[FX.php List] [OFF] Filemaker Web Security?

Andrew Denman adenman at tmea.org
Sun Sep 7 17:16:21 MDT 2008


I believe what ggt is saying is that someone cannot submit a malformed query
directly to your WPE server if it is not accessible to the outside world. If
your main web server is also the WPE server then this is a possible security
risk.

As far as data submitted using FX, you should be OK because as far as I can
tell FX URL encodes everything it sends to the WPE server, preventing
submitted data from affecting the URL. In my experience, the only possible
injection type attacks come from the special search characters that FM
allows you to search with.

Andrew Denman

-----Original Message-----
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Joel Shapiro
Sent: Saturday, September 06, 2008 1:56 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] [OFF] Filemaker Web Security?

hmm... Can you say any more about that?

Is XML-RPC installed by default in PHP?  It looks like it might need  
to be installed separately.

Also, one site I looked at said the vulnerability through XML-RPC was  
still SQL injection attacks... so if there's no SQL in a FM/PHP  
solution, what's the risk?

-Joel


On Sep 6, 2008, at 12:04 AM, Gjermund Gusland Thorsen wrote:

> It is simple to avoid "FileMaker XML RPC injections": you make sure the
> WPE and web server are on 2 different machines, and you block access to
> the WPE from the outside world, but open it for the web server.
>
> ggt
>
> 2008/9/6 Dale Bengston <dbengston at tds.net>:
>> Yes. Besides the malicious use of "sql injections" and such, people copy
>> text from word files, emails, and just about everywhere else and paste it in
>> your input fields. (This is a good thing - people shouldn't have to
>> re-type.) If they have curly quotes, or other high-ascii stuff, and their
>> document uses different encoding than your site, weird things can result.
>> Better to catch it and wash the data before it hits your tables.
>>
>> Dale
>>
>> On Sep 5, 2008, at 2:21 PM, Joel Shapiro wrote:
>>
>>> As to my question "Do people here do that on *all* submittable
>>> fields?...", the "that" I'd meant was filtering the fields in PHP before
>>> submission to FM, e.g. using htmlentities(), strip_tags(), etc.
>>> Do people do *that* on all submittable fields?
>>
>> _______________________________________________
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>

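The thread above narrows the practical risk in an FX/FileMaker stack to the find-mode operator characters that FileMaker interprets in a search value (and to the operator parameter itself). The following PHP is an added example, not code from the FX.php project or from any of the posters: it escapes those characters with FileMaker's backslash "take the next character literally" syntax before a value goes into a find, and it allow-lists the comparison operator instead of letting a client choose it. The operator names are the ones used by FileMaker's XML interface; the FX method call at the end is shown as an assumption about FX's AddDBParam($field, $value, $op) convention and should be checked against your FX version. The list of special characters follows the FileMaker find-mode documentation and should be adjusted for the FileMaker version in use.

```php
<?php
// Added example (not FX.php project code). Escapes FileMaker find-mode
// operator characters so user input is matched as literal text.

// Characters FileMaker interprets in a find request. Multi-character
// operators such as "//", "...", "==", "<=" and ">=" are covered because
// each of their component characters is escaped individually.
// Assumption: adjust this list for the FileMaker version you target.
const FM_FIND_SPECIALS = [
    '\\', '@', '*', '#', '?', '!', '=', '<', '>', '"', '~', '.', '/', '(', ')',
];

function fmEscapeFindValue(string $value): string
{
    $out = '';
    // Split on UTF-8 characters so multi-byte text (curly quotes, accents)
    // passes through untouched instead of being split mid-character.
    foreach (preg_split('//u', $value, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
        if (in_array($ch, FM_FIND_SPECIALS, true)) {
            // A leading backslash tells FileMaker to take the next
            // character literally rather than as an operator.
            $out .= '\\' . $ch;
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

// The comparison operator must never come straight from the request:
// allow-list it and fall back to a safe default.
// These names are the FileMaker XML interface operator names.
const FM_ALLOWED_OPS = ['eq', 'neq', 'cn', 'bw', 'ew', 'gt', 'gte', 'lt', 'lte'];

function fmFindOperator(string $requested, string $default = 'eq'): string
{
    return in_array($requested, FM_ALLOWED_OPS, true) ? $requested : $default;
}

// Constructed sample inputs showing which values would otherwise be
// interpreted as find operators instead of text.
$samples = [
    'Smith',          // plain text: unchanged
    '*',              // unescaped, this matches every record
    '!',              // unescaped, this finds duplicate values
    '==',             // unescaped, this is the exact-match operator
    'o.brien@home',   // '@' is a one-character wildcard, '.' is part of "..."
    'Müller ... Zoë', // multi-byte text with a range operator inside it
];
foreach ($samples as $s) {
    printf("%-16s -> %s\n", $s, fmEscapeFindValue($s));
}

// Hypothetical use with FX.php (assumed method and argument order; verify
// against your FX.php release before relying on it):
// $fx->AddDBParam(
//     'LastName',
//     fmEscapeFindValue($_POST['q'] ?? ''),
//     fmFindOperator($_POST['op'] ?? '')
// );
```

Escaping is applied only to values that will be used in a find; data written with a create or edit action is stored as-is, so the same function should not be run on it or the stored text will contain stray backslashes. Running the script prints each sample beside its escaped form, which is a quick way to confirm the character list matches what your FileMaker version actually treats as operators.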
