[FX.php List] [OFF] Filemaker Web Security?

Joel Shapiro jsfmp at earthlink.net
Sun Sep 7 17:50:36 MDT 2008


Thanks for the clarification, Andrew.

-Joel


On Sep 7, 2008, at 4:16 PM, Andrew Denman wrote:

> I believe what ggt is saying is that someone cannot submit a malformed
> query directly to your WPE server if it is not accessible to the outside
> world. If your main web server is also the WPE server then this is a
> possible security risk.
>
> As far as data submitted using FX, you should be OK because as far as I
> can tell FX URL encodes everything it sends to the WPE server, preventing
> submitted data from affecting the URL. In my experience, the only possible
> injection type attacks come from the special search characters that FM
> allows you to search with.
>
> Andrew Denman
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org
> [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Joel Shapiro
> Sent: Saturday, September 06, 2008 1:56 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] [OFF] Filemaker Web Security?
>
> hmm... Can you say any more about that?
>
> Is XML-RPC installed by default in PHP?  It looks like it might need
> to be installed separately.
>
> Also, one site I looked at said the vulnerability through XML-RPC was
> still SQL injection attacks... so if there's no SQL in a FM/PHP
> solution, what's the risk?
>
> -Joel
>
>
> On Sep 6, 2008, at 12:04 AM, Gjermund Gusland Thorsen wrote:
>
>> It is simple to avoid "FileMaker XML RPC injections": you make sure
>> WPE and web server are on 2 different machines, and you block access to
>> WPE from the outside world, but open it for the web server.
>>
>> ggt
>>
>> 2008/9/6 Dale Bengston <dbengston at tds.net>:
>>> Yes. Besides the malicious use of "sql injections" and such, people copy
>>> text from word files, emails, and just about everywhere else and paste it
>>> in your input fields. (This is a good thing - people shouldn't have to
>>> re-type.) If they have curly quotes, or other high-ascii stuff, and their
>>> document uses a different encoding than your site, weird things can result.
>>> Better to catch it and wash the data before it hits your tables.
>>>
>>> Dale
>>>
>>> On Sep 5, 2008, at 2:21 PM, Joel Shapiro wrote:
>>>
>>>> As to my question "Do people here do that on *all* submittable
>>>> fields?...", the "that" I'd meant was filtering the fields in PHP before
>>>> submission to FM, e.g. using htmlentities(), strip_tags(), etc. Do
>>>> people do *that* on all submittable fields?
>>>
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>>
>
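As an added example (not FX.php's code and not posted by anyone in this thread) of the two defensive steps the replies above describe, escaping FileMaker's special search characters before a term goes into a find request and washing pasted text first; the `AddDBParam` method name and the Windows-1252 fallback are assumptions:

```php
<?php
// Added example, not FX.php's own code: escape a user-supplied search term
// before it is handed to FX.php as find criteria, and "wash" pasted text
// before it is stored.

// Characters FileMaker treats as find operators inside a field's criteria:
// wildcards (@ # *), literal-text quotes ("), match operators (= ! < > ~ ?),
// range and date shorthands (... //) and the "\" escape itself.
const FM_FIND_OPERATOR_CLASS = '[\\\\"@#*=!<>~?\/.]';

// Escape every find operator with "\" so the term is matched literally
// instead of widening or rewriting the find request. One regex pass escapes
// "\" and the other operators together, so a user-supplied backslash cannot
// consume the escape added for the character after it.
function fmEscapeFindCriteria(string $term): string
{
    return preg_replace('/(' . FM_FIND_OPERATOR_CLASS . ')/', '\\\\$1', $term);
}

// Normalise pasted text before storing it: text copied from Word or mail in
// another encoding arrives as invalid UTF-8, and control characters are never
// wanted in a field. Assumption: the site itself runs UTF-8.
function fmWashInput(string $value): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        // Assumed fallback: decode the bytes as Windows-1252, the usual source
        // of stray curly quotes, rather than storing them unchanged.
        $value = mb_convert_encoding($value, 'UTF-8', 'Windows-1252');
    }
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Constructed inputs, checked stand-alone (no FileMaker server needed).
$cases = [
    '*'              => '\\*',          // a bare "*" would match every record
    'smith@acme.com' => 'smith\\@acme.com',
    '1...9'          => '1\\.\\.\\.9',  // no longer a range request
    '\\"'            => '\\\\\\"',      // backslash and quote both escaped
];
foreach ($cases as $in => $want) {
    $got = fmEscapeFindCriteria($in);
    echo str_pad($in, 16), '-> ', str_pad($got, 18), $got === $want ? 'ok' : 'MISMATCH', PHP_EOL;
}
echo fmWashInput("\x93quoted\x94\x01 text "), PHP_EOL;

// Hand the escaped term to FX.php as find criteria (method name from memory,
// check it against your FX.php version):
// $fx->AddDBParam('LastName', fmEscapeFindCriteria(fmWashInput($_POST['name'])));
```

The escape covers find criteria only; data written into fields still needs the encoding wash, and output back to the browser still needs htmlentities() as discussed earlier in the thread.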
