FileMaker Pro network protocol sends passwords to any client attempting to connect to a shared database.

From: Stephen White (swhite+fmbugat_private)
Date: Wed Apr 09 2003 - 11:03:36 PDT

    I recently discovered a serious bug in FileMaker Pro's database sharing.  
    FileMaker have just released an advisory about this on their security 
    pages:
    
    http://www.filemaker.com/support/security
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Subject: FileMaker Pro network protocol sends passwords to any client
    attempting to connect to a shared database.
    
    
    Date:        8 April 2003
    Author:      Stephen White <swhite+fmbugat_private>
    Application: FileMaker Pro, FileMaker Server
    Vendor:      FileMaker Inc. http://www.filemaker.com/
    Versions:    5.0, 5.5, 6.0.  All platforms.
                 verified on FileMaker Pro 5.0/Windows 2000,
                             FileMaker Pro 6.0/Windows 2000,
                             FileMaker Server 5.5/Linux.
    Bug:         Remotely obtain passwords - clients connecting via TCP/IP are sent
                 complete list of database passwords.
    Remote:      Yes.
    Local:       It is already known that local users can obtain database passwords,
                 e.g. software from http://www.lostpassword.com/filemaker.htm
    
    Overview
    - --------
    
    Vulnerable organisations: those using FileMaker Pro TCP/IP network sharing
    (including FileMaker Server).
    
    Impact: Having obtained a list of passwords for a given database, an attacker
    could use them to either read or modify the potentially sensitive data
    contained in the database.  If, against best practices, the same passwords are
    used elsewhere within the organisation, an attacker could use them as a basis
    for attacking other systems.
    
    Fix / Workaround
    - ----------------
    
    FileMaker were contacted about this issue on March 8, 2003.  FileMaker have
    stated that they intend to fix this issue for their next release; they have not
    stated when this next release will be.  They do not appear to intend to produce
    an update or fix for current releases.
    
    Solutions:
    
    * Disable 'multi user' or 'TCP/IP' access to FileMaker databases.
    * If sharing via FileMaker networking (peer-to-peer or client/server) is
      required, ensure that FileMaker Pro hosts and servers are only accessible
      to trusted intranet systems through an appropriate firewall setup.
      External access could be arranged by using VPN or TCP tunnelling software.
    * Share data using alternative means, such as web publishing with 'Web
      Companion' or Lasso, or other middleware or 3rd party plug-ins.  I have not
      tested these so am not in a position to provide specific recommendations.
    * Use alternative database software if these solutions do not address your
      requirements.
    
    Discussion
    - ----------
    
    FileMaker Pro communicates with servers or multi user databases shared via
    TCP/IP using a proprietary network protocol.  A full analysis of this protocol
    is not possible due to its proprietary nature; however, it appears that the
    server exploits the proprietary nature of the protocol by trusting the client
    to carry out tasks such as validating passwords.  In the course of the network
    communication the server will send the client the list of obscured passwords.
    The client will then prompt the user to enter a password, which is checked
    against this list before continuing - a classic example of 'Security by
    Obscurity'.
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE+kqj9OzpPCseeW2oRAg2HAJ0Znn4QIRAKUXVrzv54TlP8jFFqdgCgsprD
    xIm0UuRSFSZVVarmCeLBLzs=
    =aRI3
    -----END PGP SIGNATURE-----
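
The design flaw described in the Discussion, modelled next to a host that verifies passwords itself. This is an added example, not part of the original advisory and not FileMaker's wire protocol; the class names, the XOR "obscuring" and the sample passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os

XOR_KEY = 0x5A  # constructed stand-in for a reversible "obscuring" scheme

def obscure(pw: str) -> bytes:
    return bytes(b ^ XOR_KEY for b in pw.encode())

class ClientTrustingHost:
    """Flawed model: the host ships every obscured password and believes the client."""
    def __init__(self, passwords):
        self._obscured = [obscure(p) for p in passwords]

    def handshake(self):
        # Sent before any authentication, to whoever connects.
        return list(self._obscured)

    def open_database(self, client_claims_ok: bool) -> bool:
        # The host never sees the password; it accepts the client's verdict.
        return client_claims_ok

def client_side_check(obscured_list, entered: str) -> bool:
    """What an honest client does with the list it was handed."""
    return obscure(entered) in obscured_list

class VerifyingHost:
    """Hardened model: salted slow hashes stay on the host, and the host decides."""
    def __init__(self, passwords):
        self._records = []
        for p in passwords:
            salt = os.urandom(16)
            self._records.append((salt, self._kdf(p, salt)))

    @staticmethod
    def _kdf(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def handshake(self):
        return []  # nothing credential-derived leaves the host

    def open_database(self, password: str) -> bool:
        ok = False
        for salt, digest in self._records:
            # Constant-time compare; every record is checked, with no early exit.
            ok |= hmac.compare_digest(self._kdf(password, salt), digest)
        return ok
```

In the first model the access decision depends only on what the client reports, so the password list protects nothing once it has left the host; in the second the host needs no cooperation from the client to reach its decision.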
    