[FX.php List] [OFF] Filemaker Web Security?

Leo R. Lundgren leo at finalresort.org
Thu Sep 4 02:35:57 MDT 2008


OK. Yes that's the impression I've gotten, utter silence. I haven't  
checked, but I wouldn't be surprised not to find anything like a  
changelog or a list of security fixes that have been taken care of in  
the various updates and so on. It's a shame!

I only know one thing for sure: no application has zero security issues, and surely not Filemaker :)


On 4 Sep 2008, at 10:13, Gjermund Gusland Thorsen wrote:

> Well, as with most proprietary applications, such things as security are not heard of,
> and if anyone ever reports such an issue, it will be solved in
> silence, and an upgrade will be issued IMO.
>
> FileMaker is not exactly open on these issues.
>
> ggt
>
> 2008/9/4 Leo R. Lundgren <leo at finalresort.org>:
>> Sorry, I meant to ask what resources are available, such as possible mailing lists where Filemaker publishes these kinds of things? I know there's a TechNet, but in my opinion, one shouldn't have to cash up extra in order to enjoy security notices. I did a quick look in Filemaker.com but couldn't find anything but the downloads section with updates to the products, which isn't the same thing as receiving notices when there's some security issue to be handled.
>>
>> On 4 Sep 2008, at 09:53, Gjermund Gusland Thorsen wrote:
>>
>>> Well, locally you can pick apart the files and dig out the passwords.
>>>
>>> 2008/9/4 Leo R. Lundgren <leo at finalresort.org>:
>>>>
>>>> Do you know what the best source for knowing about any Filemaker
>>>> vulnerabilities, local or non-local, is?
>>>>
>>>>
>>>> On 4 Sep 2008, at 09:35, Gjermund Gusland Thorsen wrote:
>>>>
>>>>> Most of FileMaker's vulnerabilities are local.
>>>>>
>>>>> ggt
>>>>>
>>>>> 2008/9/4 Leo R. Lundgren <leo at finalresort.org>:
>>>>>>
>>>>>> I would interpret that question as if they are asking if there is any service where you can be sure to either find or automatically receive from, security notifications about vulnerabilities in Filemaker, when they are discovered and disclosed. Many vendors have this, for example freebsd.org has a mailing list that sends out notifications of vulnerabilities, what products they affect, impacts, possible workarounds, and solutions/patches. There are also other vulnerability sites which publish vulnerabilities for various products.
>>>>>>
>>>>>> I do not know if Filemaker has anything like this, I'm sure someone else does though. My impression is that it's quite quiet regarding vulnerabilities for Filemaker.
>>>>>>
>>>>>> In any case, in your scenario, as you say, the PHP frontend (your code) and the Windows Server itself are probably the primary targets.
>>>>>>
>>>>>>
>>>>>> On 3 Sep 2008, at 21:19, Joel Shapiro wrote:
>>>>>>
>>>>>>> Hi all
>>>>>>>
>>>>>>> I just received the following question from the IT person at a client of mine and I'm not sure what they're asking for. Can anybody offer me a clue on how to best respond?
>>>>>>>
>>>>>>> They wrote:
>>>>>>> "Given the number of web site compromises that have occurred, I am wondering about Filemaker server security. Is there a security notification service for Filemaker about vulnerabilities? I worry about possible compromises to the web based FileMaker site on our server."
>>>>>>>
>>>>>>> They are running FMSA9 & FX.php on Windows Server 2003 (one-machine config). The site has a valid SSL cert., the machine is behind a firewall (such that you need VPN access to open the DB remotely), & FMS has Secure Connections (SSL) enabled between FMS & the WPE.
>>>>>>>
>>>>>>> They've been up and running for over two years. I upgraded them to FMS9 over the summer, and they made sure their OS was fully up-to-date beforehand.
>>>>>>>
>>>>>>> What kind of "security notification service" might they be looking for?
>>>>>>>
>>>>>>> TIA,
>>>>>>> -Joel
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> FX.php_List mailing list
>>>>>>> FX.php_List at mail.iviking.org
>>>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list