Home page logo

bugtraq logo Bugtraq mailing list archives

Re: FileMaker Door
From: RBLevin () HOME COM (RBL)
Date: Sat, 30 May 1998 18:53:23 -0400

With FMP4's Web Companion (essentially a database Web server), I've
discovered at least one vulnerability which can be exploited.  If (1) the
remote user knows the name of the databases, or (2) uses a brute force
attack to divine the name, and (3) the database is stored in FMP4's default
"Web" folder, access to the database will be granted.

Standard FMP4 security will apply.  If the developer has not applied FMP4's
intrinsic database security, full access to the database will be granted.

The solution is to rename the Web folder to something other than "Web."


At 04:12 PM 5/29/98 , you wrote:
Also, with Filemaker 4.0,  databases can be read/written to via http on
port 80 if you enable this feature. The problem is, that any user can add
this "feature" to a particular database,  thus creating a mini-web server
on whatever machine happens to have the database open. We have not tested
the vulnerabilities with this configuration, nor do we care to. As
previously stated, none of these are bugs, just poor software security
design. Maybe some motivated individual wants to test it.  We use Filemaker
in a limited fashion here. We are trying our best to move away from it
entirely, as we feel that its structure and "features" put the PC using the
database at risk.


At 10:42 AM 5/29/98 +1000, Robert Moss wrote:
     While doing some work from home I decided to see if I could open
the database in my office without pc-anywhere using Filemaker Pro...I
knew it ran over networks via tcp/ip,so I wanted to try over the
net...it worked,but I was awed that it allowed me to access the
databases without anytype of password or login prompt.....I thought
maybe I had set it up when I had installed FileMaker on my
system....so I installed it on my other workstation...and only set it
up to do tcp/ip and then dialed-up and logged right in again....no
pass..no login....dont know if anyone has seen this or posted this
before...but I havent been able to find anything out about it so
far...so I assume this is new.....anyway you need the IP of the target
machine which is gotten easily enough by scanning through domains for
services on port 5003 ( this seems to be its port ) and simply opening
your local copy of FM and then import thier data or whatever....Ive
sent what I found to the makers of FileMaker...maybe they know about
it...but since playing with this I have noticed a lot of machines
running this program and connected to the net.....

FileMaker Pro (versions 3 and 4) do allow access via TCP/IP (and IPX/SPX),
port 5003 i believe is UDP, not TCP.

The Database files themselves can have passwords set on them, if you could
open the files without the password, then the database files didn't have
passwords enabled.

Also, you can hide database files (if running the FileMaker Pro server) by
renaming the database files with an _ (underscore) character before the .
(period), ie: filename_.fp3

I wouldn't call this a bug or security breach, the Database administrator
simply didn't set passwords on their database files.  Would you let a
stranger off the street into your office to poke around your database?

FileMaker Pro's password structure seems a little weak, once you have one
of the Dabase files, and have access to a Macintosh, you can crack the
password, using Jackal's "FileMaker Pro Password Viewer" for Macintosh (I
haven't seen the same program for PC yet).  But, some security is better
than no security.

Hope this helps,
Robert Moss.



"It's much easier to apologize than to get permission." - RADM Grace
Hopper, co-inventor of the COBOL programming language, pioneer computer
programmer, and the woman who coined the word "bug" to describe a software

Home page at http://www.ComputerTalk.net

  By Date           By Thread  

Current thread:
  • Re: FileMaker Door RBL (May 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]