributes information about security issues in its products through this site and the FileMaker Security News mailing list.