[FX.php List] The web password in FX

Gary Sprung gary at gnurps.com
Thu Jan 25 11:01:37 MST 2007


Ed,
I think that does answer my question. It shows how an attacker can  
get at the data without having access to the web directory. I don't  
think they could do more than what that privilege set allows and I  
definitely turn off delete for that account. But the intruder still  
could alter all the data because the web account has to do read/write  
to allow users to enter data via the web.

Also, the tip about DEBUG is great! Thanks.

GS

On Jan 25, 2007, at 8:18 AM, Edward L. Ford wrote:

> I always use a strong password because someone can try and attack  
> your database without access to the PHP files if they try different  
> passwords using a well-formed URL.  Try turning on the DEBUG  
> privilege in an FX page: you'll see a URL output to the top of your  
> page that looks something like:
>
> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>
> Using the right URL in a form like that above, you can view the XML  
> dump of a record set.  Modify that URL in the right way, and you  
> can edit, create, delete records -- the commands aren't hard to  
> find with Google.

--------
Gary Sprung
GNURPS Consulting

gary at gnurps.com
www.gnurps.com

Landline: 720-565-9933
Cell: 303-859-9331


