[FX.php List] The web password in FX

Andrew Denman adenman at tmea.org
Thu Jan 25 11:19:53 MST 2007


Gary,
 
This is an issue I've seen several people on the net complain about, but
I've never seen anyone provide a good explanation on how to really "fix" it.
The problem is everyone has their database passwords in plain text in their
code files, so all a black hat has to do is get into your files and they
have free rein of your database.
 
The solution is to encrypt your passwords, put the encrypted text in your
code files, and then decrypt them right before connecting to the database.
I've searched for help on doing this in the past and there hasn't been much
out there.  The hard part (especially on hosted websites) is implementing
this in a way that isn't just a smokescreen.
 
I gave up on my past efforts, so I unfortunately don't have any direction to
point you towards other than what's written above.  If you do find something
that works please pass it on.
 
Andrew Denman 
  _____  

From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Gary Sprung
Sent: Thursday, January 25, 2007 12:02 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] The web password in FX
 
Ed,
I think that does answer my question. It shows how an attacker can get at
the data without having access to the web directory. I don't think they
could do more than what that privilege set allows and I definitely turn off
delete for that account. But the intruder still could alter all the data
because the web account has to do read/write to allow users to enter data
via the web.
 
Also, the tip about DEBUG is great! Thanks.
 
GS
 
On Jan 25, 2007, at 8:18 AM, Edward L. Ford wrote:



I always use a strong password because someone can try and attack your
database without access to the PHP files if they try different passwords
using a well-formed URL. Try turning on the DEBUG privilege in an FX page:
you'll see a URL output to the top of your page that looks something like:
 
 
http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
 
Using the right URL in a form like that above, you can view the XML dump of
a record set. Modify that URL in the right way, and you can edit, create,
delete records -- the commands aren't hard to find with Google.
 
-------- 
Gary Sprung
GNURPS Consulting
 
gary at gnurps.com
www.gnurps.com
 
Landline: 720-565-9933
Cell: 303-859-9331
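An added example, not code from the FX.php list or the FX.php project, covering the two points raised in this thread: Andrew's problem of the web account's password sitting in plain text under the web root, and Ed's note that FX debug output prints the request URL (credentials included) at the top of the page. The example keeps the credential in a file outside the document root and checks, before using it, that the file is not under the web root and not readable by other local accounts on a shared host. Assumptions of mine: the credential file path `/etc/fxapp/db.ini`, the `load_db_credentials()` and `fx_query_from_config()` helper names, and the FX.php calls `new FX()`, `SetDBData()` and `SetDBPassword()`, which should be checked against the FX.php version in use.

```php
<?php
// Added example (not from the FX.php list thread): keep the web account's
// password out of the files under the web root and load it at request time.
//
// Assumptions (mine, not the list's): the credentials live in an INI file
// at /etc/fxapp/db.ini readable only by the web server user, and the FX.php
// calls below (new FX(), SetDBData(), SetDBPassword()) match the library
// version in use.

function load_db_credentials($path = '/etc/fxapp/db.ini')
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credential file not found: $path");
    }

    // Refuse a file that resolves under the document root: a file there is
    // exactly what an intruder with access to the web directory can read.
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && $docRoot !== '') {
        $prefix = rtrim($docRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("credential file must not live under the web root: $real");
        }
    }

    // Refuse a file other accounts on a shared host can read (group/other read bits).
    $mode = fileperms($real) & 0777;
    if ($mode & 0044) {
        throw new RuntimeException(sprintf("credential file is group/world readable (mode %04o)", $mode));
    }

    $ini = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($ini === false) {
        throw new RuntimeException("credential file could not be parsed: $real");
    }
    foreach (array('server', 'port', 'database', 'layout', 'user', 'password') as $key) {
        if (!isset($ini[$key]) || $ini[$key] === '') {
            throw new RuntimeException("credential file is missing '$key'");
        }
    }
    return $ini;
}

function fx_query_from_config(array $cfg)
{
    require_once 'FX/FX.php';   // path to the FX.php library (assumed)

    // 'FMPro7' is the data type FX.php uses for FileMaker 7+ XML publishing (assumed).
    $query = new FX($cfg['server'], (int) $cfg['port'], 'FMPro7');
    $query->SetDBData($cfg['database'], $cfg['layout']);
    $query->SetDBPassword($cfg['password'], $cfg['user']);

    // Do not enable FX debug output on a production page: as noted in the
    // thread, it prints the request URL, credentials included, at the top of
    // the page.
    return $query;
}

// Sample db.ini contents (constructed; the real file lives outside the web root,
// owned by the web server user with mode 0600):
//   server   = filemaker.server.example
//   port     = 80
//   database = DatabaseName.fp7
//   layout   = LayoutName
//   user     = WebUserAccount
//   password = replace-me
```

This does not make the password secret from the web server process itself, which still has to present it to FileMaker Server; what it removes is the copy sitting in the PHP files, and on a shared host it fails closed if the file is readable by other accounts. Gary's point in the thread still applies on top of this: whatever the web account can do through FX, it can also do through the XML URL with the same credentials, so the FileMaker privilege set for that account should be limited to what the web pages actually need.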
 



 