[FX.php List] The web password in FX

Gjermund Gusland Thorsen ggt667 at gmail.com
Mon Jan 29 01:46:08 MST 2007


Hmm I do the following

I make a port forwarding from my Airport Express to my webserver on the LAN.
I also have my FMSA on my LAN.
The only WAN address in my setup is the LegalIP of the Airport Express;
however, PHP scripts do contact the FMSA from the webserver, but only using
the LAN IP subnet.

This leaves executing queries from the WAN a hard task, as long as you have
not made exploitable scripts.

ggt667

On 1/29/07, Troy Meyers <tcmeyers at troymeyers.com> wrote:
> Ed,
>
> I'm new to all this, having recently come from the FileMaker 6 and CDML world, and this is confusing to me. From the studying I've been doing, it seemed like a bad guy wouldn't be able to get malicious access using the-- http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName  --sort of method unless the fmxml extended privilege was enabled in the FileMaker file? Can't you just disable that to prevent access using XML methods, password or not? Don't you only need the fmphp extended privilege for the PHP script (defined by you, not any external person) to get/create the allowed FileMaker data?
>
> -Troy
>
> Ed Ford wrote:
>
>
> > GGT: Are these logs automatically kept by the server, or is this
> > something you've developed?
> >
> > Gary:
> >
> > As standard practice, I now create 2 web accounts for all
> > applications: one that is read only, and another that is R/W.  For
> > each of these, I limit their access only to the fields absolutely
> > necessary for the PHP part of the app.  On the R/W account, I turn off
> > delete unless that's a needed privilege for the application.
> >
> > I always use a strong password because someone can try and attack your
> > database without access to the PHP files if they try different
> > passwords using a well-formed URL.  Try turning on the DEBUG privilege
> > in an FX page: you'll see a URL output to the top of your page that
> > looks something like:
> >
> > http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
> >
> > Using the right URL in a form like that above, you can view the XML
> > dump of a record set.  Modify that URL in the right way, and you can
> > edit, create, delete records -- the commands aren't hard to find with
> > Google.
> >
> > Moral of the story: Security is paramount, be more secure than you
> > think you need to be. Use a good password and well thought out
> > security privileges in FileMaker to ensure you don't get any nasty
> > surprises!  :-)
> >
> > --Ed
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
>
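An added example, not from this thread or from FX.php, written in Python rather than PHP so it can be run against a plain access log: it scans constructed Apache-style log lines from the host that serves the /fmi/xml/ gateway, flags gateway requests that did not come from an assumed LAN subnet (the LAN-only FMSA setup above) and flags sources with repeated 401 responses on the gateway (the password-guessing-by-URL concern in Ed's post). The subnet, the log format and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined-log style; not real traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [29/Jan/2007:01:40:01 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 200 5120
203.0.113.7 - - [29/Jan/2007:01:41:12 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 512
203.0.113.7 - - [29/Jan/2007:01:41:13 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 512
203.0.113.7 - - [29/Jan/2007:01:41:14 -0700] "GET /fmi/xml/FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName&-findall HTTP/1.1" 401 512
192.168.1.20 - - [29/Jan/2007:01:42:00 -0700] "GET /index.php HTTP/1.1" 200 2048
"""

# Assumed LAN subnet: only the web server's PHP scripts should reach the gateway from here.
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_PREFIX = "/fmi/xml/"

# source, ident, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) ')


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": path, "status": int(status)}


def audit_xml_gateway(log_text, lan=LAN, fail_threshold=3):
    """Return gateway requests from outside `lan` and sources with >= fail_threshold 401s."""
    wan_hits = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(GATEWAY_PREFIX):
            continue  # unparseable or not a gateway request
        if ipaddress.ip_address(rec["src"]) not in lan:
            wan_hits.append(rec)
        if rec["status"] == 401:
            failures[rec["src"]] += 1
    suspects = sorted(src for src, n in failures.items() if n >= fail_threshold)
    return {"wan_hits": wan_hits, "suspect_sources": suspects}


if __name__ == "__main__":
    result = audit_xml_gateway(SAMPLE_LOG)
    for hit in result["wan_hits"]:
        print("gateway request from outside LAN:", hit["src"], hit["ts"], hit["status"])
    print("sources with repeated 401s on the gateway:", result["suspect_sources"])
```

On the sample data the three 203.0.113.7 lines are reported both as non-LAN gateway requests and as a source with repeated authentication failures; the LAN request and the /index.php hit are ignored.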

