4 Replies Latest reply on Sep 26, 2013 11:47 AM by TSGal

    Malformed Script calls leak data from CWP enabled databases

    Malcolm

      Summary

      Malformed Script calls leak data from CWP enabled databases

      Product

      FileMaker Server

      Version

      11.0.5.510

      Operating system version

      OS X 10.6.8

      Description of the issue

      newPerformScriptCommand($layout, $script, $parameter) can be called with a layout name only and it will return a record from the database.

      newPerformScriptCommand($layout, $script, $parameter) can be called with a layout name only and a Folder name in place of a script name and it will return a record from the database.

      Steps to reproduce the problem

      With a CWP enabled database, make a call to newPerformScriptCommand, provide any layout and leave the script name empty.

      In the test I performed I was using a Guest account. No user name or password.
      In the database I had modified the [Guest] account to use a custom privilege set. The privilege set was set to Scripts: All No Access. In this setup no script should be able to be run.

      Expected result

      The function should return an error because a required parameter is missing.

      Actual result

      The database will return a record.

      Exact text of any error message(s) that appear

      No error message
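
A caller-side guard for the behaviour reported above, added here as an example; it is not part of the original post and not FileMaker's code. The names `guardedPerformScript`, `StubFileMaker` and the sample allowlist are assumptions; only `newPerformScriptCommand($layout, $script, $parameter)` comes from the report. The wrapper refuses an empty script name and anything that is not an exact match for a listed script, which also covers a folder name passed in place of a script name.

```php
<?php
// Added example: caller-side guard for newPerformScriptCommand().
// guardedPerformScript() and the allowlist are hypothetical names.

/**
 * Build a perform-script command only for a known script name.
 *
 * @param object   $fm             FileMaker API for PHP connection object
 * @param string   $layout         layout name
 * @param mixed    $script         requested script name (untrusted)
 * @param mixed    $parameter      optional script parameter
 * @param string[] $allowedScripts exact script names the site may run
 */
function guardedPerformScript($fm, $layout, $script, $parameter, array $allowedScripts)
{
    // Reject a missing or blank script name instead of passing it to the server.
    if (!is_string($script) || trim($script) === '') {
        throw new InvalidArgumentException('Script name is required.');
    }
    // Strict, exact match: a folder name or any unlisted script is refused.
    if (!in_array($script, $allowedScripts, true)) {
        throw new InvalidArgumentException('Script is not on the allowlist.');
    }
    return $fm->newPerformScriptCommand($layout, $script, $parameter);
}

// Constructed stand-in for the FileMaker object so the demo runs offline.
class StubFileMaker
{
    public function newPerformScriptCommand($layout, $script, $parameter = null)
    {
        return "command($layout, $script)";
    }
}

$fm = new StubFileMaker();
$allowed = array('Send Receipt');   // constructed sample allowlist

// Constructed requests: a listed script, an empty name, a folder name.
foreach (array('Send Receipt', '', 'Reports Folder') as $requested) {
    try {
        echo guardedPerformScript($fm, 'Web Orders', $requested, null, $allowed), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected "', $requested, '": ', $e->getMessage(), "\n";
    }
}
```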