[FX.php List] [OFF] Filemaker Web Security?
Joel Shapiro
jsfmp at earthlink.net
Thu Sep 4 18:06:01 MDT 2008
Hi again
This is how the client replied when I asked for more info:
"I keep hearing about "sql injection attacks" being used to
compromise web pages. So I was wondering if Filemaker had a
notification service about updates and / or security issues. It may
be that Filemaker is "flying under the radar" when it comes to
malware writers and there is little reason for concern. Given the
security of the Internet nowadays I would rather be safe than sorry."
It seems that FMI does *not* provide (decipherable) security update
notifications, so I can pass that along to the client.
Investigating "SQL injection attacks" (e.g. <http://www.sitepoint.com/print/sql-injection-attacks-safe/> ), I'm reminded of Jonathan
Stark's DevCon presentation in which he urged (numerous times) that
we Filter All Data, incl. the use of htmlentities() & strip_tags()...
Do people here do that on *all* submittable fields? For all FMFind,
FMEdit & FMNew? Is there some guideline as to when that's more or
less important? Are there other functions you like to use for this?
Also:
1) Is a site vulnerable to this type of attack when using FileMaker
security for logins (internal or Ext Auth w/ AD OD)? (My guess is
"no" since these aren't fields in a web-accessible database...)
2) When using records w/ username & password fields for logins, would
using the format:
$login->AddDBParam('UserID','=="'.$_POST['user_name'].'"');
be safe enough to avoid these types of attacks, since FM can't
process additional code like SQL seemingly can
(e.g. the submission of: ' or 1=1 -- ) ?
3) Are there any such risks within FMEdit calls? Does it matter
whether fields are submitted via radio buttons?
4) The above URL cautions against SQL procedures such as xp_cmdshell
and xp_grantlogin. Do FileMaker or FX.php (or the API) have any such
dangerous code?
5) Realistically, if a site is hosted locally, has an SSL cert, and
has no links from any external pages, is there much risk of it being
found and thusly hacked?
Thanks,
-Joel
On Sep 3, 2008, at 12:19 PM, Joel Shapiro wrote:
> Hi all
>
> I just received the following question from the IT person at a
> client of mine and I'm not sure what they're asking for. Can
> anybody offer me a clue on how to best respond?
>
> They wrote:
> "Given the number of web site compromises that have occurred, I am
> wondering about Filemaker server security. Is there a security
> notification service for Filemaker about vulnerabilities? I worry
> about possible compromises to the web based FileMaker site on our
> server."
>
> They are running FMSA9 & FX.php on Windows Server 2003 (one-machine
> config). The site has a valid SSL cert., the machine is behind a
> firewall (such that you need VPN access to open the DB remotely), &
> FMS has Secure Connections (SSL) enabled between FMS & the WPE.
>
> They've been up and running for over two years. I upgraded them to
> FMS9 over the summer, and they made sure their OS was fully up-to-date beforehand.
>
> What kind of "security notification service" might they be looking
> for?
>
> TIA,
> -Joel
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
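As an added example (not code from the post, from Joel, or from the FX.php project), here is one way to apply the "Filter All Data" advice to the login find in question 2. Rather than trying to decide which characters FileMaker's find syntax would interpret inside an `=="..."` criterion, the example rejects anything outside a short allow-list before the value is ever placed in an AddDBParam() call, and runs htmlentities() on anything echoed back into a page. The FX.php calls (the FX constructor, SetDBData, SetDBUserPass, AddDBParam, FMFind) are used as they appear in FX.php of that era; the host, port, database, layout, account names and the sample inputs are placeholders I constructed, and the list of characters removed by the fallback function is my own selection of FileMaker find-operator characters, not something taken from the post.

```php
<?php
// Added example, not from the original post or from the FX.php project.
// The require path and the FM_* constants below are placeholders.
require_once 'FX/FX.php';

define('FM_HOST',   '127.0.0.1');   // placeholder Web Publishing Engine host
define('FM_PORT',   80);            // placeholder port
define('FM_DB',     'example_db');  // placeholder database name
define('FM_LAYOUT', 'web_login');   // placeholder layout name

/**
 * Allow-list check for a login name: letters, digits, dot, underscore and
 * hyphen, 3 to 64 characters. Returns the value unchanged, or null.
 * Rejecting up front means no FileMaker find-operator character
 * (* @ # " = ! < > ~ ? / and the "..." range) can reach the request.
 */
function validate_username($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9._-]{3,64}$/', $raw) ? $raw : null;
}

/**
 * Fallback for fields that legitimately carry punctuation: remove the
 * characters FileMaker reads as find operators instead of quoting them.
 * (Dots are kept because of e-mail addresses; "..." is therefore still
 * possible and such fields should get their own validation.)
 */
function strip_find_operators($raw)
{
    return preg_replace('/[*@#"=!<>~?\\/]/', '', (string) $raw);
}

/**
 * Builds the exact-match criterion shown in the post ('=="value"') from a
 * value that has already passed validate_username().
 */
function exact_match_criterion($value)
{
    return '=="' . $value . '"';
}

/**
 * Looks up a login record. Returns the found records, or null when the
 * input fails validation (no request is sent to the server in that case)
 * or when FileMaker reports an error (401 = no records match).
 */
function find_login_record($raw_username)
{
    $user = validate_username($raw_username);
    if ($user === null) {
        return null;
    }
    $fx = new FX(FM_HOST, FM_PORT, 'FMPro7');
    $fx->SetDBData(FM_DB, FM_LAYOUT, 1);
    $fx->SetDBUserPass('web_account', 'placeholder');  // placeholder credentials
    $fx->AddDBParam('UserID', exact_match_criterion($user));
    $result = $fx->FMFind();
    if (!is_array($result) || $result['errorCode'] != 0) {
        return null;
    }
    return $result['data'];
}

// Constructed sample inputs, as a web form might submit them.
$samples = array('jsmith', 'j.smith-2', 'smith" *', str_repeat('a', 70));
foreach ($samples as $s) {
    $ok = validate_username($s);
    printf("%-12s -> %s\n", $s, $ok === null ? 'rejected' : 'accepted');
}

// The fallback keeps the letters and drops the operator characters.
echo strip_find_operators($samples[2]), "\n";

// Anything echoed back into HTML goes through htmlentities(), which is the
// output side of the "filter all data" advice the post refers to.
echo htmlentities('<b>' . $samples[2] . '</b>', ENT_QUOTES, 'UTF-8'), "\n";
```

The same allow-list function can be reused unchanged for FMEdit and FMNew submissions (question 3), since the decision to reject a value does not depend on which FX.php action receives it; radio-button values should be checked against the fixed set of options the form offers, because the browser-side control does not stop a client from submitting any string it likes.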