
Malformed Script calls leak data from CWP enabled databases

Question asked by Malcolm on Aug 27, 2013
Latest reply on Sep 26, 2013 by TSGal

Summary

Malformed Script calls leak data from CWP enabled databases

Product

FileMaker Server

Version

11.0.5.510

Operating system version

OS X 10.6.8

Description of the issue

newPerformScriptCommand($layout, $script, $parameter) can be called with a layout name only and it will return a record from the database.

newPerformScriptCommand($layout, $script, $parameter) can be called with a layout name only and a Folder name in place of a script name and it will return a record from the database.

Steps to reproduce the problem

With a CWP enabled database, make a call to newPerformScriptCommand, provide any layout and leave the script name empty.

In the test I performed I was using a Guest account. No user name or password.
In the database I had modified the [Guest] account to use a custom privilege set. The privilege set was set to Scripts: All No Access. In this setup no script should be able to be run.

Expected result

The function should return an error because a required parameter is missing.

Actual result

The database will return a record.

Exact text of any error message(s) that appear

No error message
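
A guard for the calls described in this report, added here as an example (it is not part of the original post or of the FileMaker API for PHP): it refuses an empty script name and any name that is not on a per-layout allowlist, which also excludes folder names, before anything is sent to the server. `guardedPerformScript`, the allowlist contents and the stub classes are assumptions made for illustration; only `newPerformScriptCommand()` and `execute()` are API calls.

```php
<?php
// Added example: validate the script name before newPerformScriptCommand() is called.
// guardedPerformScript() and $allowed are hypothetical names, not part of the API.

function guardedPerformScript($fm, array $allowed, $layout, $script, $parameter = null)
{
    // Reject a missing, non-string or whitespace-only script name.
    $script = is_string($script) ? trim($script) : '';
    if ($script === '') {
        throw new InvalidArgumentException('script name is required');
    }
    // Accept only exact script names listed for this layout. Folder names are
    // never listed, so they are refused like any other unknown name.
    $names = isset($allowed[$layout]) ? $allowed[$layout] : array();
    if (!in_array($script, $names, true)) {
        throw new InvalidArgumentException('script not allowed on this layout');
    }
    // Only a validated request reaches the server.
    return $fm->newPerformScriptCommand($layout, $script, $parameter)->execute();
}

// Constructed stand-ins for the FileMaker object so the guard runs offline.
class StubCommand { public function execute() { return 'executed'; } }
class StubFileMaker {
    public $calls = 0;
    public function newPerformScriptCommand($layout, $script, $parameter = null) {
        $this->calls++;
        return new StubCommand();
    }
}

// Constructed sample allowlist and inputs: empty name, folder name, real script.
$allowed = array('WebContacts' => array('Web_Find_Contact', 'Web_Log_Visit'));
$fm = new StubFileMaker();
foreach (array('', 'Web Scripts Folder', 'Web_Find_Contact') as $script) {
    try {
        guardedPerformScript($fm, $allowed, 'WebContacts', $script);
        echo "sent:    '$script'\n";
    } catch (InvalidArgumentException $e) {
        echo "blocked: '$script' (" . $e->getMessage() . ")\n";
    }
}
echo "requests sent to server: {$fm->calls}\n";
```

With a real `FileMaker` object in place of the stub, the returned value should still be checked with `FileMaker::isError()` before any record data is used.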
