filemaker.pro5

2000-05-17T00:00:00
ID PACKETSTORM:10037
Type packetstorm
Reporter Packet Storm
Modified 2000-05-17T00:00:00

Description

                                        
                                            `/*off topic: please in the list disable or add filter to your   
auto-reply*/  
  
from:http://www.blueworld.com/blueworld/news/05.01.00-FM5_Sec  
urity.html  
  
(.../...)  
The precise details of how to exploit   
these holes is minimized to prevent compromising the   
integrity of all current Internet-accessible FileMaker Pro 5   
databases and mail servers. However, details can be easily   
deduced by referencing the FileMaker Pro 5 documentation and   
by consulting the FileMaker XML Technology Overview white   
paper available via the FileMaker XML Central Web site.  
  
1. Anyone on the Internet can view   
all data in a FileMaker Pro 5 Web accessible database   
regardless of Web Database Security preferences set to deny   
such access.  
  
With FileMaker Pro 5 it is possible   
to return data in XML format based upon a request submitted   
by anyone on the Internet. The XML publishing capabilities of   
the FileMaker Pro 5 Web Companion cannot be disabled   
separately from the Web Companion. The XML publishing   
capabilities bypass certain crucial aspects of FileMaker Pro   
5 Web security allowing anyone on the Web to view any data   
within a FileMaker Pro 5 database.  
  
The hole allows anyone to view   
sensitive data contained within FileMaker Pro 5 databases   
such as credit card numbers, passwords, employee records, and   
trade secrets that are not intended for public access.  
  
2. Anyone on the Internet can use the   
Web Companion's email capabilities to retrieve all data   
contained in any FileMaker Pro 5 Web Companion enabled   
database regardless of Web Database Security preferences set   
to deny such access.  
  
FileMaker Pro 5 Web Companion new   
email capabilities include the ability to specify that any   
field in a database be used as the format for the body of the   
email message. This new functionality can be accessed through   
a request submitted by anyone on the Internet. The new email   
capabilities can be used to bypass certain crucial aspects of   
FileMaker Pro 5 Web security allowing anyone on the Web to   
send the contents of any database field via email to   
themselves or a third party.  
  
The hole makes it possible to access   
and rapidly distribute across the Internet sensitive   
information stored in FileMaker Pro 5 databases not intended   
for viewing by the general public.  
  
3. Anyone on the Internet can use Web   
Companion's email capabilities to send anonymous or   
impersonated email thereby compromising the integrity of any   
targeted mail server.  
  
The hole allows anyone to anonymously   
flood email accounts and mask or impersonate the true   
identity and source of the originating message making it   
virtually impossible to trace the origin of malicious   
activity.  
  
For example, anyone on the Web could   
access any organization's FileMaker Pro 5 powered Web site   
and submit a query that contains commands which instruct the   
Web Companion to send an email from the president of the   
organization instructing all employees not to show up to   
work. As the email would originate from the organization's   
own servers, it would be virtually impossible to trace the   
true location of the perpetrator.  
(.../...)  
solutions exist look at   
http://www.blueworld.com/blueworld/news/05.01.00-FM5_Security  
.html  
`