[FX.php List] The web password in FX
Gary Sprung
gary at gnurps.com
Thu Jan 25 11:01:37 MST 2007
Ed,
I think that does answer my question. It shows how an attacker can
get at the data without having access to the web directory. I don't
think they could do more than what that privilege set allows and I
definitely turn off delete for that account. But the intruder still
could alter all the data because the web account has to do read/write
to allow users to enter data via the web.
Also, the tip about DEBUG is great! Thanks.
GS
On Jan 25, 2007, at 8:18 AM, Edward L. Ford wrote:
> I always use a strong password because someone can try and attack
> your database without access to the PHP files if they try different
> passwords using a well-formed URL. Try turning on the DEBUG
> privilege in an FX page: you'll see a URL output to the top of your
> page that looks something like:
>
> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/
> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>
> Using the right URL in a form like that above, you can view the XML
> dump of a record set. Modify that URL in the right way, and you
> can edit, create, delete records -- the commands aren't hard to
> find with Google.
--------
Gary Sprung
GNURPS Consulting
gary at gnurps.com
www.gnurps.com
Landline: 720-565-9933
Cell: 303-859-9331
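One way to check that the DEBUG output Ed describes has not been left on in production is to scan the pages a server actually serves for XML-API URLs carrying embedded credentials. The following is an added example written for this post, not code from the FX.php project or from the list; the sample HTML is constructed, and the page field names (host, user, db, lay) are my own.

```python
"""Scan rendered page output for FileMaker XML-API URLs that carry
embedded credentials, the form FX.php's DEBUG line takes."""
import re
from urllib.parse import urlsplit, parse_qs

# Matches http(s)://user:pass@host[:port]/fmi/xml/... up to the next
# whitespace, quote or angle bracket (constructed pattern for this check).
_LEAK_RE = re.compile(r"https?://[^\s\"'<>]+?@[^\s\"'<>]*/fmi/xml/[^\s\"'<>]*", re.I)


def find_credential_leaks(html: str) -> list[dict]:
    """Return one record per leaked URL: host, user, database, layout.
    The password itself is never returned, only whether one was present,
    so the report can be logged without repeating the secret."""
    leaks = []
    for m in _LEAK_RE.finditer(html):
        parts = urlsplit(m.group(0))
        if parts.username is None:
            continue  # '@' was in the path or query, not a userinfo block
        qs = parse_qs(parts.query)
        leaks.append({
            "host": parts.hostname,
            "user": parts.username,
            "has_password": parts.password is not None,
            "db": qs.get("-db", [None])[0],
            "lay": qs.get("-lay", [None])[0],
        })
    return leaks


# Constructed sample: what a page might serve with DEBUG left on, plus a
# credential-free link that must not be reported.
SAMPLE_HTML = """<html><body>
<p>http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName</p>
<p>Contact: gary at gnurps.com</p>
<a href="http://filemaker.server.com/fmi/xml/FMPXMLRESULT.xml?-db=Other.fp7&-lay=L">clean link</a>
</body></html>"""

if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_HTML):
        print("DEBUG credential leak:", leak)
```

Run it over the HTML your production server returns (for example, saved from a crawl of the FX pages) rather than over the PHP source, since the leak only exists in the rendered output.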