Also, with Filemaker 4.0, databases can be read/written to via http on port 80 if you enable this feature. The problem is, that any user can add this "feature" to a particular database, thus creating a mini-web server on whatever machine happens to have the database open. We have not tested the vulnerabilities with this configuration, nor do we care to. As previously stated, none of these are bugs, just poor software security design. Maybe some motivated individual wants to test it. We use Filemaker in a limited fashion here. We are trying our best to move away from it entirely, as we feel that its structure and "features" put the PC using the database at risk. Frank At 10:42 AM 5/29/98 +1000, Robert Moss wrote: >>> While doing some work from home I decided to see if I could open >>> the database in my office without pc-anywhere using Filemaker Pro...I >>> knew it ran over networks via tcp/ip,so I wanted to try over the >>> net...it worked,but I was awed that it allowed me to access the >>> databases without anytype of password or login prompt.....I thought >>> maybe I had set it up when I had installed FileMaker on my >>> system....so I installed it on my other workstation...and only set it >>> up to do tcp/ip and then dialed-up and logged right in again....no >>> pass..no login....dont know if anyone has seen this or posted this >>> before...but I havent been able to find anything out about it so >>> far...so I assume this is new.....anyway you need the IP of the target >>> machine which is gotten easily enough by scanning through domains for >>> services on port 5003 ( this seems to be its port ) and simply opening >>> your local copy of FM and then import thier data or whatever....Ive >>> sent what I found to the makers of FileMaker...maybe they know about >>> it...but since playing with this I have noticed a lot of machines >>> running this program and connected to the net..... > >FileMaker Pro (versions 3 and 4) do allow access via TCP/IP (and IPX/SPX), >port 5003 i believe is UDP, not TCP. > >The Database files themselves can have passwords set on them, if you could >open the files without the password, then the database files didn't have >passwords enabled. > >Also, you can hide database files (if running the FileMaker Pro server) by >renaming the database files with an _ (underscore) character before the . >(period), ie: filename_.fp3 > >I wouldn't call this a bug or security breach, the Database administrator >simply didn't set passwords on their database files. Would you let a >stranger off the street into your office to poke around your database? > >FileMaker Pro's password structure seems a little weak, once you have one >of the Dabase files, and have access to a Macintosh, you can crack the >password, using Jackal's "FileMaker Pro Password Viewer" for Macintosh (I >haven't seen the same program for PC yet). But, some security is better >than no security. > > >Hope this helps, >Robert Moss. > http://www.locked.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:30 PDT