0 Replies Latest reply on Dec 13, 2012 3:31 AM by PhilHolden

    FileMaker Server 12 Email notification reveals user password

    PhilHolden

      Summary

      FileMaker Server 12 Email notification reveals user password

      Product

      FileMaker Server

      Version

      12.0.2.232

      Operating system version

      10.8.2

      Description of the issue

      I'm just setting up this server for the first time. I set up Email Notifications in the server admin console for warnings and errors.

      The email I receive reveals the user's password in plain text. I've removed the password in the example below. Here authentication failed because I'm converting files from .fp5 to .fmp12 (via .fp7) and the file now needs a user name and password. The password was passed from a related file that opens this file. So it is the correct password for the solution and I wouldn't want it revealed.

      Once I have debugged my system it is unlikely to be repeated but by then it could be too late.

      Example ==============================================
      FileMaker Server 12.0.2.232 on server.local reported the following event:

      2012-12-13 10:26:50.096 +0000     Warning     661     server.local     Client "Phil Holden (Phil Holden’s Mac Pro) [192.168.1.64]" authentication failed on database "batchlookup.fmp12" using "password [fmapp]".


      Contact information not specified.
      ===================================================

      Steps to reproduce the problem

      We will change the passwords before we go into production so this is not an issue for us but it might be for someone else.

      Expected result

      Passwords should never be revealed in notification emails - ever!

      Actual result

      N/A

      Exact text of any error message(s) that appear

      FileMaker Server 12.0.2.232 on server.local reported the following event:

      2012-12-13 10:26:50.096 +0000     Warning     661     server.local     Client "Client Name (Client Names’s Mac Pro) [192.168.1.64]" authentication failed on database "filename.fmp12" using "password [fmapp]".


      Contact information not specified.

      Workaround

      I've not found any. The password entered is not relevant. I want to be able to not send the password entered in plain text in an email as this is a security hole. Even if the password is wrong it could give a clue to someone you don't want to get clues.
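
Added example, not part of the original post and not FileMaker code: a filter that masks the submitted value in warning 661 lines of the layout quoted above before a notification is forwarded or archived. It assumes the notification text passes through a script or mail filter you control; the names `redact_line`, `redact_message` and `MASK` and the sample body are constructed for illustration.

```python
import re

MASK = "<redacted>"

# Layout taken from the warning 661 line quoted in the post:
#   ... authentication failed on database "<file>" using "<value> [<tag>]".
# The tail is anchored at end of line so quotes or brackets inside the
# submitted value cannot end the match early and leak part of it.
_AUTH_FAIL = re.compile(
    r'^(?P<head>.*?authentication failed on database "[^"]*" using ")'
    r'(?P<value>.*)'
    r'(?P<tail> \[[^\[\]]*\]"\.\s*)$'
)
_MARKER = "authentication failed"


def redact_line(line: str) -> str:
    """Mask the value submitted in a failed-authentication event line."""
    if _MARKER not in line:
        return line
    m = _AUTH_FAIL.match(line)
    if m:
        return m.group("head") + MASK + m.group("tail")
    # Unknown layout: fail closed and drop everything after the marker.
    cut = line.index(_MARKER) + len(_MARKER)
    return line[:cut] + " " + MASK


def redact_message(body: str) -> str:
    """Apply redact_line to every line of a notification body."""
    return "\n".join(redact_line(ln) for ln in body.splitlines())


# Constructed sample body; the submitted value contains a quote and
# brackets on purpose to exercise the end-of-line anchoring.
SAMPLE = (
    "FileMaker Server 12.0.2.232 on server.local reported the following event:\n"
    "\n"
    '2012-12-13 10:26:50.096 +0000\tWarning\t661\tserver.local\tClient "Client Name '
    '(Client Mac) [192.168.1.64]" authentication failed on database "filename.fmp12" '
    'using "s3"cr [et] [fmapp]".\n'
    "\n"
    "Contact information not specified."
)

if __name__ == "__main__":
    print(redact_message(SAMPLE))
```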