[FX.php List] The web password in FX
Edward L. Ford
elford at cs.bu.edu
Mon Jan 29 10:23:27 MST 2007
FX.php is driven by the 'fmxml' extended privilege -- I can't speak
for Chris Hansen, the author of FX.php, I have theorized that FX
stands for "FileMaker - XML". It opens up your database through XML,
therefore yes, it can be a security risk if not handeled right, but
by the same token, using any of the extended privileges, including
Instant Web Publishing, FileMaker Mobile, fmphp, etc. also opens up
your database to attack if appropriate security measures aren't taken
for each of those circumstances individually.
--Ed
-----------------------------------
http://www.edwardford.net
On Jan 29, 2007, at 11:37 AM, Troy Meyers wrote:
> Ed,
>
> You are right, I see now that the 'fmphp' extended privilege is for
> the FileMaker PHP API. Sorry, guess I'm trying to absorb too much
> new knowledge at once. Is there an equivalent privilege for FX.php?
> Does the 'fmxml' privilege need to be enabled for FX.php to work,
> or will disabling it eliminate the XML security risk but still
> allow my local PHP files to control what data and actions are
> available to a web user (good or bad)?
>
> Thanks for the answer.
>
> -Troy
>
>
> Ed Ford wrote:
>
>> My understanding based on the FileMaker documentation is that if a
>> privilege set is turned off, then the data in the database is
>> unavailable through that method -- so turning off fmxml would indeed
>> prevent XML access through a URL like I specified.
>>
>> However, I'm not sure what you mean by the 'fmphp' extended
>> privilege, because I'm not aware of such a privilege, unless this is
>> something new with FileMaker's new public API for PHP, which I have
>> not tried.
>>
>> --Ed
>>
>> -----------------------------------
>>
> On Jan 28, 2007, at 6:48 PM, Troy Meyers wrote:
>
>> Ed,
>>
>> I'm new to all this, having recently come from the FileMaker 6 and
>> CDML world, and this is confusing to me. From the studying I've
>> been doing, it seemed like a bad guy wouldn't be able to get
>> malicious access using the-- http://
>> WebUserAccount:Password at filemaker.server.com:80/fmi/xml/
>> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName --sort of
>> method unless the fmxml extended privilege was enabled in the
>> FileMaker file? Can't you just disable that to prevent access using
>> XML methods, password or not? Don't you only need the fmphp
>> extended privilege for the PHP script (defined by you, not any
>> external person) to get/create the allowed FileMaker data?
>>
>> -Troy
>>
>> Ed Ford wrote:
>>
>>
>>> GGT: Are these logs automatically kept by the server, or is this
>>> something you've developed?
>>>
>>> Gary:
>>>
>>> As standard practice, I now create 2 web accounts for all
>>> applications: one that is read only, and another that is R/W. For
>>> each of these, I limit their access only to the fields absolutely
>>> necessary for the PHP part of the app. On the R/W account, I
>>> turn off
>>> delete unless that's a needed privilege for the application.
>>>
>>> I always use a strong password because someone can try and
>>> attack your
>>> database without access to the PHP files if they try different
>>> passwords using a well-formed URL. Try turning on the DEBUG
>>> privilege
>>> in an FX page: you'll see a URL output to the top of your page
>>> that
>>> looks something like:
>>>
>>> http://WebUserAccount:Password@filemaker.server.com:80/fmi/xml/
>>> FMPXMLRESULT.xml?-db=DatabaseName.fp7&-lay=LayoutName
>>>
>>> Using the right URL in a form like that above, you can view the XML
>>> dump of a record set. Modify that URL in the right way, and you can
>>> edit, create, delete records -- the commands aren't hard to find
>>> with
>>> Google.
>>>
>>> Moral of the story: Security is paramount, be more secure than you
>>> think you need to be. Use a good password and well thought out
>>> security privileges in FileMaker to ensure you don't get any nasty
>>> surprises! :-)
>>>
>>> --Ed
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.iviking.org/pipermail/fx.php_list/attachments/20070129/b046fbe1/attachment-0001.html
More information about the FX.php_List
mailing list